Home page logo

metasploit logo Metasploit mailing list archives

Re: JBoss Application Server Exploit Modules
From: Giorgio Casali <giorgio.casali () gmail com>
Date: Mon, 28 Jun 2010 09:29:12 +0200

Hi Patrick thanks for your work.
I had just the need to use your module 3 days ago but it unfortunately  failed.
I have described the reasons in my blog:


I hope your new changes to the module will allow you to exploit the
JBoss AS even when the conditions are not so standard.


2010/6/15 Patrick Hof <patrick.hof () redteam-pentesting de>:
Hi List,

I have done some work on Metasploit's existing JBoss exploit modules and also
wrote a new module.  I hope the work proves to be useful so you can add it to
trunk. The following modules are attached to this mail:

1. jboss_deploymentfilerepository
This module was originally added in rev 9256. It refers to the directory
traversal vuln from CVE 2006-5750, but doesn't really exploit it.  It rather
uses the DeploymentFileRepository MBean to create a new JSP file in the web
console's subdirectory.

I've changed the description to describe the module more accurately and also
changed the way it exploits the JBoss AS. It will now create a new, minimal WAR
with the payload. I also made the HTTP request more robust so it'll work with
multiple JBoss versions. I made a whitepaper available detailing the general
technique and some more information at


The paper also goes into some detail about exploded WAR deployments and CSRF
possibilities with the JMX Console. There's also a section about Metasploit,
which I'll of course update if my changes get accepted.

2. jboss_bshdeployer
This is a new module which uses the BeanShell Deployer to deploy a WAR file as
described in the paper "Bridging the Gap between the Enterprise and You - or -
Who's the JBoss now?" available at the same URL as above.  Unlike in the paper,
this exploit will use the exploded WAR technique to directly install the JSP
page, without writing a WAR to a temporary directory.

3. jboss_maindeployer
I made the existing module more robust by changing the HTTP requests to be more
generic. I also switched from the WAR-to-EXE approach to use the same JSP
payloads as in the first two modules. This is more of a personal preference, but
I think it is better to upload one of the single JSP file payloads now available
in Metasploit, instead of an executable which gets executed on the host system.
YMMV though, so feel free to discuss if what I did with the module is better or
worse than the old approach.



RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]