
JBoss Application Server Exploit Modules
From: Patrick Hof <patrick.hof () redteam-pentesting de>
Date: Tue, 15 Jun 2010 15:07:28 +0200

Hi List,

I have done some work on Metasploit's existing JBoss exploit modules and also
wrote a new module.  I hope the work proves to be useful so you can add it to
trunk. The following modules are attached to this mail:

1. jboss_deploymentfilerepository
This module was originally added in rev 9256. It refers to the directory
traversal vuln from CVE-2006-5750, but doesn't really exploit it.  It rather
uses the DeploymentFileRepository MBean to create a new JSP file in the web
console's subdirectory.

I've changed the description to describe the module more accurately and also
changed the way it exploits the JBoss AS. It will now create a new, minimal WAR
with the payload. I also made the HTTP request more robust so it'll work with
multiple JBoss versions. I made a whitepaper available detailing the general
technique and some more information at 


The paper also goes into some detail about exploded WAR deployments and CSRF
possibilities with the JMX Console. There's also a section about Metasploit,
which I'll of course update if my changes get accepted.

2. jboss_bshdeployer
This is a new module which uses the BeanShell Deployer to deploy a WAR file as
described in the paper "Bridging the Gap between the Enterprise and You - or -
Who's the JBoss now?" available at the same URL as above.  Unlike in the paper,
this exploit will use the exploded WAR technique to directly install the JSP
page, without writing a WAR to a temporary directory.

3. jboss_maindeployer
I made the existing module more robust by changing the HTTP requests to be more
generic. I also switched from the WAR-to-EXE approach to use the same JSP
payloads as in the first two modules. This is more of a personal preference, but
I think it is better to upload one of the single JSP file payloads now available
in Metasploit, instead of an executable which gets executed on the host system.
YMMV though, so feel free to discuss if what I did with the module is better or
worse than the old approach.



RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

Attachment: jboss_bshdeployer.rb

Attachment: jboss_maindeployer.rb

Attachment: jboss_deploymentfilerepository.rb

Attachment: _bin
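The three modules above all reach the JBoss AS through the JMX Console, invoking the DeploymentFileRepository, BSHDeployer and MainDeployer MBeans, and the mail also mentions the CSRF angle. The following is an added detection example, written for this archive page and not part of the mail or of Metasploit: it scans constructed web-server access-log lines (assumed Apache/Tomcat "combined" format) and flags JMX Console requests that invoke one of those MBeans, POSTs to the HtmlAdaptor (whose bodies never reach the access log), and JMX Console requests carrying a Referer from another site. The host names in `LOCAL_HOSTS`, the log path `/jmx-console/HtmlAdaptor` and the sample lines are assumptions of the example.

```ruby
# Added example (not from the mail or from Metasploit): scan access-log lines for
# JMX Console requests that touch the deployer MBeans named in the mail.
# Log format, host names and the sample lines are constructed assumptions.
require 'uri'
require 'cgi'

# MBean names used by the three modules; matched as substrings of the decoded "name" parameter.
WATCHED_MBEANS = %w[DeploymentFileRepository BSHDeployer MainDeployer].freeze
JMX_PATH = '/jmx-console/HtmlAdaptor'
# Assumed: host names under which this JBoss instance is legitimately reached.
LOCAL_HOSTS = %w[jboss.example.internal localhost 127.0.0.1].freeze

# Apache/Tomcat "combined" access-log format (assumed).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<target>\S+) \S+" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "[^"]*"\z/

# Split one log line into its fields; nil when the line does not match the format.
def parse_line(line)
  m = LOG_RE.match(line.chomp)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], target: m[:target],
    status: m[:status].to_i, referer: m[:referer] }
end

# Classify one parsed request; returns a symbol naming the finding, or nil when benign.
def suspicious?(req)
  uri = begin
    URI.parse(req[:target])
  rescue URI::InvalidURIError
    return :unparseable_target
  end
  return nil unless uri.path.to_s.start_with?('/jmx-console')

  params = uri.query ? CGI.parse(uri.query) : {}
  action = params.fetch('action', []).join
  name   = params.fetch('name', []).join
  mbean  = WATCHED_MBEANS.find { |mb| name.include?(mb) }

  # GET requests carry their parameters in the query string, so the invoked MBean is visible.
  return :deployer_invoke if action == 'invokeOp' && mbean
  # POST bodies are not written to the access log, so every POST to the HtmlAdaptor is reported.
  return :jmx_post if req[:method] == 'POST' && uri.path == JMX_PATH
  # A Referer from another site on a JMX Console request is the CSRF pattern the mail mentions.
  ref_host = URI.parse(req[:referer]).host rescue nil
  return :foreign_referer if ref_host && !LOCAL_HOSTS.include?(ref_host)
  nil
end

# Run the classifier over a whole log text and collect the findings in order.
def scan_log(text)
  text.each_line.each_with_object([]) do |line, hits|
    req = parse_line(line)
    next unless req
    reason = suspicious?(req)
    next unless reason
    hits << { ip: req[:ip], ts: req[:ts], method: req[:method], target: req[:target], reason: reason }
  end
end

# Constructed sample log: one benign request, then the three patterns described above.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [15/Jun/2010:15:07:28 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.0.0.9 - - [15/Jun/2010:15:08:01 +0200] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
  10.0.0.9 - - [15/Jun/2010:15:08:05 +0200] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1024 "http://jboss.example.internal/jmx-console/" "Mozilla/5.0"
  10.0.0.12 - - [15/Jun/2010:15:09:10 +0200] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer HTTP/1.1" 200 2048 "http://other-site.example.net/lure.html" "Mozilla/5.0"
LOG

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each do |h|
    puts format('%-12s %-6s %-18s %s', h[:ip], h[:method], h[:reason], h[:target])
  end
end
```

Because the HtmlAdaptor accepts the same operations via GET and POST, a rule that only inspects query strings misses the POST path entirely; the example therefore reports every POST to the adaptor and leaves it to the reviewer to correlate with the preceding GETs from the same client. The `jboss.admin:service=DeploymentFileRepository` name in the sample is the MBean the first module talks to; the other two MBean names would be matched the same way.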

