Re: JBoss Application Server Exploit Modules

[Tyler Krpata <krpatasec () gmail com>]

Not sure if there's a "right way" to submit updates to modules...
sorry if I missed it. Here's an update to jboss_scanner.rb that looks
for the URLs Patrick mentioned, and also checks for TCP ports
1098,1099,and 4444 for RMI.

On Tue, Jun 15, 2010 at 5:07 PM, Patrick Hof
<patrick.hof () redteam-pentesting de> wrote:
> Hi,
>
> Tyler Krpata <krpatasec () gmail com> wrote:
> > Good stuff! To jump on the bandwagon, attached is a scanner that I was
> > working on that is a good smoke test for some of these vulns on a
> > JBoss instance. One thing it doesn't currently do is see if the RMI
> > port is open, which I will get around to adding.
>
> I was getting started to write such a scanner myself, it's great that there's
> already someone who did the work :). I suggest you add the following URLs to the
> checks:
>
> /web-console/Invoker
> /invoker/JMXInvokerServlet
>
> If one of those returns a Java serialized object, you can send arbitrary JMX
> commands to the JBoss AS and therefore exploit it. See the older whitepaper
> "Bridging the Gap between the Enterprise and You" on
> http://www.redteam-pentesting.de/publications/jboss for an explanation.
>
>
> Regards,
>
> Patrick
>
> --
> RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
> Dennewartstr. 25-27                        Fax : +49 241 963-1304
> 52068 Aachen                    http://www.redteam-pentesting.de/
> Germany                         Registergericht: Aachen HRB 14004
> Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework

Attachment: jboss_scanner.rb
Description:

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework