This Metasploit module exploits an authentication bypass vulnerability in HP SiteScope which allows to retrieve the HP SiteScope configuration, including administrative credentials. It is accomplished by calling the getSiteScopeConfiguration operation available through the APISiteScopeImpl AXIS service. The HP SiteScope Configuration is retrieved as file containing Java serialization data. This Metasploit module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2 and Linux Centos 6.3.
49a6293f49b3d88908408822f05f60de61f16258c0921f50adecb84a90811493
This Metasploit module exploits an authentication bypass vulnerability in HP SiteScope to retrieve an arbitrary text file from the remote server. It is accomplished by calling the loadFileContent operation available through the APIMonitorImpl AXIS service. This Metasploit module has been successfully tested on HP SiteScope 11.20 over Windows 2003 SP2 and Linux Centos 6.3.
70fba2e746b60b36e7ed3d2efbabee053f81db339cfb2580347bd710629b238d
This Metasploit module exploits an authentication bypass vulnerability in HP SiteScope to retrieve an arbitrary file from the remote server. It is accomplished by calling the getFileInternal operation available through the APISiteScopeImpl AXIS service. This Metasploit module has been successfully tested on HP SiteScope 11.20 over Windows 2003 SP2 and Linux Centos 6.3.
ac2a6c8b7ee1032f4592faca207812805ca78af0323e9f167ee599f82c2b95f3
The util-linux wall command does not filter escape sequences from command line arguments. The vulnerable code was introduced in commit cdd3cc7fa4 (2013). Every version since has been vulnerable. This allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and wall is setgid. CentOS is not vulnerable since wall is not setgid. On Ubuntu 22.04 and Debian Bookworm, wall is both setgid and mesg is set to y by default.
c3644f61b4f68f9fafd4782ffb69bd4b73d2b6ff8ac981711c3329c0a8408077
CentOS Stream 9 has a missing kernel security fix for a tun double-free amongst other missing fixes. Included is a local root exploit to demonstrate the issue.
ff7d7021860395c29340e572b9c37574d2458d361ce7c71f08cc837f0834b69e
The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.
a5f94e90c58a4d65e7349c5ac6abff2cbc680f758ae71b7d0bf35a8ec6642057
Local privilege escalation root exploit for Polkit's pkexec vulnerability as described in CVE-2021-4034. Verified on Debian 10 and CentOS 7. Written in C.
5c59fb8b51079e3f956e9fcbe1974b3cbb587b1887064897119332a9ecf3f86a
CentOS Web Panel version 0.9.8.1081 suffers from a persistent cross site scripting vulnerability.
93b9ad1a6879ca9d21a0ce2d751c88565c0c662d0b935ab50b3a96c2b8c6064e
This Metasploit module exploits an OS command injection vulnerability in includes/components/nxti/index.php that enables an authenticated user with admin privileges to achieve remote code execution as the apache user. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios XI 5.7.3 running on CentOS 7.
02c732ecdeb46edeb55c3d07feeea7f934380ef9d317001de2070079b9dae17d
This Metasploit module exploits a command injection vulnerability in the /admin/monitoringplugins.php page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the apache user by uploading a malicious plugin. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both running on CentOS 7.
1c6d22c62a86e7b5f3dedccebd30589cc4a30d490a6e2f222d47174bbda1bf57
This Metasploit module exploits a vulnerability in the getprofile.sh script of Nagios XI versions prior to 5.6.6 in order to upload a malicious check_ping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0 through 5.4.13, the commands are run as the nagios user. For versions 5.5.0 through 5.6.5, the commands are run as root. Note that versions prior to 5.2.0 will still be marked as being vulnerable however this module does not presently support exploiting these targets. The module uploads a malicious check_ping plugin to the Nagios XI server via /admin/monitoringplugins.php and then executes this plugin by issuing a HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. This may not work if Nagios XI is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). The module then writes the payload to the malicious plugin while avoiding commands that may not be supported. Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.3.0 and Nagios 5.6.5, both running on CentOS 7. For vulnerable versions before 5.5.0, it may take a significant amount of time for the payload to get back (up to 5 minutes). If exploitation fails against an older system, it is recommended to increase the WfsDelay setting (default is 300 seconds).
e333bc1f3434e1dcf5429b3717a70090c1f771194a0104e33385aa561adb6f05
This Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in th e Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).
8c2e13e57553407ba5b46b1cb763ce1bf256fd53ba20f8b4cb5a87d5d92785b0
This Metasploit module exploits multiple vulnerabilities in Bolt CMS version 3.7.0 and 3.6.x in order to execute arbitrary commands as the user running Bolt. Valid credentials for a Bolt CMS user are required. This module has been successfully tested against Bolt CMS 3.7.0 running on CentOS 7.
9f2d762b1d8e6bcbc5f7e02bde9b6d95028ec1015c112f2165e2847c2855320d
This Metasploit module exploits a Python code injection in the Netsweeper WebAdmin component's unixlogin.php script, for versions 6.4.4 and prior, to execute code as the root user. Authentication is bypassed by sending a random whitelisted Referer header in each request. Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs. Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has been confirmed exploitable.
dcae513897070a9218f0bedaca27c407e24184902dfdcf5421907f51081acf14
CentOS Webpanel version 7 suffers from a remote SQL injection vulnerability.
e53b5c9a3afbce2e2af8903eaa3942eac11f5bf27fd53e3eebacfbf1805f53b3
This Metasploit module exploits a vulnerability in Nagios XI versions before 5.6.6 in order to execute arbitrary commands as root. The module uploads a malicious plugin to the Nagios XI server and then executes this plugin by issuing an HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. This may not work if Nagios XI is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). The module then writes the payload to the malicious plugin while avoiding commands that may not be supported. Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.6.5 running on CentOS 7. The module may behave differently against older versions of Nagios XI.
ff7c4c4f60a8d9d91f4dea43c87e96d04fac8cbc379e059ccb3fb23c944c18ab
This Metasploit module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The install directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the ajaxServerSettingsChk.php file as the web server user. This module has been tested successfully on rConfig version 3.9.2 on CentOS 7.7.1908 (x64).
c186325528acbfb5de4f3fa7f089b9e55a0ed4689c4440a3e05bf3134759a1f7
This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the users session. Xorg must have SUID permissions and may not start if running. On successful exploitation artifacts will be created consistent with starting Xorg.
9377740962fb859c56e4c74db8eb408580293ddee8808bfba3b45eda70d58cd2
This Metasploit module attempts to gain root privileges by blindly injecting into the session user's running shell processes and executing commands by calling system(), in the hope that the process has valid cached sudo tokens with root privileges. The system must have gdb installed and permit ptrace. This module has been tested successfully on Debian 9.8 (x64) and CentOS 7.4.1708 (x64).
fdcbf0c4d9e341553a52dec31cde80eee431ecb79d69538c1c636d8d6742a5ca
CentOS version 7.6.1810 with Control Web Panel version 0.9.8.837 suffers from a cross site request forgery vulnerability.
ac74f5f7b06a995d875030245867e034334374afc0f014487faf49f644264983
CentOS version 7.6.1810 with Control Web Panel version 0.9.8.837 suffers from a persistent cross site scripting vulnerability.
75c43595c2ca8facaf005e68f433a5fb50f881898e16454e23e33907ffc28ffc
CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.851 allows an attacker to change arbitrary passwords.
4efb27420a227e97715e7d7be24416f052d4c5a363d45dce305d0340da388115
CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.851 suffers from an arbitrary database dropping vulnerability.
1d6d82560f3b4ba4f1c6c891801038a74f7372c46e8936527195f907db40fd4f
CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.848 suffers from a user enumeration vulnerability.
cc0c55ccdb42fd51d11a4b01419284a4bc4b629d40b00b2b4ccebe57d7de4456
CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.846 suffers from a reflective cross site scripting vulnerability.
8b1c696a73f9bac0e96c917432a4e295ca1c20adf0976f10d1b7af7562e21405