Metasploit mailing list archives

Issues with jboss_bshdeployer.rb


From: Konrads Smelkovs <konrads.smelkovs () gmail com>
Date: Sat, 4 Dec 2010 20:31:10 +0200

Hello,


I have uncovered a few issues with jboss_bshdeployer.rb :

Issue 1 - &name=jboss.deployer:service=BSHDeployer is incorrect for JBoss
3.2.6; it should say jboss.scripts:service=BSHDeployer. I believe this should
be version specific (I think that version 4+ would work as-is, while 3.2
has to be modified as above).

Issue 2 - I believe that the list of compatible payloads is wrong:

msf > use exploit/multi/http/jboss_bshdeployer
msf exploit(jboss_bshdeployer) > set PAYLOAD  *[TAB]*
set PAYLOAD generic/shell_bind_tcp
set PAYLOAD generic/shell_reverse_tcp
set PAYLOAD java/jsp_shell_bind_tcp
set PAYLOAD java/jsp_shell_reverse_tcp
msf exploit(jboss_bshdeployer) > set PAYLOAD


From where I stand, I don't understand how generic/shell_* could work: the
beanshell dropper creates a jsp file; it does not execute another binary. Unless
the dropper is altered to execute a bit of code, only jsp_* should be
compatible.

Which brings me to point 2.1 - the platform for this exploit isn't win/linux
but j2ee, and here's why: the exploit works by executing a jsp file, which is
agnostic of the underlying OS. It is up to the payloads to either be specific to
an OS or not (e.g. execute some java code). That's why specifying the SHELL
variable in the exploit module is wrong - it is up to the payload to do
something about it.

Issue 3 - if VERB=HEAD is used, the platform autodetect heuristics don't work
and should not be attempted. However, version heuristics _might_ work, as
JBoss by default specifies its version in headers.

I would like to hear the community's opinion before submitting a patch.

--
Konrads Smelkovs
Applied IT sorcery.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
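The three points raised in the message above (a version-specific BSHDeployer MBean name, header-based version detection, and skipping body-based platform detection when the probe verb is HEAD) can be sketched as stand-alone Ruby. This is an added example, not code from the jboss_bshdeployer module or from the poster; the sample X-Powered-By header values are constructed, the helper names are made up for illustration, and the split at major version 4 simply follows the claim in the post rather than a check of every JBoss release.

```ruby
require 'cgi'

# Pull a JBoss version out of response headers. JBoss AS advertises itself in
# X-Powered-By (roughly "Servlet 2.4; JBoss-4.x.y ... /Tomcat-5.5"); a HEAD
# request still returns headers, so this works even with VERB=HEAD.
def jboss_version_from_headers(headers)
  value = headers['X-Powered-By'] || headers['x-powered-by']
  return nil unless value
  m = value.match(/JBoss-(\d+)\.(\d+)\.?(\d*)/i)
  return nil unless m
  [m[1].to_i, m[2].to_i, m[3].empty? ? 0 : m[3].to_i]
end

# Choose the MBean object name for the BeanShell deployer. The split at
# major version 4 is an assumption taken from the post (3.2.x uses
# jboss.scripts:service=BSHDeployer); it is not verified against every release.
# With no version information we fall back to the 4+ name the module uses today.
def bshdeployer_mbean_name(version)
  major = version ? version[0] : nil
  if major && major < 4
    'jboss.scripts:service=BSHDeployer'
  else
    'jboss.deployer:service=BSHDeployer'
  end
end

# Decide which autodetection steps a given probe verb allows. A HEAD response
# carries no body, so anything that needs page content (the platform guess)
# must be skipped; header-based version detection is still possible.
def detection_plan(verb)
  head = verb.to_s.upcase == 'HEAD'
  { version_from_headers: true, platform_from_body: !head }
end

# Build the only part of the JMX console invoke query the post discusses: the
# version-specific MBean name. Operation name and arguments are out of scope.
def invoke_query(version)
  "name=#{CGI.escape(bshdeployer_mbean_name(version))}"
end

# Constructed sample headers (not captured from real servers).
SAMPLE_326 = { 'X-Powered-By' => 'Servlet 2.3; JBoss-3.2.6/Tomcat-5.0' }
SAMPLE_423 = { 'X-Powered-By' => 'Servlet 2.4; JBoss-4.2.3.GA/JBossWeb-2.0' }

if __FILE__ == $0
  [SAMPLE_326, SAMPLE_423].each do |hdrs|
    v = jboss_version_from_headers(hdrs)
    puts "#{v.join('.')} -> #{invoke_query(v)}"
  end
  puts detection_plan('HEAD').inspect
end
```

The version parser deliberately returns nil rather than guessing when the header is absent or unfamiliar, so the caller can fall back to the current 4+ MBean name and let the request fail loudly instead of silently targeting the wrong object name.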
