## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize super( 'Name' => 'ColdFusion Version Scanner', 'Description' => %q{ This module attempts identify various flavors of ColdFusion up to version 10 as well as the underlying OS. }, 'Author' => [ 'nebulus', # Original 'sinn3r' # Fingerprint() patch for Cold Fusion 10 ], 'License' => MSF_LICENSE ) end def fingerprint(response) if(response.headers.has_key?('Server') ) if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/) os = "Windows (#{response.headers['Server']})" elsif(response.headers['Server'] =~ /Apache\//) os = "Unix (#{response.headers['Server']})" else os = response.headers['Server'] end end return nil if response.body.length < 100 title = "Not Found" if(response.body =~ /(.+)<\/title\/?>/im) title = $1 title.gsub!(/\s/, '') end return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/) out = nil if(response.body =~ />\s*Version:\s*(.*)<\/strong\>\s+ url, 'method' => 'GET', }) return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') if (res.code.to_i == 200) out = fingerprint(res) return if not out if(out =~ /^Unknown/) print_status("#{ip} " << out) return else print_good("#{ip}: " << out) report_note( :host => ip, :port => datastore['RPORT'], :proto => 'tcp', :ntype => 'cfversion', :data => out ) end elsif(res.code.to_i == 403 and datastore['VERBOSE']) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) print_status("#{ip} denied access to #{url} (SSL Required)") elsif(res.body =~ /has a list of IP addresses that are not allowed/) print_status("#{ip} restricted access by IP") elsif(res.body =~ /SSL client certificate is required/) print_status("#{ip} requires a SSL client certificate") else print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") end end rescue OpenSSL::SSL::SSLError rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError rescue ::Timeout::Error, ::Errno::EPIPE end end