Metasploit mailing list archives

Re: JBoss Application Server Exploit Modules
From: Tyler Krpata <krpatasec () gmail com>
Date: Tue, 15 Jun 2010 16:10:55 -0400

Good stuff! To jump on the bandwagon, attached is a scanner that I was
working on that is a good smoke test for some of these vulns on a
JBoss instance. One thing it doesn't currently do is see if the RMI
port is open, which I will get around to adding.

On Tue, Jun 15, 2010 at 9:07 AM, Patrick Hof
<patrick.hof () redteam-pentesting de> wrote:
Hi List,

I have done some work on Metasploit's existing JBoss exploit modules and also
wrote a new module.  I hope the work proves to be useful so you can add it to
trunk. The following modules are attached to this mail:

1. jboss_deploymentfilerepository
---------------------------------
This module was originally added in rev 9256. It refers to the directory
traversal vuln from CVE 2006-5750, but doesn't really exploit it.  It rather
uses the DeploymentFileRepository MBean to create a new JSP file in the web
console's subdirectory.

I've changed the description to describe the module more accurately and also
changed the way it exploits the JBoss AS. It will now create a new, minimal WAR
with the payload. I also made the HTTP request more robust so it'll work with
multiple JBoss versions. I made a whitepaper available detailing the general
technique and some more information at

http://www.redteam-pentesting.de/publications/jboss

The paper also goes into some detail about exploded WAR deployments and CSRF
possibilities with the JMX Console. There's also a section about Metasploit,
which I'll of course update if my changes get accepted.


2. jboss_bshdeployer
--------------------
This is a new module which uses the BeanShell Deployer to deploy a WAR file as
described in the paper "Bridging the Gap between the Enterprise and You - or -
Who's the JBoss now?" available at the same URL as above.  Unlike in the paper,
this exploit will use the exploded WAR technique to directly install the JSP
page, without writing a WAR to a temporary directory.


3. jboss_maindeployer
---------------------
I made the existing module more robust by changing the HTTP requests to be more
generic. I also switched from the WAR-to-EXE approach to use the same JSP
payloads as in the first two modules. This is more of a personal preference, but
I think it is better to upload one of the single JSP file payloads now available
in Metasploit, instead of an executable which gets executed on the host system.
YMMV though, so feel free to discuss if what I did with the module is better or
worse than the old approach.


Regards,

Patrick

--
RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


Attachment: jboss.rb
Description:
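
A defender-side check for the deployment paths discussed in this thread, as an added example that is not part of the original posts or of the attached jboss.rb: it scans HTTP access-log lines for JMX Console requests and for references to the three deployer MBeans. The `/jmx-console` prefix, the `BSHDeployer` service name, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Deployer MBeans discussed in the thread, matched as substrings of the
# decoded request target ("BSHDeployer" is the assumed service name of the
# BeanShell Deployer).
DEPLOYER_MBEANS = ("DeploymentFileRepository", "BSHDeployer", "MainDeployer")
CONSOLE_PREFIX = "/jmx-console"  # assumed default JMX Console mount point

# Combined access-log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def classify(line):
    """Return a finding dict for a JMX Console request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so double-encoded targets are compared in clear text.
    target = unquote_plus(unquote_plus(m["target"])).lower()
    if CONSOLE_PREFIX not in target:
        return None
    mbeans = [n for n in DEPLOYER_MBEANS if n.lower() in target]
    if mbeans:
        kind = "deployer-mbean"
    elif m["method"] == "POST":
        kind = "console-post"  # body is not logged, so the MBean is unknown
    else:
        kind = "console-access"
    return {"src": m["src"], "kind": kind, "mbeans": mbeans,
            # Served without a logged user: the console is not access-controlled.
            "unauthenticated": m["user"] == "-" and m["status"].startswith("2")}

def scan(lines):
    """Classify every line and keep only the JMX Console findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2010:16:10:55 -0400] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin%3Aservice%3DDeploymentFileRepository HTTP/1.1" 200 5120',
    '192.0.2.10 - - [15/Jun/2010:16:11:02 -0400] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 2048',
    '198.51.100.7 - admin [15/Jun/2010:16:12:00 -0400] "GET /jmx-console/ HTTP/1.1" 200 9000',
    '203.0.113.5 - - [15/Jun/2010:16:13:00 -0400] "GET /index.html HTTP/1.1" 200 300',
    '203.0.113.5 - - [15/Jun/2010:16:13:30 -0400] "HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs do not record POST bodies, so a `console-post` finding needs follow-up in application or deployment logs to learn which MBean was invoked.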

