Immunity, Inc.
Name: FCKEditor
CVE: CVE-2009-2265
Exploit Pack: CANVAS
Description: FCKEditor
Notes:
CVE Name: CVE-2009-2265
VENDOR:
Known Vulnerable Versions: ['ColdFusion MX 8 - 8.01', 'osCMax <=2.0', 'RunCMS <=1.3a', 'Falt4 CMS', 'Many more to come!']
Notes: This exploit has two different variants: one for Windows on ColdFusion and another for Apache. The default variant will get you a shell on ColdFusion MX 8.0 and MX 8.0.1.

ColdFusion/IIS: To exploit this successfully you have to win a race condition. This exploit module dramatically increases your odds of getting a shell (in fact it doesn't stop until it does or you stop it). Due to the nature of the exploit you may get more than one shell to appear, because the race can be won again before the module has a chance to stop trying. We first send a ColdFusion module up to the server that, when executed, will dump a MOSDEF trojan onto the webserver, named in the format CFAdminYYZZ.exe.

This MOSDEF shell will be running as user SYSTEM. The default behavior of this exploit is to attack ColdFusion on IIS.

Apache: There are many applications that use FCKEditor and the attack vector varies as a result. This module attempts a combination of many known attack vectors but can be 'noisy'.

In the 'autoversion' mode it will attempt to locate installations of a few applications that are known to be vulnerable.
In the 'custom' mode you can supply a path to your own connector believed to be vulnerable, and CANVAS will attempt a variety of combinations to get a shell uploaded and executed.

Be mindful to supply the correct basepath so CANVAS can build the URLs correctly!

Due to the race condition the generated CFAdminYYZZ.cfm file may not be deleted from the /UserFiles/File folder. You may have to delete it manually.
Repeatability: Infinite
References: ['http://www.adobe.com/support/security/bulletins/apsb09-09.html (ColdFusion)']
Date public: 7/8/2009
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
Google Dorks: ['inurl:cfm/cf5_connector.cfm', 'inurl:cfm/cf5_upload.cfm', 'inurl:php/connector.php']
CVSS: 7.5
