Metasploit mailing list archives
Re: JBoss Application Server Exploit Modules
From: Giorgio Casali <giorgio.casali () gmail com>
Date: Mon, 28 Jun 2010 09:29:12 +0200
Hi Patrick, thanks for your work. I had just the need to use your module 3 days ago, but it unfortunately failed. I have described the reasons in my blog: http://inner-knowledge.blogspot.com/ I hope your new changes to the module will allow you to exploit the JBoss AS even when the conditions are not so standard.

Giorgio.

2010/6/15 Patrick Hof <patrick.hof () redteam-pentesting de>:
Hi List,

I have done some work on Metasploit's existing JBoss exploit modules and also wrote a new module. I hope the work proves to be useful so you can add it to trunk. The following modules are attached to this mail:

1. jboss_deploymentfilerepository
---------------------------------

This module was originally added in rev 9256. It refers to the directory traversal vuln from CVE 2006-5750, but doesn't really exploit it. It rather uses the DeploymentFileRepository MBean to create a new JSP file in the web console's subdirectory. I've changed the description to describe the module more accurately and also changed the way it exploits the JBoss AS. It will now create a new, minimal WAR with the payload. I also made the HTTP request more robust so it'll work with multiple JBoss versions.

I made a whitepaper available detailing the general technique and some more information at http://www.redteam-pentesting.de/publications/jboss

The paper also goes into some detail about exploded WAR deployments and CSRF possibilities with the JMX Console. There's also a section about Metasploit, which I'll of course update if my changes get accepted.

2. jboss_bshdeployer
--------------------

This is a new module which uses the BeanShell Deployer to deploy a WAR file as described in the paper "Bridging the Gap between the Enterprise and You - or - Who's the JBoss now?" available at the same URL as above. Unlike in the paper, this exploit will use the exploded WAR technique to directly install the JSP page, without writing a WAR to a temporary directory.

3. jboss_maindeployer
---------------------

I made the existing module more robust by changing the HTTP requests to be more generic. I also switched from the WAR-to-EXE approach to use the same JSP payloads as in the first two modules. This is more of a personal preference, but I think it is better to upload one of the single JSP file payloads now available in Metasploit, instead of an executable which gets executed on the host system.
YMMV though, so feel free to discuss if what I did with the module is better or worse than the old approach.

Regards,

Patrick

--
RedTeam Pentesting GmbH               Tel.: +49 241 963-1300
Dennewartstr. 25-27                   Fax : +49 241 963-1304
52068 Aachen                          http://www.redteam-pentesting.de/
Germany

Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
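From a defender's side, the three deployer MBeans discussed in the thread leave a recognisable trace in JBoss/Tomcat access logs when they are invoked through the JMX console. The following is an added example, not code from the thread or from the Metasploit modules: a small log scanner that flags those invocations over constructed sample log lines. The `/jmx-console/HtmlAdaptor` path and the MBean object names are assumed to be the standard JBoss AS 4/5 values.

```python
import re
from urllib.parse import parse_qs, urlsplit

# JMX console MBeans that install or deploy code when invoked: the three deployers
# the thread discusses. Object names are assumed to be the standard JBoss AS 4/5 ones.
DEPLOYER_MBEANS = {
    "jboss.admin:service=DeploymentFileRepository": "DeploymentFileRepository writes a file under deploy/",
    "jboss.deployer:service=BSHDeployer": "BSHDeployer runs an uploaded BeanShell script",
    "jboss.system:service=MainDeployer": "MainDeployer deploys an archive fetched from a URL",
}

# Parser for an Apache/Tomcat "combined"-style access log line (constructed, not exhaustive).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, path):
    """Return (severity, reason) for a JMX console deploy request, or None."""
    url = urlsplit(path)
    if not url.path.lower().startswith("/jmx-console/htmladaptor"):
        return None
    query = parse_qs(url.query)  # percent-decodes values, e.g. %3A -> ':'
    action = query.get("action", [""])[0]
    name = query.get("name", [""])[0]
    if action == "invokeOp" and name in DEPLOYER_MBEANS:
        return ("high", DEPLOYER_MBEANS[name])
    if method == "POST":
        # Operations submitted as a POST form keep the MBean name and arguments in
        # the body, which an access log never records, so only the endpoint is visible.
        return ("medium", "POST to HtmlAdaptor: invoked operation not visible in access log")
    return None

def scan(lines):
    """Return (client_ip, status, severity, reason) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        verdict = classify(m["method"], m["path"]) if m else None
        if verdict:
            hits.append((m["ip"], m["status"], verdict[0], verdict[1]))
    return hits

# Constructed sample log lines: one encoded GET invokeOp, one unencoded, one POST, two benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jun/2010:09:10:01 +0200] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository HTTP/1.1" 200 1203',
    '203.0.113.7 - - [28/Jun/2010:09:10:02 +0200] "GET /jmx-console/ HTTP/1.1" 200 48211',
    '198.51.100.4 - - [28/Jun/2010:09:12:40 +0200] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployer:service=BSHDeployer HTTP/1.1" 200 880',
    '198.51.100.4 - - [28/Jun/2010:09:12:41 +0200] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 880',
    '192.0.2.9 - - [28/Jun/2010:09:13:00 +0200] "GET /web-console/ServerInfo.jsp HTTP/1.1" 200 5120',
]
```

Running `scan(SAMPLE_LOG)` flags the two GET invocations as high and the bare POST as medium; the directory listing and the web-console page are left alone.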
Current thread:
- JBoss Application Server Exploit Modules Patrick Hof (Jun 15)
- Re: JBoss Application Server Exploit Modules Tyler Krpata (Jun 15)
- Re: JBoss Application Server Exploit Modules Patrick Hof (Jun 15)
- Re: JBoss Application Server Exploit Modules Tyler Krpata (Jun 25)
- Re: JBoss Application Server Exploit Modules Patrick Hof (Jun 15)
- Re: JBoss Application Server Exploit Modules Giorgio Casali (Jun 28)
- Re: JBoss Application Server Exploit Modules Patrick Hof (Jun 28)
- Re: JBoss Application Server Exploit Modules Giorgio Casali (Jun 28)
- Re: JBoss Application Server Exploit Modules Patrick Hof (Jun 28)
- Re: JBoss Application Server Exploit Modules Tyler Krpata (Jun 15)