Re: JBoss Application Server Exploit Modules

[Giorgio Casali <giorgio.casali () gmail com>]

Hi Patrick thanks for your work.
I had just the need to use your module 3 days ago but it unfortunately  failed.
I have described the reasons in my blog:

http://inner-knowledge.blogspot.com/

I hope your new changes to the module will allow you to exploit the
JBoss AS even when the conditions are not so standard.

Giorgio.




2010/6/15 Patrick Hof <patrick.hof () redteam-pentesting de>:
> Hi List,
>
> I have done some work on Metasploit's existing JBoss exploit modules and also
> wrote a new module.  I hope the work proves to be useful so you can add it to
> trunk. The following modules are attached to this mail:
>
> 1. jboss_deploymentfilerepository
> ---------------------------------
> This module was originally added in rev 9256. It refers to the directory
> traversal vuln from CVE 2006-5750, but doesn't really exploit it.  It rather
> uses the DeploymentFileRepository MBean to create a new JSP file in the web
> console's subdirectory.
>
> I've changed the description to describe the module more accurately and also
> changed the way it exploits the JBoss AS. It will now create a new, minimal WAR
> with the payload. I also made the HTTP request more robust so it'll work with
> multiple JBoss versions. I made a whitepaper available detailing the general
> technique and some more information at
>
> http://www.redteam-pentesting.de/publications/jboss
>
> The paper also goes into some detail about exploded WAR deployments and CSRF
> possibilities with the JMX Console. There's also a section about Metasploit,
> which I'll of course update if my changes get accepted.
>
>
> 2. jboss_bshdeployer
> --------------------
> This is a new module which uses the BeanShell Deployer to deploy a WAR file as
> described in the paper "Bridging the Gap between the Enterprise and You - or -
> Who's the JBoss now?" available at the same URL as above.  Unlike in the paper,
> this exploit will use the exploded WAR technique to directly install the JSP
> page, without writing a WAR to a temporary directory.
>
>
> 3. jboss_maindeployer
> ---------------------
> I made the existing module more robust by changing the HTTP requests to be more
> generic. I also switched from the WAR-to-EXE approach to use the same JSP
> payloads as in the first two modules. This is more of a personal preference, but
> I think it is better to upload one of the single JSP file payloads now available
> in Metasploit, instead of an executable which gets executed on the host system.
> YMMV though, so feel free to discuss if what I did with the module is better or
> worse than the old approach.
>
>
> Regards,
>
> Patrick
>
> --
> RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
> Dennewartstr. 25-27                        Fax : +49 241 963-1304
> 52068 Aachen                    http://www.redteam-pentesting.de/
> Germany                         Registergericht: Aachen HRB 14004
> Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework