Add exploit for Nuuo CMS arbitrary file download #11293
Conversation
they cannot be decrypted in Metasploit.")
print_status("#{peer} - You will need to open them up with zip or a similar utility, and use the \
password NUCMS2007! to unzip them.")
print_status("#{peer} - Annoy the Metasploit developers until this gets fixed!")
The Metasploit project accepts pull requests.
So it's ok if I submit a PR including the 'archive/zip' gem? Last time I mentioned that, I was told new gems would only be included in extreme cases.
A native Ruby solution would likely be preferred. Ideally, an update to the Rex::Archive library to support decryption.
Sure but that would be pretty time consuming for a non professional developer like me, especially if there is a gem that already does it.
Docs added!
Co-Authored-By: pedrib <pedrib@gmail.com>
Reverted changes...
Fixed a bug: if we gave the path to a bogus file and nil was returned, we would say all good. Now we just warn the user that nothing was downloaded and the file might not exist, or let him/her know the download was successful.
aux:nuuo_cms_file_download
Tested on Windows 10 Pro x64 running NCS Server 2.4.0
Release Notes
The auxiliary/gather/nuuo_cms_file_download module has been added to the framework. This sends GETCONFIG requests to download configuration files from vulnerable NCS Server applications by exploiting a directory traversal vulnerability in the FileName header.
Tested on 2.9, working!
This is the 4th and last exploit of the Nuuo CMS ownage.
This exploit allows an authenticated attacker to download any file off the system, including the Nuuo configuration files that contain the database password.
The exploit downloads these configuration files by default plus whatever the user specifies. Note that these configuration files are zip encrypted with a password, and at the moment there is no way to unzip them in msf.
I've added a note for the users to harass you to get it into the framework :P
This vulnerability has not been fixed by Nuuo, and it's still exploitable in the latest 3.5.0 version.
This module has been tested and is working for all versions of Nuuo CMS up to and including 3.5.0.
Please see more details in the full advisory at https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
This exploit needs PR #11289
You can download current and earlier versions of Nuuo software at http://d1.nuuo.com/NUUO/CMS/
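The release notes and the PR description above describe the issue from the attacker's side: GETCONFIG requests whose FileName header walks out of the configuration directory. As an added example, not part of this PR or of the Metasploit module, here is Ruby detection logic a defender could run over captured NCS Server requests to flag such headers; the line-per-header framing and the sample requests are constructed assumptions, since the page only names the GETCONFIG request and the FileName header.

```ruby
# Added example (not from the PR): flag GETCONFIG requests whose FileName
# header contains a directory traversal sequence. The request framing used
# below (request name on the first line, "Name: value" headers after it) is
# an assumption made for this example.

# ".." delimited by a slash, a backslash, or the start/end of the value.
TRAVERSAL = %r{(^|[\\/])\.\.([\\/]|$)}

# Percent-decode repeatedly (bounded) so double-encoded "%252e" is caught too.
def decode_filename(raw)
  value = raw.dup
  3.times do
    decoded = value.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    break if decoded == value
    value = decoded
  end
  value
end

def traversal?(filename)
  TRAVERSAL.match?(decode_filename(filename))
end

# Split a captured request into its request name and a header hash.
def parse_request(text)
  lines = text.split(/\r?\n/)
  headers = {}
  lines.drop(1).each do |line|
    name, value = line.split(':', 2)
    headers[name.strip] = value.strip unless value.nil?
  end
  { name: lines.first.to_s.strip, headers: headers }
end

# True only for GETCONFIG requests whose FileName header traverses directories.
def suspicious_getconfig?(text)
  req = parse_request(text)
  return false unless req[:name] == 'GETCONFIG'
  fname = req[:headers]['FileName']
  !fname.nil? && traversal?(fname)
end

# Constructed sample requests: one benign, two traversal attempts
# (raw backslashes and percent-encoded dots), one non-GETCONFIG request.
SAMPLES = [
  "GETCONFIG\r\nFileName: CMServer.cfg\r\n\r\n",
  "GETCONFIG\r\nFileName: ..\\..\\..\\Windows\\win.ini\r\n\r\n",
  "GETCONFIG\r\nFileName: %2e%2e/%2e%2e/Users/Public/secret.cfg\r\n\r\n",
  "PING\r\nFileName: ../not_a_getconfig\r\n\r\n",
].freeze

def flagged_samples
  SAMPLES.select { |s| suspicious_getconfig?(s) }
end
```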