automatic module_metadata_base.json update

2019-02-20 10:21:06 -08:00 · 2019-02-20 10:21:06 -08:00 · 42ea35f524
parent 61cd6205a8
commit 42ea35f524
1 changed files with 110 additions and 0 deletions
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@ -15207,6 +15207,78 @@
    "notes": {
    }
  },
+  "auxiliary_gather/nuuo_cms_bruteforce": {
+    "name": "Nuuo Central Management Server User Session Token Bruteforce",
+    "full_name": "auxiliary/gather/nuuo_cms_bruteforce",
+    "rank": 300,
+    "disclosure_date": "2018-10-11",
+    "type": "auxiliary",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "Nuuo Central Management Server below version 2.4 has a flaw where it sends the\n        heap address of the user object instead of a real session number when a user logs\n        in. This can be used to reduce the keyspace for the session number from 10 million\n        to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries.\n        This module does exactly that - it uses a computed occurence table to try the most common\n        combinations up to 1.2 million to try to guess a valid user session.\n        This session number can then be used to achieve code execution or download files - see\n        the other Nuuo CMS auxiliary and exploit modules.\n        Note that for this to work a user has to be logged into the system.",
+    "references": [
+      "CVE-2018-17888",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-02-20 08:09:06 +0000",
+    "path": "/modules/auxiliary/gather/nuuo_cms_bruteforce.rb",
+    "is_install_path": true,
+    "ref_name": "gather/nuuo_cms_bruteforce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
+  "auxiliary_gather/nuuo_cms_file_download": {
+    "name": "Nuuo Central Management Server Authenticated Arbitrary File Download",
+    "full_name": "auxiliary/gather/nuuo_cms_file_download",
+    "rank": 300,
+    "disclosure_date": "2018-10-11",
+    "type": "auxiliary",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "The Nuuo Central Management Server allows an authenticated user to download files from the\n      installation folder. This functionality can be abused to obtain administrative credentials,\n      the SQL Server database password and arbitrary files off the system with directory traversal.\n      The module will attempt to download CMServer.cfg (the user configuration file with all the user\n      passwords including the admin one), ServerConfig.cfg (the server configuration file with the\n      SQL Server password) and a third file if the FILE argument is provided by the user.\n      The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules\n      included in Metasploit, these files cannot be decrypted programmatically. The user will\n      have to open them with zip or a similar program and provide the default password \"NUCMS2007!\".\n      This module will either use a provided session number (which can be guessed with an auxiliary\n      module) or attempt to login using a provided username and password - it will also try the\n      default credentials if nothing is provided.\n      All versions of CMS server up to and including 3.5 are vulnerable to this attack.",
+    "references": [
+      "CVE-2018-17934",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-02-19 06:55:00 +0000",
+    "path": "/modules/auxiliary/gather/nuuo_cms_file_download.rb",
+    "is_install_path": true,
+    "ref_name": "gather/nuuo_cms_file_download",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_gather/opennms_xxe": {
    "name": "OpenNMS Authenticated XXE",
    "full_name": "auxiliary/gather/opennms_xxe",
@ -117925,6 +117997,44 @@
    "notes": {
    }
  },
+  "exploit_windows/nuuo/nuuo_cms_fu": {
+    "name": "Nuuo Central Management Server Authenticated Arbitrary File Upload",
+    "full_name": "exploit/windows/nuuo/nuuo_cms_fu",
+    "rank": 0,
+    "disclosure_date": "2018-10-11",
+    "type": "exploit",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the\n      CMS Server.\n      The vulnerability is in the \"FileName\" parameter, which accepts directory traversal (..\\..\\)\n      characters. Therefore, this function can be abused to overwrite any files in the installation\n      drive of CMS Server.\n\n      This vulnerability is exploitable in CMS versions up to and including v2.4.\n\n      This module will either use a provided session number (which can be guessed with an auxiliary\n      module) or attempt to login using a provided username and password - it will also try the\n      default credentials if nothing is provided.\n\n      This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module\n      fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will\n      not execute successfully.",
+    "references": [
+      "CVE-2018-17936",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Nuuo Central Management Server <= v2.4.0"
+    ],
+    "mod_time": "2019-02-19 05:48:54 +0000",
+    "path": "/modules/exploits/windows/nuuo/nuuo_cms_fu.rb",
+    "is_install_path": true,
+    "ref_name": "windows/nuuo/nuuo_cms_fu",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_windows/oracle/client_system_analyzer_upload": {
    "name": "Oracle Database Client System Analyzer Arbitrary File Upload",
    "full_name": "exploit/windows/oracle/client_system_analyzer_upload",