Metasploit mailing list archives

Re: JBoss Application Server Exploit Modules
From: Tyler Krpata <krpatasec () gmail com>
Date: Fri, 25 Jun 2010 18:01:24 -0400

Not sure if there's a "right way" to submit updates to modules...
sorry if I missed it. Here's an update to jboss_scanner.rb that looks
for the URLs Patrick mentioned, and also checks for TCP ports
1098, 1099, and 4444 for RMI.

On Tue, Jun 15, 2010 at 5:07 PM, Patrick Hof
<patrick.hof () redteam-pentesting de> wrote:
> Hi,
>
> Tyler Krpata <krpatasec () gmail com> wrote:
>> Good stuff! To jump on the bandwagon, attached is a scanner that I was
>> working on that is a good smoke test for some of these vulns on a
>> JBoss instance. One thing it doesn't currently do is see if the RMI
>> port is open, which I will get around to adding.
>
> I was getting started to write such a scanner myself, it's great that there's
> already someone who did the work :). I suggest you add the following URLs to the
> checks:
>
> /web-console/Invoker
> /invoker/JMXInvokerServlet
>
> If one of those returns a Java serialized object, you can send arbitrary JMX
> commands to the JBoss AS and therefore exploit it. See the older whitepaper
> "Bridging the Gap between the Enterprise and You" on
> http://www.redteam-pentesting.de/publications/jboss for an explanation.
>
>
> Regards,
>
> Patrick
>
> --
> RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
> Dennewartstr. 25-27                        Fax : +49 241 963-1304
> 52068 Aachen                    http://www.redteam-pentesting.de/
> Germany                         Registergericht: Aachen HRB 14004
> Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework


Attachment: jboss_scanner.rb
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
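
Added example (not part of the thread and not the attached jboss_scanner.rb): a Ruby audit helper for a JBoss host you administer. It requests the two invoker URLs named above, flags a response that begins with the Java serialization stream header, and checks the three RMI ports. The helper names, the status labels and the default HTTP port 8080 are assumptions.

```ruby
require 'net/http'
require 'socket'

# URLs and RMI ports named in the thread above.
INVOKER_PATHS = ['/web-console/Invoker', '/invoker/JMXInvokerServlet'].freeze
RMI_PORTS     = [1098, 1099, 4444].freeze

# Every Java object stream starts with STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
JAVA_STREAM_HEADER = "\xAC\xED\x00\x05".b.freeze

def java_serialized?(body)
  body.to_s.b.start_with?(JAVA_STREAM_HEADER)
end

# Classify one HTTP response from an invoker URL (labels are hypothetical).
def classify_invoker(status, body)
  return :exposed       if java_serialized?(body)   # unauthenticated invoker answered
  return :auth_required if [401, 403].include?(status)
  return :absent        if status == 404
  :inconclusive
end

# TCP connect check with a timeout; any connect failure counts as closed.
def port_open?(host, port, timeout = 3)
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue SystemCallError, SocketError, IOError
  false
end

# Audit one host; http_port 8080 is an assumed default, adjust to your deployment.
def audit_jboss(host, http_port = 8080)
  report = { invokers: {}, rmi_ports: {} }
  INVOKER_PATHS.each do |path|
    report[:invokers][path] =
      begin
        http = Net::HTTP.new(host, http_port)
        http.open_timeout = http.read_timeout = 5
        res = http.get(path)
        classify_invoker(res.code.to_i, res.body)
      rescue StandardError
        :unreachable
      end
  end
  RMI_PORTS.each { |port| report[:rmi_ports][port] = port_open?(host, port) }
  report
end
```

After hardening, `audit_jboss` should report no `:exposed` invoker and no RMI port reachable from untrusted networks.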
