Land #10352, Add check/response for CVE-2017-12149

2018-11-20 13:11:05 -06:00 · 2018-11-20 13:11:05 -06:00 · 288d78d372
parent d5d8216377 52df29ebcc
commit 288d78d372
1 changed files with 27 additions and 20 deletions
--- a/modules/auxiliary/scanner/http/jboss_vulnscan.rb
+++ b/modules/auxiliary/scanner/http/jboss_vulnscan.rb
@ -23,7 +23,8 @@ class MetasploitModule < Msf::Auxiliary
        ],
      'References'            =>
        [
-          [ 'CVE', '2010-0738' ] # VERB auth bypass
+          [ 'CVE', '2010-0738' ], # VERB auth bypass
+          [ 'CVE', '2017-12149' ]
        ],
      'License'               => BSD_LICENSE
      ))
@ -57,7 +58,8 @@ class MetasploitModule < Msf::Auxiliary
        '/web-console/ServerInfo.jsp',
        # apps added per Patrick Hof
        '/web-console/Invoker',
-        '/invoker/JMXInvokerServlet'
+        '/invoker/JMXInvokerServlet',
+        '/invoker/readonly'
      ]

      print_status("#{rhost}:#{rport} Checking http...")
@ -88,7 +90,13 @@ class MetasploitModule < Msf::Auxiliary
      'ctype'     => 'text/plain'
    })

-    if res
+
+
+    unless res
+      print_status("#{rhost}:#{rport} #{app} not found")
+      return
+    end
+
    case
    when res.code == 200
      print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")
@ -102,12 +110,11 @@ class MetasploitModule < Msf::Auxiliary
      print_status("#{rhost}:#{rport} #{app} not found (404)")
    when res.code == 301, res.code == 302
      print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
+    when res.code == 500 && app == "/invoker/readonly"
+      print_good("#{rhost}:#{rport} #{app} responded (#{res.code})")
    else
      print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")
    end
-    else
-      print_status("#{rhost}:#{rport} #{app} not found")
-    end
  end

  def jboss_as_default_creds