From 8d2bd74d312c9a737a02f48e2744d95225bd4483 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Thu, 18 Dec 2014 17:21:26 -0800
Subject: [PATCH] Add preliminary module to cover 'Misfortune Cookie', CVE-2014-9222

---
 .../allegro_rompager_misfortune_cookie.rb | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb

diff --git a/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb b/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb
new file mode 100644
index 0000000000..9b8200b645
--- /dev/null
+++ b/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb
@@ -0,0 +1,64 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize(info = {})
+ super(update_info(
+ info,
+ 'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner",
+ 'Description' => %q(
+ This module scans for HTTP servers that appear to be vulnerable to the
+ 'Misfortune Cookie' vulnerability which affects Allegro Software
+ Rompager versions before 4.34 and can allow attackers to authenticate
+ to the HTTP service as an administrator without providing valid
+ credentials, however more specifics are not yet known.
+ ),
+ 'Author' => [
+ 'Jon Hart ', # metasploit module
+ 'Lior Oppenheim' # CVE-2014-9222
+ ],
+ 'References' => [
+ ['CVE', '2014-9222'],
+ ['URL', 'http://mis.fortunecook.ie']
+ ],
+ 'DisclosureDate' => 'Dec 17 2014',
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'Path to fingerprint RomPager from', '/Allegro'])
+ ], self.class)
+ end
+
+ def check_host(ip)
+ res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s), 'method' => 'GET')
+ fp = http_fingerprint(response: res)
+ if /RomPager\/(?[\d\.]+)$/ =~ fp
+ if Gem::Version.new(version) < Gem::Version.new('4.34')
+ report_vuln(
+ host: ip,
+ port: rport,
+ name: name,
+ refs: references
+ )
+ return Exploit::CheckCode::Appears
+ else
+ return Exploit::CheckCode::Detected
+ end
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def run_host(ip)
+ print_good("#{peer} appears to be vulnerable") if check_host(ip) == Exploit::CheckCode::Appears
+ end
+end
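Review bot: In `check_host`, a host that returns no response still falls through to the outer `else` and is reported as `Exploit::CheckCode::Safe`, so an unreachable or non-HTTP target is indistinguishable from a patched one; add `return Exploit::CheckCode::Unknown unless res` directly after the `send_request_cgi` line (note that `http_fingerprint(response: nil)` may fall back to issuing its own request, which is probably not what the scanner intends). The regex as printed, `/RomPager\/(?[\d\.]+)$/`, has an empty group name — presumably `(?<version>…)` was lost in rendering, since `version` is read on the next line — and `[\d\.]+` also accepts strings such as `4.` or `..` that make `Gem::Version.new` raise `ArgumentError` and abort the host, so guard with `return Exploit::CheckCode::Detected unless Gem::Version.correct?(version)` before the comparison. The trailing `$` anchor means any fingerprint carrying tokens after the version string is classified Safe rather than Detected; if that is intentional it deserves a comment, otherwise a `\b` boundary would be more forgiving. Finally, `run_host` prints nothing for `Detected` hosts; a `print_status("#{peer} is running RomPager but was not flagged as vulnerable")` branch would tell the operator the service was found and fingerprinted.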