From e14668ece9248d6e0f5c992a5e5f23c5c656dd02 Mon Sep 17 00:00:00 2001
From: Wei Chen <Wei_Chen@rapid7.com>
Date: Mon, 31 Oct 2011 18:18:11 +0000
Subject: [PATCH] Add ColdFusion version scanner - feature #4079

git-svn-id: file:///home/svn/framework3/trunk@14127 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../scanner/http/cold_fusion_version.rb       | 123 ++++++++++++++++++
 1 file changed, 123 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/cold_fusion_version.rb

diff --git a/modules/auxiliary/scanner/http/cold_fusion_version.rb b/modules/auxiliary/scanner/http/cold_fusion_version.rb
new file mode 100644
index 0000000000..3494aa2300
--- /dev/null
+++ b/modules/auxiliary/scanner/http/cold_fusion_version.rb
@@ -0,0 +1,123 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'        => 'ColdFusion Version Scanner',
+			'Version'     => '$Revision$',
+			'Description' => %q{
+					This module attempts identify various flavors of ColdFusion as well as the underlying OS
+			},
+			'Author'      => [ 'nebulus' ],
+			'License'     => MSF_LICENSE,
+		)
+	end
+
+	def fingerprint(response)
+
+		if(response.headers.has_key?('Server') )
+			if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
+				os = "Windows (#{response.headers['Server']})"
+			elsif(response.headers['Server'] =~ /Apache\//)
+					os = "Unix (#{response.headers['Server']})"
+			else
+				os = response.headers['Server']
+			end
+		end
+
+		len = (response.body.length > 2500) ?  2500 : response.body.length
+		return nil if response.body.length < 100
+
+		title = "Not Found"
+		if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
+			title = $1
+			title.gsub!(/\s/, '')
+		end
+		return nil  if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
+
+		out = nil
+
+		if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
+			v = $1
+			out = (v =~ /^6/) ? "Adobe ColdFusion MX6 #{v}" : "Adobe ColdFusion MX7 #{v}"
+		elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
+			out = "Adobe ColdFusion 8"
+		elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or 
+			response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/)
+			out = "Adobe ColdFusion 9"
+		elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
+			out = $1.split(/,/)[0]
+		else
+			out = 'Unknown ColdFusion'
+		end
+
+		if(title.downcase == 'coldfusionadministrator')
+			out << " (administrator access)"
+		end
+
+		out << " (#{os})"
+		return out
+	end
+
+	def run_host(ip)
+
+		url = '/CFIDE/administrator/index.cfm'
+
+		res = send_request_cgi({
+				'uri' => url,
+				'method' => 'GET',
+				}, 5)
+
+		return if not res or not res.body or not res.code
+		res.body.gsub!(/[\r|\n]/, ' ')
+
+		if (res.code.to_i == 200)
+			out = fingerprint(res)
+			return if not out
+			if(out =~ /^Unknown/)
+				print_status("#{ip} " << out)
+				return
+			else
+				print_good("#{ip}: " << out)
+				report_note(
+					:host  => ip,
+					:port  => datastore['RPORT'],
+					:proto => 'tcp',
+					:ntype => 'cfversion',
+					:data  => out
+				)
+			end
+		elsif(res.code.to_i == 403 and datastore['VERBOSE'])
+			if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+				print_status("#{ip} denied access to #{url} (SSL Required)")
+			elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+				print_status("#{ip} restricted access by IP")
+			elsif(res.body =~ /SSL client certificate is required/)
+				print_status("#{ip} requires a SSL client certificate")
+			else
+				print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+			end
+		end
+
+	rescue OpenSSL::SSL::SSLError
+	rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+	rescue ::Timeout::Error, ::Errno::EPIPE
+	end
+
+end