Land #10352, Add check/response for CVE-2017-12149

2018-11-20 13:11:05 -06:00 · 2018-11-20 13:11:05 -06:00 · de9c57408c
parent b90d79040e
commit de9c57408c
1 changed files with 27 additions and 20 deletions
--- a/modules/auxiliary/scanner/http/jboss_vulnscan.rb
+++ b/modules/auxiliary/scanner/http/jboss_vulnscan.rb
@ -23,7 +23,8 @@ class MetasploitModule < Msf::Auxiliary
        ],
      'References'            =>
        [
-          [ 'CVE', '2010-0738' ] # VERB auth bypass
+          [ 'CVE', '2010-0738' ], # VERB auth bypass
+          [ 'CVE', '2017-12149' ]
        ],
      'License'               => BSD_LICENSE
      ))
@ -57,7 +58,8 @@ class MetasploitModule < Msf::Auxiliary
        '/web-console/ServerInfo.jsp',
        # apps added per Patrick Hof
        '/web-console/Invoker',
-        '/invoker/JMXInvokerServlet'
+        '/invoker/JMXInvokerServlet',
+        '/invoker/readonly'
      ]

      print_status("#{rhost}:#{rport} Checking http...")
@ -88,25 +90,30 @@ class MetasploitModule < Msf::Auxiliary
      'ctype'     => 'text/plain'
    })

-    if res
-      case
-      when res.code == 200
-        print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")
-      when res.code == 403
-        print_status("#{rhost}:#{rport} #{app} restricted (403)")
-      when res.code == 401
-        print_status("#{rhost}:#{rport} #{app} requires authentication (401): #{res.headers['WWW-Authenticate']}")
-        bypass_auth(app)
-        basic_auth_default_creds(app)
-      when res.code == 404
-        print_status("#{rhost}:#{rport} #{app} not found (404)")
-      when res.code == 301, res.code == 302
-        print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
-      else
-        print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")
-      end
-    else
+
+
+    unless res
      print_status("#{rhost}:#{rport} #{app} not found")
+      return
+    end
+
+    case
+    when res.code == 200
+      print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")
+    when res.code == 403
+      print_status("#{rhost}:#{rport} #{app} restricted (403)")
+    when res.code == 401
+      print_status("#{rhost}:#{rport} #{app} requires authentication (401): #{res.headers['WWW-Authenticate']}")
+      bypass_auth(app)
+      basic_auth_default_creds(app)
+    when res.code == 404
+      print_status("#{rhost}:#{rport} #{app} not found (404)")
+    when res.code == 301, res.code == 302
+      print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
+    when res.code == 500 && app == "/invoker/readonly"
+      print_good("#{rhost}:#{rport} #{app} responded (#{res.code})")
+    else
+      print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")
    end
  end