November 2018

Sunday, 4 November 2018

Development Of Metasploit Module After 0day [Nuuo NVRmini2 RCE]



Hello Everyone


In this article I will show you how to develop a Metasploit module for a 0day. Before I start, thank you to Numan Türle (@numanturle) for his help with Ruby on Rails.



Vulnerability

The vulnerability is in a web application running on the device: user-supplied input reaches command execution, resulting in a remote command execution vulnerability.

This vulnerability affected 106 servers.




Example Request



This application usually runs on port 8081, but when I did some research on Shodan I saw that it can also run on other ports, such as 8080 and 50000.

The "uploaddir" value is what triggers the remote command execution vulnerability.

Example Response



The application runs with root privileges.

Metasploit-Framework Module Development

Before you start writing, you can benefit greatly from the Metasploit Unleashed exploit-development guide:

https://www.offensive-security.com/metasploit-unleashed/exploit-development/

To summarize the first screenshot: the msf module is a remote exploit and we use the HTTP client.

Then enter the author, platform, date and arch values. There is a point we need to pay attention to here: people often confuse "remote code execution" and "remote command execution" vulnerabilities. If this vulnerability had been remote code execution, we would have chosen ARCH_PHP; since it is remote command execution, I used ARCH_CMD.




The check in the first lines is an if/else branch on the response: if the response code is 200 and the body matches /upload_tmp_dir/, the check returns Vulnerable.


In the last lines we specify the HTTP request method, "GET".
Then the payload is placed, via the "cmd" value, into the vulnerable parameter. This payload gets a back-connect shell with telnet.
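As an added illustration of the check logic described above (this is not the author's module, whose code appears only in the screenshots), here is a stand-alone Ruby sketch: it probes the ports the post mentions and classifies each response the way a Metasploit check method would, without sending any payload. The request path is a placeholder assumption, as is the injectable `fetch` hook used so the logic can be exercised offline.

```ruby
require 'net/http'

# Added example: stand-alone sketch of the check logic the post describes.
# It is not the author's module; the request path below is a placeholder.
module NvrMini2Check
  # Port the service usually runs on, plus the other ports seen on Shodan.
  CANDIDATE_PORTS = [8081, 8080, 50000].freeze
  # Marker the post says a vulnerable device returns in an HTTP 200 body.
  MARKER = /upload_tmp_dir/
  # Assumption: the real module's URI is only in the screenshots, not the text.
  CHECK_PATH = '/PLACEHOLDER_CHECK_PATH'

  # Same if/else as the module's check method. In Metasploit the symbols
  # correspond to Exploit::CheckCode::Vulnerable / ::Safe / ::Unknown.
  def self.classify(code, body)
    return :unknown if code.nil?                      # no usable response
    return :vulnerable if code == 200 && MARKER.match?(body.to_s)
    :safe
  end

  # Plain Net::HTTP stand-in for send_request_cgi('method' => 'GET', ...).
  # Returns [status, body], or nil when the port does not answer.
  def self.http_get(host, port, path)
    res = Net::HTTP.start(host, port, open_timeout: 3, read_timeout: 3) do |http|
      http.get(path)
    end
    [res.code.to_i, res.body]
  rescue StandardError
    nil
  end

  # Probe every candidate port and return { port => check result }.
  # `fetch` is injectable (host, port, path) -> [code, body] or nil,
  # so the classification can be tested without a live device.
  def self.check(host, ports: CANDIDATE_PORTS, fetch: method(:http_get))
    ports.each_with_object({}) do |port, results|
      code, body = fetch.call(host, port, CHECK_PATH)
      results[port] = classify(code, body)
    end
  end
end

if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  NvrMini2Check.check(ARGV[0]).each { |port, verdict| puts "#{port}: #{verdict}" }
end
```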






Thank you for reading. twitter.com/berkdusunur
Email: berkdusunurx@protonmail.com