From 5ab4a3821e241de6363ada92ca1fce4d5c0ba6b2 Mon Sep 17 00:00:00 2001
From: Metasploit <metasploit@rapid7.com>
Date: Wed, 20 Feb 2019 05:16:34 -0800
Subject: [PATCH] automatic module_metadata_base.json update

---
 db/modules_metadata_base.json | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index bdb5a2bbc0..819109deb7 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -15207,6 +15207,42 @@
     "notes": {
     }
   },
+  "auxiliary_gather/nuuo_cms_file_download": {
+    "name": "Nuuo Central Management Server Authenticated Arbitrary File Download",
+    "full_name": "auxiliary/gather/nuuo_cms_file_download",
+    "rank": 300,
+    "disclosure_date": "2018-10-11",
+    "type": "auxiliary",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "The Nuuo Central Management Server allows an authenticated user to download files from the\n      installation folder. This functionality can be abused to obtain administrative credentials,\n      the SQL Server database password and arbitrary files off the system with directory traversal.\n      The module will attempt to download CMServer.cfg (the user configuration file with all the user\n      passwords including the admin one), ServerConfig.cfg (the server configuration file with the\n      SQL Server password) and a third file if the FILE argument is provided by the user.\n      The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules\n      included in Metasploit, these files cannot be decrypted programmatically. The user will\n      have to open them with zip or a similar program and provide the default password \"NUCMS2007!\".\n      This module will either use a provided session number (which can be guessed with an auxiliary\n      module) or attempt to login using a provided username and password - it will also try the\n      default credentials if nothing is provided.\n      All versions of CMS server up to and including 3.5 are vulnerable to this attack.",
+    "references": [
+      "CVE-2018-17934",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-02-19 06:55:00 +0000",
+    "path": "/modules/auxiliary/gather/nuuo_cms_file_download.rb",
+    "is_install_path": true,
+    "ref_name": "gather/nuuo_cms_file_download",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
   "auxiliary_gather/opennms_xxe": {
     "name": "OpenNMS Authenticated XXE",
     "full_name": "auxiliary/gather/opennms_xxe",