Metasploit mailing list archives
Re: JBoss Application Server Exploit Modules
From: Giorgio Casali <giorgio.casali () gmail com>
Date: Tue, 29 Jun 2010 00:09:50 +0200
Hi,

It was a very inspiring article, thanks for sharing.

Regards,
Giorgio

2010/6/28 Patrick Hof <patrick.hof () redteam-pentesting de>:
> Hi,
>
> Giorgio Casali <giorgio.casali () gmail com> wrote:
> > Hi Patrick, thanks for your work. I had just the need to use your module 3
> > days ago but it unfortunately failed. I have described the reasons in my
> > blog: http://inner-knowledge.blogspot.com/
> > I hope your new changes to the module will allow you to exploit the JBoss
> > AS even when the conditions are not so standard.
>
> you're right in what you write in your blog post, it can be necessary
> sometimes to do some additional work until the JBoss exploits work, like
> in your case adding the path to the DeploymentScanner. Unfortunately,
> adding all these little "non-standard" things is quite difficult to
> achieve for a generic exploit module. Normally, if you find a JBoss AS
> with an open JMX Console, it is in its default configuration, so I guess
> most of the time the module should work as expected.
>
> I think this shows that as a Pentester, you can't just rely on some
> tool. As you demonstrate in your blog post, it's necessary to really
> understand the details of an exploit so you can adapt it where needed. I
> hope the papers helped in gaining that knowledge.
>
> Regards,
>
> Patrick
>
> --
> RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
> Dennewartstr. 25-27                        Fax : +49 241 963-1304
> 52068 Aachen                    http://www.redteam-pentesting.de/
> Germany                            Register court: Aachen HRB 14004
> Managing directors: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework