This exploit leverages the CVE-2024-24401 and CVE-2024-24402 vulnerabilities in Nagios XI to fully compromise the system and gain total remote control. The monitoringwizard.php component of Nagios XI version 2024R1.01 is vulnerable to a critical SQL Injection, identified as CVE-2024-24401. Initially, the exploit targets this component, performing an SQL Injection to extract the administrator key (admin key). Before proceeding, it authenticates using an existing user, regardless of their privilege level, ensuring access to the system for subsequent stages. With the administrator key obtained, a new administrator user is created, along with an identity associated with this user, using the newly generated credentials. This identity enables reauthentication and the ability to perform elevated actions. Subsequently, the exploit executes arbitrary commands on the system using the privileges of the newly created administrator. Next, it installs an agent and escalates its privileges to root, exploiting the CVE-2024-24402 vulnerability. During this process, the exploit manages the npcd service binary: first, the original service is stopped, and a backup of the npcd binary is created in the /usr/local/nagios/bin/ directory as npcd.backup. Then, the agent binary is copied to the same directory under the name npcd, replacing the original binary. Finally, the npcd service is restarted to execute the agent. These steps result in a full system compromise, granting the attacker total remote control and the ability to execute arbitrary actions with root privileges.

This module chains 4 vulnerabilities to deploy an agent in a Linux target system that will run with the cups-browsed daemon user privileges. The first vulnerability is cups-browsed which binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL. The second vulnerability is in libcupsfilters were function cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system. The third vulnerability is in libppd were function ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD. The last vulnerability is in cups-filters were foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter. This module will start a fake IPP Server that will be used to deliver the payload to exploit the last 3 vulnerabilities. This will create a fake printer on the system. Then, it will send a packet to the target to exploit the first vulnerability. Finally, the attack chain will be triggered by sending an HTTP request to the CUPS Management Interface to print a test page on the fake printer, which in turn, will execute the commands that will deploy the agent. The url for the CUPS Management Interface can be set with the CUPS_MANAGEMENT_URL parameter. If no value is specified, then http and tcp port 631 will be used. If the final step fails (i.e. if the CUPS Management Interface only listens in the local interface) the module will keep running for a period of time waiting for the target system to create a print job on the fake printer that will deliver the attack to deploy the agent. The wait time (in seconds) can be changed with the ATTACK_TIMEOUT parameter. The default/minimal value is 90 seconds.

In GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to all GeoServer instances. In order to exploit this vulnerability, this module sends an evil XPath expression that after being processed by the commons-jxpath library allows us to deploy an agent.

In GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to all GeoServer instances. In order to exploit this vulnerability, this module sends an evil XPath expression that after being processed by the commons-jxpath library allows us to deploy an agent.

This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with the NT AUTHORITY\SYSTEM user privileges. First, the module will register an endpoint in the local webserver that will be used in the attack to send a serialized gadget to the target that will execute system commands to deploy the agent. Finally, it will trigger the vulnerability by crafting a System.Runtime.Remoting.ObjRef .NET class type object and sending it to the /VeeamAuthService .NET remoting endpoint using an external .NET executable. The deserialization of the crafted object will force a POST HTTP request to the local webserver, which will, in turn, deliver the serialized gadget that will deploy the agent.

This module uses a directory traversal vulnerability to deploy an agent in Progress WhatsUp Gold that will run with the IIS APPPOOL\NmConsole user privileges. The module will launch a local webserver that will be used in the attack to send poisoned responses and to upload a webshell to the target. Then it will trigger the vulnerability via the /NmAPI/RecurringReport endpoint. Finally, it will buteforce a webshell name trying to find the one uploaded by the server, that will deploy an agent. The webshell will be saved in the "C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole\Data\ExportedReports" directory of the target.

This module chains together three vulnerabilities to deploy an agent. First, a vulnerability is used to obtain the exact version of Ivanti Connect Secure installed on the system. Next, the module exploits a second vulnerability that allows the attacker to access certain restricted resources without authentication, leveraging a flaw in the SAML component. Finally, the module uses a third vulnerability that enables remote code execution with elevated privileges in the management component, facilitating the injection and execution of the agent. This module uses the first vulnerability to take advantage of the lack of authentication at '/api/v1/totp/user-backup-code,' allowing unauthenticated access and route traversal. With this, the application version can be obtained by accessing '/system/system-information.' Next, it leverages an SSRF vulnerability in the xmltooling library. The '/dana-ws/saml20.ws' endpoint, which handles SOAP-based SAML requests, does not require authentication. This allows anyone to send requests to this endpoint without authentication, exploiting the SSRF vulnerability to send HTTP requests from the compromised server to internal resources. Finally, by sending a request to the SSRF-exploited endpoint, the third vulnerability is used to access the system and execute remote commands. The deployed agent will run with ROOT privileges.

This module chains 2 vulnerabilities to deploy an agent in Magento eCommerce Web Sites that will run with the webserver user privileges. The first vulnerability is an XML External Entity Reference that leverages nested deserialization in Magento's handling of JSON data. This vulnerability allows attackers to manipulate XML input to access arbitrary files on the server. The second vulnerability is a heap buffer overflow in the iconv() function of the GNU C Library. This module will use first vulnerability to download the /proc/self/maps and the libc library. These files will allow the calculation of all the memory offsets required to exploit the second vulnerability and deploy an agent.

This module chains 2 vulnerabilities to deploy an agent in Magento eCommerce Web Sites that will run with the webserver user privileges. The first vulnerability is an XML External Entity Reference that leverages nested deserialization in Magento's handling of JSON data. This vulnerability allows attackers to manipulate XML input to access arbitrary files on the server. The second vulnerability is a heap buffer overflow in the iconv() function of the GNU C Library. This module will use first vulnerability to download the /proc/self/maps and the libc library. These files will allow the calculation of all the memory offsets required to exploit the second vulnerability and deploy an agent.

A vulnerability in the RecordGoodApp method allows to unauthenticated remote attackers to execute commands. This function is potentially vulnerable to an SQL injection because it uses string.Format to insert a value into the SQL query.