Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] jboss-vuln-cve2010-0738.nse
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 16 Jun 2012 12:51:11 +0200

On Sat, Jun 16, 2012 at 12:14 PM, Tiago Natel de Moura <
tiago4orion () gmail com> wrote:

 Hi Patrik,

I already knew the script http-method-tamper and I agree with your opinion
to make it more generic. I also liked your idea of putting a check in the
script in a non-intrusive way and exploit the vulnerability only if the
options for reverse shell are present. I can do that and also add support
to exploit using SSL.


Let's see if we get any more comments about how to proceed with this. I can
take upon myself to alter the old script unless someone else would like to
do it, once we get a decision.



About the script:
1 - Ok, I'll modify to use the http headers instead of the product
information. Do you really think a good idea to let this test in action?
This not affect performance of nmap?


I rather check in the action method and avoid having to run a version scan
every time. If we eg. do the non-intrusive check everytime, even for the
exploit scenario, the headers should be available there and allow you to
bail if they do not match.


2 - Regarding the shell, I think the only safe way to automatically choose
the shell in the script-side is using the nmap version OS detection (-O).
The script already has the "cmd" in the command line if "-O" is not used.
Leave this task to the uploaded java code is also a good idea.


This code seems to work well for me;

 public static Process getShell() {

    String[] cmds = {"cmd.exe", "/bin/sh"};

     for ( String cmd : cmds ) {

        try {

            return Runtime.getRuntime().exec(cmd);

        }

        catch(IOException e) { }

    }

    return null;

}



Thanks for the programming tips, but I usually declare variables at the
beginning because of the influence of ANSI C ;)  I will improve it.

Yes, it's a common "mistake" :)



About the sleep, is because after the upload of java, JBoss will deploy
the file in a directory (it will run the steps that are in the variable in
bsh_script) and this can take some seconds depending on server load.


OK, thanks for the clarification.



Thanks, I'm glad that the script can be useful.


There's no doubt about that.


Thanks,
Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]