This Metasploit module exploits an OS command injection vulnerability in includes/components/nxti/index.php that enables an authenticated user with admin privileges to achieve remote code execution as the apache user. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios XI 5.7.3 running on CentOS 7.
02c732ecdeb46edeb55c3d07feeea7f934380ef9d317001de2070079b9dae17d
This Metasploit module exploits CVE-2020-5791, an OS command injection vulnerability on Nagios XI versions 5.6.0 through 5.7.3 in admin/mibs.php that enables an authenticated user with admin privileges to achieve remote code execution as either the apache user or the www-data user.
5f3ec659fe836f33c81a4956f9541aeece789fd3ec657e3f2f83dc70252319dc
Nagios XI version 5.7.3 mibs.php remote command injection exploit.
6855f4caf30f9e7751d6594a73e43b55ca31b7b9ddebeacdfa7108721c29da09
This Metasploit module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker can create a photo library and add arbitrary files to it. After the Windows-only Plex variable LocalAppDataPath is set to the newly created photo library, a file named Dict will be unpickled, which causes remote code execution as the user who started Plex. Plex_Token is required; to get it, log in through a web browser, then check the requests to grab the X-Plex-Token header. See info -d for additional details. If an exploit fails or is cancelled, Dict is left on disk, and a new ALBUM_NAME will be required because subsequent writes will create Dict-1 and will not execute.
e2012f91e0f7c3c6e3c7a3f9dff3d5bbac47e45f6db5582aff00dfa52d4c1a26
Druva inSync client for Windows exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.5.2 and prior do not validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary commands as SYSTEM. This Metasploit module has been tested successfully on inSync version 6.5.2r99097 on Windows 7 SP1 (x64).
12e3b974b7cb427087439bf5f922afb373bca8c3346525b183f6422b28801319
Druva inSync Windows Client version 6.5.2 suffers from a local privilege escalation vulnerability.
31dfb7b5bc6e0e8460608ac6efee03fdb1a7159259a19815bc7b9c3106a68129
Citrix SD-WAN Appliance version 10.2.2 suffers from authentication bypass and remote command execution vulnerabilities.
35d49241776f0e93fd18d36ff74eb03319d7260a004bea11c110838e3f48883e
This Metasploit module exploits two vulnerabilities in Nagios XI 5.5.6. One allows for unauthenticated remote code execution and another allows for local privilege escalation. When combined, these two vulnerabilities give us a root reverse shell.
497ccf076e88aa8797c172933964fb4ad92dddf4ca42816ab9c5f28af82b486b
Nagios XI version 5.5.6 suffers from remote code execution and privilege escalation vulnerabilities.
24108dbb8c9c59ae34ce542303af31e1e4a7a64d3f72d47d85b85c06711c4a54
Advantech WebAccess SCADA version 8.3.2 suffers from a code execution vulnerability.
54655f065e3a495129a4eb8059227b2933475527411c65bf1abae23771430c88
Advantech WebAccess versions prior to 8.1 webvrpcs DrawSrv.dll path BwBuildPath stack-based buffer overflow remote code execution exploit.
3917887b7385488d5ab094dd0cfa0c73128701eb66ed70da342531a89b649458
Advantech WebAccess versions less than 8.3 suffer from directory traversal and remote code execution vulnerabilities.
97cde78f92d072d5a56b25fbbfba6add14a9da604c9181028efa5012de1aeb81
Advantech WebAccess version 8.0-2015.08.16 suffers from a remote SQL injection vulnerability.
16f7cbd1a62ea43d75bb9453984431e804ee465d9a86013ea46d2004a1667ff2
HPE iMC version 7.3 suffers from an RMI Java deserialization vulnerability.
922064ae08e689f5f6b61f2d38c19479a08bc094ab866c6ce11fcb3ba20f8939
This Metasploit module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restore a user-specified database (OpCode 10007); however, the database connection username is not sanitized, resulting in command injection and allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This Metasploit module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN).
6e617c9e2dc52b8e3176ccf763528cbf0564f66df4920f7c15aa5b7cd694b5ea
This Metasploit module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008); however, the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This Metasploit module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN).
8593e2a11cac9b478374fc96e4123be69ffbd8aafe9adc13437d98414d73a636
HP iMC Plat version 7.2 suffers from a remote code execution vulnerability.
d565f4abdec6884979ae167b1dadec8950fd14886753cffd197125147b659f70