Fix failed login check in exploit/multi/http/coldfusion_rds for ColdFusion 9.something #12492

Merged
merged 7 commits into from Nov 7, 2019
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Deprecated
include Msf::Module::Deprecated

moved_from 'exploit/linux/http/cisco_rv130_rmi_rce'
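
Review bot: the `include` swap from `Msf::Exploit::Deprecated` to `Msf::Module::Deprecated` in this Cisco RV130 module is unrelated to the ColdFusion login check the title describes. Put it in its own commit with a message that says why the mixin name changes, and search the tree for any remaining `include Msf::Exploit::Deprecated` so the same one-line fix is not missed in other modules.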

@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::SSH
include Msf::Exploit::Deprecated
include Msf::Module::Deprecated

moved_from 'exploit/linux/ssh/ubiquiti_airos_file_upload'

@@ -8,12 +8,15 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Module::Deprecated

moved_from 'exploit/multi/http/coldfusion_rds'

Rank = GreatRanking

def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe ColdFusion 9 Administrative Login Bypass',
'Name' => 'Adobe ColdFusion RDS Authentication Bypass',
'Description' => %q{
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
attackers to bypass authentication using the RDS component. Due to
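
Review bot: `moved_from 'exploit/multi/http/coldfusion_rds'` and the new 'Name' mean this module is being renamed, while the title still presents the change as a fix to the old path. State the rename and the new module path in the description, and update any module documentation keyed to the old name. The new 'Name' no longer says "9", which agrees with the 'Description' listing version 10, so that part reads correctly.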
@@ -235,7 +238,7 @@ def upload_payload
'cookie' => cookie
})

if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator/
This conversation was marked as resolved by wvu-r7

acammack-r7 Oct 31, 2019

Contributor
Suggested change
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator/
if res and res.code == 200 and res.body.to_s.include? 'ColdFusion Administrator'

As long as we're fixing this we should also ditch the regex of a literal.

bcoles Oct 31, 2019

Contributor

As long as we're fixing this we should also ditch the regex of a literal.

Agreed. I'm pretty sure the correct syntax is:

Suggested change
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator/
if res && res.code == 200 && res.body.to_s.include?('ColdFusion Administrator')

acammack-r7 Oct 31, 2019

Contributor

Yep, that should work.

wvu-r7 Oct 31, 2019

Author Contributor

You guys are gonna make me want to fix all of it. That is certainly not the only line!

bcoles Oct 31, 2019

Contributor

You guys are gonna make me want to fix all of it. That is certainly not the only line!

Yeah, the module has problems, like this, which attempts to access the body property of res, which could potentially be nil.

    #is it cf9?
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')
    })

    img = Rex::Text.md5(res.body.to_s)
    imghash = "596b3fc4f1a0b818979db1cf94a82220"
print_good("Logged in as Administrator!")
else
fail_with(Failure::Unknown, "#{peer} - Login Failed")
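
Review bot: in the changed `if` of `upload_payload`, the new literal `ColdFusion Administrator` is a prefix of the old `ColdFusion Administrator Login`, so the condition now accepts every body the old one did plus any other 200 response that carries the product string, and that branch still prints "Logged in as Administrator!". If the unauthenticated login page also contains that string, a failed login would be reported as success. Consider matching on text that only appears after authentication, or additionally rejecting a body that still contains the login form, and add a comment recording which ColdFusion versions each string was observed on.
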
@@ -9,7 +9,7 @@ class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::Windows::Process
include Msf::Exploit::Deprecated
include Msf::Module::Deprecated

moved_from 'post/windows/manage/payload_inject'
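
Review bot: `moved_from 'post/windows/manage/payload_inject'` sits in a class that inherits `Msf::Exploit::Local`, so the old path is a post module and the new one is an exploit. A short comment beside `moved_from` noting the change of module type would help the next reader, and it is worth confirming in testing that loading the old `post/` path still resolves to this module with the deprecation notice after the mixin change.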
