Land rapid7#5431, deprecate cold_fusion_version, use coldfusion_version instead.

wchen-r7 · wchen-r7 · commit b6b055a5f2e2 · 2015-05-28T15:40:34.000-05:00
diff --git a/modules/auxiliary/scanner/http/cold_fusion_version.rb b/modules/auxiliary/scanner/http/cold_fusion_version.rb
@@ -10,6 +10,9 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015, 6, 28), 'auxiliary/scanner/http/coldfusion_version')
 
   def initialize
     super(
diff --git a/modules/auxiliary/scanner/http/coldfusion_version.rb b/modules/auxiliary/scanner/http/coldfusion_version.rb
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize
+    super(
+      'Name'        => 'ColdFusion Version Scanner',
+      'Description' => %q{
+        This module attempts identify various flavors of ColdFusion up to version 10
+        as well as the underlying OS.
+      },
+      'Author'      =>
+        [
+          'nebulus',  # Original
+          'sinn3r'    # Fingerprint() patch for Cold Fusion 10
+        ],
+      'License'     => MSF_LICENSE
+    )
+  end
+
+  def fingerprint(response)
+
+    if(response.headers.has_key?('Server') )
+      if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
+        os = "Windows (#{response.headers['Server']})"
+      elsif(response.headers['Server'] =~ /Apache\//)
+        os = "Unix (#{response.headers['Server']})"
+      else
+        os = response.headers['Server']
+      end
+    end
+
+    return nil if response.body.length < 100
+
+    title = "Not Found"
+    if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/im)
+      title = $1
+      title.gsub!(/\s/, '')
+    end
+
+    return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
+
+    out = nil
+
+    if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
+      v = $1
+      out = (v =~ /^6/) ? "Adobe ColdFusion MX6 #{v}" : "Adobe ColdFusion MX7 #{v}"
+    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995\-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ )
+      out = "Adobe ColdFusion MX7"
+    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2006 Adobe/)
+      out = "Adobe ColdFusion 8"
+    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
+      response.body =~ /1997\-2012 Adobe Systems Incorporated and its licensors/)
+      out = "Adobe ColdFusion 10"
+    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ or
+      response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/ or
+      response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1997\-2012 Adobe Systems\, Inc\. All rights reserved/)
+      out = "Adobe ColdFusion 9"
+    elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
+      out = $1.split(/,/)[0]
+    else
+      out = 'Unknown ColdFusion'
+    end
+
+    if(title.downcase == 'coldfusionadministrator')
+      out << " (administrator access)"
+    end
+
+    out << " (#{os})"
+    return out
+  end
+
+  def run_host(ip)
+
+    url = '/CFIDE/administrator/index.cfm'
+
+    res = send_request_cgi({
+      'uri' => url,
+      'method' => 'GET',
+    })
+
+    return if not res or not res.body or not res.code
+    res.body.gsub!(/[\r|\n]/, ' ')
+
+    if (res.code.to_i == 200)
+      out = fingerprint(res)
+      return if not out
+      if(out =~ /^Unknown/)
+        print_status("#{ip} " << out)
+        return
+      else
+        print_good("#{ip}: " << out)
+        report_note(
+          :host  => ip,
+          :port  => datastore['RPORT'],
+          :proto => 'tcp',
+          :ntype => 'cfversion',
+          :data  => out
+        )
+      end
+    elsif(res.code.to_i == 403 and datastore['VERBOSE'])
+      if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+        print_status("#{ip} denied access to #{url} (SSL Required)")
+      elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+        print_status("#{ip} restricted access by IP")
+      elsif(res.body =~ /SSL client certificate is required/)
+        print_status("#{ip} requires a SSL client certificate")
+      else
+        print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+      end
+    end
+
+  rescue OpenSSL::SSL::SSLError
+  rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+  rescue ::Timeout::Error, ::Errno::EPIPE
+  end
+
+end
