diff --git a/modules/vulnerabilities/unix/http/linuxki_rce/files/linuxki_6.0-1_all.deb b/modules/vulnerabilities/unix/http/linuxki_rce/files/linuxki_6.0-1_all.deb
new file mode 100644
index 000000000..52adc24de
Binary files /dev/null and b/modules/vulnerabilities/unix/http/linuxki_rce/files/linuxki_6.0-1_all.deb differ
diff --git a/modules/vulnerabilities/unix/http/linuxki_rce/linuxki_rce.pp b/modules/vulnerabilities/unix/http/linuxki_rce/linuxki_rce.pp
new file mode 100644
index 000000000..16037f28d
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/linuxki_rce.pp
@@ -0,0 +1,6 @@
+contain linuxki_rce::install
+contain linuxki_rce::apache
+contain linuxki_rce::configure
+Class['linuxki_rce::install']
+-> Class['linuxki_rce::apache']
+-> Class['linuxki_rce::configure']
diff --git a/modules/vulnerabilities/unix/http/linuxki_rce/manifests/apache.pp b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/apache.pp
new file mode 100644
index 000000000..c05978088
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/apache.pp
@@ -0,0 +1,58 @@
+# Class: linuxki::apache
+# Apache configuration for linuxki
+#
+class linuxki_rce::apache {
+ Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+ $port = $secgen_parameters['port'][0]
+
+ file { '/etc/apache2/sites-enabled/000-default.conf':
+ ensure => absent,
+ }
+
+ class { '::apache':
+ default_vhost => false,
+ default_mods => ['rewrite'], # php5 via separate module
+ overwrite_ports => false,
+ mpm_module => 'prefork',
+ }
+ -> ::apache::vhost { 'linuxki':
+ port => $port,
+ options => 'FollowSymLinks',
+ override => 'All',
+ docroot => '/opt/',
+ directories => [{
+ path => '/opt/',
+ allow => 'from all',
+ },{
+ path => '/opt/linuxki/',
+ allow => 'from all',
+ }],
+ }
+
+ $dirmatch = '
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+
+
+
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+ '
+
+ # ugly way to append to the file... clean up potentially?
+ exec { 'append-directories':
+ command => "grep -qE '|' /etc/apache2/apache2.conf && echo '' || echo \"${dirmatch}\" | sudo tee -a /etc/apache2/apache2.conf",
+ }
+ # restart apache
+ -> exec { 'restart-apache-linuxki':
+ command => 'service apache2 restart',
+ logoutput => true
+ }
+ -> exec { 'wait-apache-linuxki':
+ command => 'sleep 4',
+ }
+}
diff --git a/modules/vulnerabilities/unix/http/linuxki_rce/manifests/configure.pp b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/configure.pp
new file mode 100644
index 000000000..c360ae0ff
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/configure.pp
@@ -0,0 +1,29 @@
+# Class: linuxki_rce::configure
+# LinuxKI configuration
+#
+class linuxki_rce::configure {
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+ $leaked_filenames = $secgen_parameters['leaked_filenames']
+ $strings_to_leak = $secgen_parameters['strings_to_leak']
+
+ $user = $secgen_parameters['leaked_username'][0]
+ $user_home = "/home/${user}"
+
+ Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+ # Create user
+ user { $user:
+ ensure => present,
+ home => $user_home,
+ managehome => true,
+ }
+
+ ::secgen_functions::leak_files { 'linuxki-flag-leak':
+ storage_directory => $user_home,
+ leaked_filenames => $leaked_filenames,
+ strings_to_leak => $strings_to_leak,
+ owner => $user,
+ mode => '0644',
+ leaked_from => 'linuxki_rce',
+ }
+}
diff --git a/modules/vulnerabilities/unix/http/linuxki_rce/manifests/install.pp b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/install.pp
new file mode 100644
index 000000000..49b080c34
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/manifests/install.pp
@@ -0,0 +1,19 @@
+# Class: linuxki_rce::install
+# Install process for linuxKI toolkit
+#
+class linuxki_rce::install {
+ Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+ # Maybe automate linux-headers to use uname -r?
+ ensure_packages(['make', 'elfutils', 'php', 'linux-headers-4.19.0-21-amd64'])
+
+ file { '/tmp/linuxki_6.0-1_all.deb':
+ ensure => file,
+ source => 'puppet:///modules/linuxki_rce/linuxki_6.0-1_all.deb',
+ }
+ -> package { 'linuxki':
+ ensure => installed,
+ provider => dpkg,
+ source => '/tmp/linuxki_6.0-1_all.deb'
+ }
+}
diff --git a/modules/vulnerabilities/unix/http/linuxki_rce/secgen_metadata.xml b/modules/vulnerabilities/unix/http/linuxki_rce/secgen_metadata.xml
new file mode 100644
index 000000000..955256216
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/linuxki_rce/secgen_metadata.xml
@@ -0,0 +1,63 @@
+
+
+
+ LinuxKI Toolset 6.01 Remote Command Execution
+ James Davis
+ MIT
+
+ This module exploits a vulnerability in LinuxKI Toolset 6.01 and below which allows
+ remote code execution.
+ The kivis.php pid parameter received from the user is sent to the shell_exec function,
+ resulting in security vulnerability.
+
+
+ web
+ in_the_wild
+ user_rwx
+ remote
+ linux
+ low
+
+ port
+ strings_to_leak
+ leaked_filenames
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CVE-2020-7209
+ 9.8
+ AV:N/AC:L/Au:N/C:C/I:C/A:C
+
+ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/linuxki_rce.rb
+ https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-1
+ LinuxKI
+ GNU GPLv2
+
+
+ update
+
+
+
+ .*apache.*compatible.*
+
+
+
\ No newline at end of file
diff --git a/scenarios/examples/vulnerability_examples/linuxki_rce.xml b/scenarios/examples/vulnerability_examples/linuxki_rce.xml
new file mode 100644
index 000000000..75df73078
--- /dev/null
+++ b/scenarios/examples/vulnerability_examples/linuxki_rce.xml
@@ -0,0 +1,16 @@
+
+
+
+
+
+ linuxki
+
+
+
+
+
+
+
+
\ No newline at end of file