Immunity, Inc.
Name CF_directory_traversal
CVE CVE-2010-2861
Exploit Pack CANVAS
DescriptionColdFusion Directory Traversal
NotesCVE Name: CVE-2010-2861
Things to consider:
1 - A remote file (i-test10-1.cfm) will be left in the webroot as well as the CANVAS callback trojan (CF8AdminXXYY.exe)
2 - When creating a ColdFusion Task a time must be specified. For now this is the current time relative to the CANVAS host plus 1 minute.
3 - This module assumes that ColdFusion was installed in the default location.

Notes: This is a multi-step exploit. The steps include:
1 - Exploit the directory traversal to read the configuration file containing the CF admin password hash
2 - Login in with the hash (without knowing the plaintext)
3 - Attempt to discover the web document root (otherwise default to \inetpub\wwwroot)
4 - Create a scheduled task that will download a remote .cfm file
5 - Run the remote .cfm file to execute our CANVAS callback trojan
6 - Enjoy our SYSTEM shell :)

Known Vulnerable Versions: ['ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX']
Repeatability: Infinite
Google Dorks: ['inurl:/CFIDE/administrator/']

Learn more about the CANVAS Exploit Pack here: CANVAS