Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] jboss-vuln-cve2010-0738.nse
From: Tiago Natel de Moura <tiago4orion () gmail com>
Date: Sat, 16 Jun 2012 07:14:51 -0300

Hi Patrik,

I already knew the script http-method-tamper and I agree with your
opinion to make it more generic. I also liked your idea of putting a
check in the script in a non-intrusive way and exploit the vulnerability
only if the options for reverse shell are present. I can do that and
also add support to exploit using SSL.

About the script:
1 - Ok, I'll modify to use the http headers instead of the product
information. Do you really think a good idea to let this test in action?
This not affect performance of nmap?
2 - Regarding the shell, I think the only safe way to automatically
choose the shell in the script-side is using the nmap version OS
detection (-O). The script already has the "cmd" in the command line if
"-O" is not used. Leave this task to the uploaded java code is also a
good idea.

Thanks for the programming tips, but I usually declare variables at the
beginning because of the influence of ANSI C ;)  I will improve it.

About the sleep, is because after the upload of java, JBoss will deploy
the file in a directory (it will run the steps that are in the variable
in bsh_script) and this can take some seconds depending on server load.

Thanks, I'm glad that the script can be useful.

BugSec Team

On 06/16/2012 05:53 AM, Patrik Karlsson wrote:

Hi Tiago,

This seems to be a very useful script! Thanks for taking the time to
write it!
We do have an existing, more generic, script that checks whether a
resource could be retrieved using different HTTP methods.
It defaults to the jmx-console and first tries a GET and then a HEAD.
The script also provides the possibility to change the path to
something else to test other servers than jboss for the same
vulnerability. The name of the script is http-method-tamper.
I'm not sure what to do here but I suggest the following, but would
like comments from others before we decide how to procede.
- We keep the http-method-tamper as a generic way for testing method
- We extend the http-method-tamper script with spidering capabilities
and remove the connection it has to jboss.
- We add code to this new script that allows to do the check in a less
intrusive manner, in the same way as the http-method-tamper does.
- The check is default unless the reverse_host and revers_port
arguments are given, at which point the script does exploitation

Now for some comments on the script;

I would recommend not doing the product checks in the portrule. The
reason being that those fields are only populated if a version scan
has been run. My guess is that they are fetched from the http headers
and it would therefore be better to perform this check within the
action method. This way the script would always run, regardless if a
version scan was selected or not and you would be able to bail if you
detect it not to be the product you expect in the action method. Also,
I think it might be worth continuing when the product cannot be
determined as this http header could simply have been removed on valid

This also applies for the OS check and determining of the appropriate
shell to use. Is there another way of doing it, that doesn't require
the version scan to be run? Ideally it would be determined from a http
request to the server. An alternative would be allowing the user to
specify the shell in an argument or in some way automatically try
both. I guess the Runtime.getRuntime().exec section of the Java code
could be put in a loop first trying cmd.exe and then /bin/sh and
testing whether an instance was properly created?

I think it would be a good idea to explain either in the comments of
the script, or as part of the result, that there is new code deployed
to the server and where. My reasoning behind this is that if you're
doing a pentest you would most likely want to inform you client of the
change to the app server to give them a chance to clean it up.

In general, you should declare parameters when they're used in favor
of putting them all on top initialized with nil.
Out of curiosity, what purpose does the sleep(5) call have, except for
waiting 5 seconds?

Patrik Karlsson


Tiago Natel de Moura
Consultor de Segurança da Informação
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]