Rapid7 Vulnerability & Exploit Database

Nuuo Central Management Server User Session Token Bruteforce

Back to Search

Nuuo Central Management Server User Session Token Bruteforce



Nuuo Central Management Server below version 2.4 has a flaw where it sends the heap address of the user object instead of a real session number when a user logs in. This can be used to reduce the keyspace for the session number from 10 million to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries. This module does exactly that - it uses a computed occurrence table to try the most common combinations up to 1.2 million to try to guess a valid user session. This session number can then be used to achieve code execution or download files - see the other Nuuo CMS auxiliary and exploit modules. Note that for this to work a user has to be logged into the system.


  • Pedro Ribeiro <pedrib@gmail.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/gather/nuuo_cms_bruteforce
msf auxiliary(nuuo_cms_bruteforce) > show actions
msf auxiliary(nuuo_cms_bruteforce) > set ACTION < action-name >
msf auxiliary(nuuo_cms_bruteforce) > show options
    ...show and set options...
msf auxiliary(nuuo_cms_bruteforce) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security