Add LinuxKI RCE exploit

modules/vulnerabilities/unix/http/linuxki_rce/linuxki_rce.pp

@@ -0,0 +1,6 @@
+contain linuxki_rce::install
+contain linuxki_rce::apache
+contain linuxki_rce::configure
+Class['linuxki_rce::install']
+-> Class['linuxki_rce::apache']
+-> Class['linuxki_rce::configure']

modules/vulnerabilities/unix/http/linuxki_rce/manifests/apache.pp

@@ -0,0 +1,55 @@
+# Class: linuxki::apache
+# Apache configuration for linuxki
+#
+class linuxki_rce::apache {
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  file { '/etc/apache2/sites-enabled/000-default.conf':
+    ensure => absent,
+  }
+
+  class { '::apache':
+    default_vhost   => false,
+    default_mods    => ['rewrite'], # php5 via separate module
+    overwrite_ports => false,
+    mpm_module      => 'prefork',
+  }
+  -> ::apache::vhost { 'linuxki':
+    port        => '80',
+    options     => 'FollowSymLinks',
+    override    => 'All',
+    docroot     => '/opt/',
+    directories => [{
+      path  => '/opt/',
+      allow => 'from all',
+    },{
+      path  => '/opt/linuxki/',
+      allow => 'from all',
+    }],
+  }
+
+  $dirmatch = '<Directory /var/www/>
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Require all granted
+  </Directory>
+  
+  <Directory /opt/>
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Require all granted
+  </Directory>'
+
+  # ugly way to append to the file... clean up potentially?
+  exec { 'append-directories':
+    command   => "grep -qE '<Directory (\/opt\/)>|<Directory (\/var\/www\/)>' /etc/apache2/apache2.conf && echo '' || echo \"${dirmatch}\" | sudo tee -a /etc/apache2/apache2.conf",
+  }
+  # restart apache
+  -> exec { 'restart-apache-linuxki':
+    command   => 'service apache2 restart',
+    logoutput => true
+  }
+  -> exec { 'wait-apache-linuxki':
+    command => 'sleep 4',
+  }
+}

modules/vulnerabilities/unix/http/linuxki_rce/manifests/configure.pp

@@ -0,0 +1,18 @@
+# Class: linuxki_rce::configure
+# LinuxKI configuration
+#
+class linuxki_rce::configure {
+  $leaked_filenames = ['flagtest'] ##$secgen_parameters['leaked_filenames']
+  $strings_to_leak = ['this is a list of strings that are secrets / flags','another secret'] ##$secgen_parameters['strings_to_leak']
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  ::secgen_functions::leak_files { 'linuxki-flag-leak':
+    storage_directory => '/opt/linuxki/experimental/vis',
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => 'www-data',
+    mode              => '0750',
+    leaked_from       => 'linuxki_rce',
+  }
+}

modules/vulnerabilities/unix/http/linuxki_rce/manifests/install.pp

@@ -0,0 +1,19 @@
+# Class: linuxki_rce::install
+# Install process for linuxKI toolkit
+#
+class linuxki_rce::install {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  # Maybe automate linux-headers to use uname -r?
+  ensure_packages(['make', 'elfutils', 'php', 'linux-headers-4.19.0-21-amd64'])
+
+  file { '/tmp/linuxki_6.0-1_all.deb':
+    ensure => file,
+    source => 'puppet:///modules/linuxki_rce/linuxki_6.0-1_all.deb',
+  }
+  -> package { 'linuxki':
+    ensure   => installed,
+    provider => dpkg,
+    source   => '/tmp/linuxki_6.0-1_all.deb'
+  }
+}

modules/vulnerabilities/unix/http/linuxki_rce/secgen_metadata.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>LinuxKI Toolset 6.01 Remote Command Execution</name>
+  <author>James Davis</author>
+  <module_license>MIT</module_license>
+  <description> This
+    module exploits a vulnerability in LinuxKI Toolset 6.01 and below which allows
+    remote code execution.
+    The kivis.php pid parameter received from the user is sent to the shell_exec function,
+    resulting in security vulnerability.
+  </description>
+
+  <type>http</type>
+  <type>in_the_wild</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>port</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+  <read_fact>strings_to_pre_leak</read_fact>
+
+  <default_input into="port">
+    <value>**CHECK THIS**</value>
+  </default_input>
+
+  <!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="message_generator" />
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator" />
+  </default_input>
+
+  <!--optional
+  vulnerability details-->
+  <cve>CVE-2020-7209</cve>
+  <cvss_base_score>9.8</cvss_base_score>
+  <cvss_vector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss_vector>
+  <software_name>LinuxKI</software_name>
+  <software_license>GNU GPLv2</software_license>
+  <reference>
+    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/linuxki_rce.rb</reference>
+  <reference>
+    https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-1</reference>
+
+  <!--optional
+  hints-->
+  <hint></hint>
+
+  <!-- can't live alongside other web sites, since it accepts any virtual host name -->
+  <conflict>
+    <type>webapp</type>
+  </conflict>
+
+  <requires>
+    <module_path>services/unix/http/apache_stretch_compatible/apache</module_path>
+  </requires>
+
+  <requires>
+    <module_path>services/unix/http/**check versions**</module_path>
+  </requires>
+
+
+</vulnerability>