Module: Msf::Exploit::Remote::Nuuo

Defined in:
lib/msf/core/exploit/remote/nuuo.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#clientObject

Returns the value of attribute client.



150
151
152
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 150

def client
  @client
end

#server_versionObject

Returns the value of attribute server_version.



151
152
153
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 151

def server_version
  @server_version
end

#user_sessionObject

Returns the value of attribute user_session.



152
153
154
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 152

def user_session
  @user_session
end

Instance Method Details

#connect(global = true) ⇒ Object



39
40
41
42
43
44
45
46
47
48
49
50
51
52
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 39

def connect(global=true)
  c = Rex::Proto::Nuuo::Client.new({
    host: datastore['RHOST'],
    username: datastore['NCSUSER'],
    password: datastore['NCSPASS'],
    user_session: datastore['NCSSESSION'],
    context: { 'Msf' => framework, 'MsfExploit' => self }
  })

  client.close if self.client && global
  self.client = c if global

  c
end

#generate_req(opts = {}) ⇒ Object



54
55
56
57
58
59
60
61
62
63
64
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 54

def generate_req(opts={})
  case opts['method']
    when 'PING' then client.request_ping(opts)
    when 'SENDLICFILE' then client.request_sendlicfile(opts)
    when 'GETCONFIG' then client.request_getconfig(opts)
    when 'COMMITCONFIG' then client.request_commitconfig(opts)
    when 'USERLOGIN' then client.request_userlogin(opts)
    when 'GETOPENALARM' then client.request_getopenalarm(opts)
    else nil
  end
end

#initialize(info = {}) ⇒ Object

Creates an instance of an Nuuo exploit module.



14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 14

def initialize(info = {})
  super(update_info(info,
    'Author'         =>
      [
        'Pedro Ribeiro <pedrib@gmail.com>'
      ],
  ))

  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(5180),
      OptString.new('NCSSESSION', [false, 'Session number of logged in user']),
      OptString.new('NCSUSER', [false, 'NUUO Central Management System username', 'admin']),
      OptString.new('NCSPASS', [false, 'Password for NCSUSER',])
    ], Msf::Exploit::Remote::Nuuo)

  register_advanced_options(
    [
      OptString.new('NCSVERSION', [false, 'Version header used during login']),
      OptBool.new('NCSBRUTEAPI', [false, 'Bruteforce Version header used during login', false]),
      OptBool.new('NCSTRACE', [false, 'Show NCS requests and responses', false])
    ], Msf::Exploit::Remote::Nuuo)
end

#ncs_loginObject



99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 99

def 
  unless datastore['NCSVERSION'] || server_version
    if datastore['NCSBRUTEAPI']
      vprint_status('Bruteforcing Version string')
      self.server_version = ncs_version_bruteforce
    else
      print_error('Set NCSBRUTEAPI to bruteforce the Version string or NCSVERSION to set a version string')
      return nil
    end
  end

  self.server_version ||= datastore['NCSVERSION']
  unless server_version
    print_error('Failed to determine server version')
    return nil
  end

  res = ncs_send_request({
    'method'  => 'USERLOGIN',
    'server_version'  => server_version
  }, temp: false)

  if res.headers['User-Session-No']
    self.user_session = res.headers['User-Session-No']
  end

  res
end

#ncs_send_request(opts = {}, req = nil, temp: true) ⇒ Object



66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 66

def ncs_send_request(opts={}, req=nil, temp: true)
  req = generate_req(opts) unless req
  return nil unless req

  if datastore['NCSTRACE']
    print_status("Request:\r\n#{req.to_s}")
  end

  begin
    conn = temp ? client.connect(temp: temp) : nil
    res = client.send_recv(req, conn)
    if conn && temp
      conn.shutdown
      conn.close
    end

    if datastore['NCSTRACE'] && res
      print_status("Response:\r\n#{res.to_s}")
    end

    res
  rescue ::Errno::EPIPE, ::Timeout::Error => e
    print_line(e.message) if datastore['NCSTRACE']
    nil
  rescue Rex::ConnectionError => e
    vprint_error(e.to_s)
    nil
  rescue ::Exception => e
    print_line(e.message) if datastore['NCSTRACE']
    raise e
  end
end

#ncs_version_bruteforceObject



128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# File 'lib/msf/core/exploit/remote/nuuo.rb', line 128

def ncs_version_bruteforce
  res = ''
  Rex::Proto::Nuuo::Constants::VERSIONS.shuffle.each do |version|
    begin
      res = ncs_send_request({
        'method' => 'USERLOGIN',
        'server_version' => version
      })
    rescue
      print_error('Request failed')
    end

    client.close
    if res && res.headers['User-Session-No']
      vprint_good("Valid version detected: #{version}")
      return version
    end
  end

  return nil
end