Metasploit mailing list archives
Issues with jboss_bshdeployer.rb
From: Konrads Smelkovs <konrads.smelkovs () gmail com>
Date: Sat, 4 Dec 2010 20:31:10 +0200
Hello, I have uncovered a few issues with jboss_bshdeployer.rb:

Issue 1 - &name=jboss.deployer:service=BSHDeployer is incorrect for JBoss 3.2.6; it should say jboss.scripts:service=BSHDeployer. I believe this should be version specific (I think that version 4+ would work as-is, while 3.2 has to be modified as above).

Issue 2 - I believe that the list of compatible payloads is wrong:

    msf > use exploit/multi/http/jboss_bshdeployer
    msf exploit(jboss_bshdeployer) > set PAYLOAD *[TAB]*
    set PAYLOAD generic/shell_bind_tcp
    set PAYLOAD generic/shell_reverse_tcp
    set PAYLOAD java/jsp_shell_bind_tcp
    set PAYLOAD java/jsp_shell_reverse_tcp
    msf exploit(jboss_bshdeployer) > set PAYLOAD
From where I stand, I don't understand how generic/shell_* could work: the beanshell dropper creates a jsp file, it does not execute another binary. Unless the dropper is altered to execute a code bit, only jsp_* should be compatible.

Which brings me to point 2.1 - the platform for this exploit isn't win/linux, but j2ee, and here's why: the exploit works by executing a jsp file, which is underlying-OS agnostic. It is up to the payloads to either be specific for an OS or not (e.g. execute some java code). That's why specifying the SHELL variable in the exploit module is wrong - it is up to the payload to do something about it.

Issue 3 - if VERB=HEAD is used, platform autodetect heuristics don't work and should not be attempted. However, version heuristics _might_ work as JBoss by default specifies its version in headers.

I would like to hear the community's opinion before submitting a patch.

--
Konrads Smelkovs
Applied IT sorcery.
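As an added example (not from the thread and not part of the Metasploit module), a small Python check a defender could run over web server access logs to spot requests that address either BSHDeployer MBean name discussed above, recording which HTTP verb was used. The Common Log Format layout, the /jmx-console/ path and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two MBean names named in the thread: JBoss 3.2.x uses the first, 4+ the second.
BSH_DEPLOYER_MBEANS = {
    "jboss.scripts:service=BSHDeployer",
    "jboss.deployer:service=BSHDeployer",
}

# Common Log Format, e.g. 'ip - - [date] "VERB target HTTP/1.1" status size' (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<verb>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

def inspect_request(verb, target):
    """Return a hit dict if the request names a BSHDeployer MBean via the JMX console, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/jmx-console/"):  # assumption: default JMX console path
        return None
    # parse_qs percent-decodes values, so "%3A" / "%3D" in the log become ":" / "=".
    for name in parse_qs(parts.query).get("name", []):
        if name in BSH_DEPLOYER_MBEANS:
            return {"mbean": name, "verb": verb}
    return None

def scan_log(lines):
    """Scan access log lines and return one hit per request that addresses a BSHDeployer MBean."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than silently misclassify
        hit = inspect_request(m.group("verb"), m.group("target"))
        if hit:
            hit["ip"] = m.group("ip")
            hits.append(hit)
    return hits

# Constructed sample log lines: one benign page load, one 3.2-style and one 4+-style MBean request.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Dec/2010:20:31:10 +0200] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - [04/Dec/2010:20:31:11 +0200] "GET /jmx-console/HtmlAdaptor?name=jboss.scripts%3Aservice%3DBSHDeployer HTTP/1.1" 200 5123',
    '192.0.2.11 - - [04/Dec/2010:20:31:12 +0200] "HEAD /jmx-console/HtmlAdaptor?name=jboss.deployer%3Aservice%3DBSHDeployer HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Parameters carried in a POST body are not recorded in a standard access log, so this check only sees MBean names passed in the query string; body inspection needs a proxy or application-level log.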
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework