infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clean up jboss_status module

bug/bundler_fix
jvazquez-r7 2014-03-28 16:04:43 -05:00
parent fbcd661504
commit e3ec0e7624
1 changed files with 54 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
modules/auxiliary/gather/jboss_status.rb
View File

@ -3,7 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Auxiliary class Metasploit3 < Msf::Auxiliary
@ -14,19 +13,18 @@ class Metasploit3 < Msf::Auxiliary
def initialize def initialize
super( super(
'Name' => 'Jboss Status Servlet Info Gathering', 'Name' => 'JBoss Status Servlet Information Gathering',
'Description' => %q{ 'Description' => %q{
This module queries the Jboss status servlet to collect sensitive This module queries the JBoss status servlet to collect sensitive
information: URL paths, GET parameters and the clients IP address. information: URL paths, GET parameters and the clients IP address.
This module has been tested against JBoss 4.0, 4.2.2 and 4.2.3.
Note: this module has been tested against Jboss 4.0., 4.2.2, 4.2.3
}, },
'References' => 'References' =>
[ [
['CVE', '2008-3273'], ['CVE', '2008-3273'],
['URL', 'http://seclists.org/fulldisclosure/2011/Sep/139'], ['URL', 'http://seclists.org/fulldisclosure/2011/Sep/139'],
['URL', 'https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf'], ['URL', 'https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf'],
['URL', 'http://www.slideshare.net/chrisgates/lares-fromlowtopwned'], ['URL', 'http://www.slideshare.net/chrisgates/lares-fromlowtopwned']
], ],
'Author' => 'Matteo Cantoni <goony[at]nothink.org>', 'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
'License' => MSF_LICENSE 'License' => MSF_LICENSE
@ -34,29 +32,21 @@ class Metasploit3 < Msf::Auxiliary
register_options([ register_options([
Opt::RPORT(8080), Opt::RPORT(8080),
OptString.new('PATH', [ true, "The Jboss status servlet URI path", '/status']), OptString.new('TARGETURI', [ true, 'The JBoss status servlet URI path', '/status'])
OptInt.new('REQCOUNT', [false, 'Number of HTTP requests', 3]),
OptInt.new('DELAY', [false, "Delay in seconds between requests",5])
], self.class) ], self.class)
end end
def run_host(target_host) def run_host(target_host)
jpath = normalize_uri(target_uri.to_s)
jpath = normalize_uri(datastore['PATH']) @requests = []
req_src = [] vprint_status("#{rhost}:#{rport} - Collecting data through #{jpath}...")
req_dst = []
req_path = []
# loop to detect more informations
datastore['REQCOUNT'].times do |count|
vprint_status("#{rhost}:#{rport} #{count + 1}/#{datastore['REQCOUNT']} requests...")
begin
res = send_request_raw({ res = send_request_raw({
'uri' => jpath, 'uri' => jpath,
'method' => 'GET' 'method' => 'GET'
}, 10) })
# detect JBoss application server # detect JBoss application server
if res and res.code == 200 and res.body.match(/<title>Tomcat Status<\/title>/) if res and res.code == 200 and res.body.match(/<title>Tomcat Status<\/title>/)
@ -75,73 +65,48 @@ class Metasploit3 < Msf::Auxiliary
j_dst = $6 j_dst = $6
j_path = $7 j_path = $7
req_src << j_src @requests << [j_src, j_dst, j_path]
if !j_dst.match(/\?/)
req_dst << j_dst
end
if !j_path.match(/\?/)
req_path << j_path
end end
end end
end elsif res and res.code == 401
elsif res.code == 401 vprint_error("#{rhost}:#{rport} - Authentication is required")
vprint_error("#{rhost}:#{rport} authentication is required!")
return return
elsif res.code == 403 elsif res and res.code == 403
vprint_error("#{rhost}:#{rport} forbidden!") vprint_error("#{rhost}:#{rport} - Forbidden")
return return
else else
vprint_error("#{rhost}:#{rport} may not support JBoss application server!") vprint_error("#{rhost}:#{rport} - Unknown error")
return return
end end
end
if datastore['DELAY'] > 0 and datastore['REQCOUNT'] > 1
vprint_status("#{rhost}:#{rport} sleeping for #{datastore['DELAY']} seconds...")
select(nil,nil,nil,datastore['DELAY'])
end
end
# show results # show results
if !req_src.empty? unless @requests.empty?
show_results(target_host)
print_good("#{rhost}:#{rport} JBoss application server!") end
report_note({
:host => target_host,
:proto => 'tcp',
:sname => (ssl ? 'https' : 'http'),
:port => rport,
:type => 'JBoss application server',
:data => "#{rhost}:#{rport}"
})
print_line
print_good("CLIENTS IP ADDRESSES:")
req_src.sort.uniq.each do |e|
print_good("#{e}")
end end
print_line def show_results(target_host)
print_good("SERVER (VHOST) IP ADDRESSES:") print_good("#{rhost}:#{rport} JBoss application server found")
req_dst.sort.uniq.each do |e|
print_good("#{e}")
end
print_line req_table = Rex::Ui::Text::Table.new(
print_good("PATH REQUESTS:") 'Header' => 'JBoss application server requests',
req_path.sort.uniq.each do |e| 'Indent' => 1,
print_good("#{e}") 'Columns' => ['Client', 'Vhost target', 'Request']
)
@requests.each do |r|
req_table << r
report_note({ report_note({
:host => target_host, :host => target_host,
:proto => 'tcp', :proto => 'tcp',
:sname => (ssl ? 'https' : 'http'), :sname => (ssl ? 'https' : 'http'),
:port => rport, :port => rport,
:type => 'JBoss application server info', :type => 'JBoss application server info',
:data => "#{rhost}:#{rport} #{e}" :data => "#{rhost}:#{rport} #{r[2]}"
}) })
end end
end print_line
print_line(req_table.to_s)
end end
end end