| Name | CF_directory_traversal |
| CVE | CVE-2010-2861 |
| Exploit Pack | CANVAS |
| Description | ColdFusion Directory Traversal |
| Notes | CVE Name: CVE-2010-2861 VENDOR: http://www.adobe.com Things to consider: 1 - A remote file (i-test10-1.cfm) will be left in the webroot as well as the CANVAS callback trojan (CF8AdminXXYY.exe) 2 - When creating a ColdFusion Task a time must be specified. For now this is the current time relative to the CANVAS host plus 1 minute. 3 - This module assumes that ColdFusion was installed in the default location. Notes: This is a multi-step exploit. The steps include: 1 - Exploit the directory traversal to read the configuration file containing the CF admin password hash 2 - Login in with the hash (without knowing the plaintext) 3 - Attempt to discover the web document root (otherwise default to \inetpub\wwwroot) 4 - Create a scheduled task that will download a remote .cfm file 5 - Run the remote .cfm file to execute our CANVAS callback trojan 6 - Enjoy our SYSTEM shell :) Known Vulnerable Versions: ['ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX'] Repeatability: Infinite References: http://www.adobe.com/support/security/bulletins/apsb10-18.html CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2861 Google Dorks: ['inurl:/CFIDE/administrator/'] |
| Learn more about the CANVAS Exploit Pack here: CANVAS |