Closed thsle3p closed 10 years ago
Hey @thsle3p, thanks for the feature request!
Fortunately for you, this is already implemented in clusterd, and it's actually what the --cf-hash flag uses to fetch credentials. The LFI deployer actually does use this particular CVE to execute the stager. You can find more info on it here.
You can find the source code for this here:
https://github.com/hatRiot/clusterd/blob/master/src/platform/coldfusion/auxiliary/fetch_hashes.py
clusterd also allows you to pass the hash once fetched via LFI, by simply providing it to --usr-auth.
Cheers!
Wow! Thanks for the fast reply, and I did not know that the --usr-auth module could use the passed hash. Thanks again.
On Thu, 2014-09-18 at 14:10 -0700, bryan alexander wrote:
I am not sure if the ColdFusion LFI stager exploit in clusterd uses CVE-2010-2861 or if that is a separate vulnerability it uses, but if not, I recommend a module that exploits CVE-2010-2861, as it is a widespread (many versions) vulnerability in CF and can be used to deploy code. It could also be used as an aux module to get credentials for a CF server, so that's a double-win vulnerability right there.