##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'ColdFusion Version Scanner',
'Description' => %q{
This module attempts identify various flavors of ColdFusion up to version 10
as well as the underlying OS.
},
'Author' =>
[
'nebulus', # Original
'sinn3r' # Fingerprint() patch for Cold Fusion 10
],
'License' => MSF_LICENSE
)
end
def fingerprint(response)
if(response.headers.has_key?('Server') )
if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
os = "Windows (#{response.headers['Server']})"
elsif(response.headers['Server'] =~ /Apache\//)
os = "Unix (#{response.headers['Server']})"
else
os = response.headers['Server']
end
end
return nil if response.body.length < 100
title = "Not Found"
if(response.body =~ /
(.+)<\/title\/?>/im)
title = $1
title.gsub!(/\s/, '')
end
return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
out = nil
if(response.body =~ />\s*Version:\s*(.*)<\/strong\>
\s+ url,
'method' => 'GET',
})
return if not res or not res.body or not res.code
res.body.gsub!(/[\r|\n]/, ' ')
if (res.code.to_i == 200)
out = fingerprint(res)
return if not out
if(out =~ /^Unknown/)
print_status("#{ip} " << out)
return
else
print_good("#{ip}: " << out)
report_note(
:host => ip,
:port => datastore['RPORT'],
:proto => 'tcp',
:ntype => 'cfversion',
:data => out
)
end
elsif(res.code.to_i == 403 and datastore['VERBOSE'])
if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
print_status("#{ip} denied access to #{url} (SSL Required)")
elsif(res.body =~ /has a list of IP addresses that are not allowed/)
print_status("#{ip} restricted access by IP")
elsif(res.body =~ /SSL client certificate is required/)
print_status("#{ip} requires a SSL client certificate")
else
print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
end
end
rescue OpenSSL::SSL::SSLError
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
rescue ::Timeout::Error, ::Errno::EPIPE
end
end