Nmap Development mailing list archives

Re: [NSE] jboss-vuln-cve2010-0738.nse


From: David Fifield <david () bamsoftware com>
Date: Tue, 19 Jun 2012 09:27:40 -0700

On Sat, Jun 16, 2012 at 10:53:51AM +0200, Patrik Karlsson wrote:
> On Sat, Jun 16, 2012 at 5:39 AM, Tiago Natel de Moura <tiago4orion () gmail com> wrote:
>
> > Hi list, this is just a script that I created to exploit CVE-2010-0738
> > in JBoss.
> >
> > description = [[
> > JBoss Enterprise Application Platform is prone to multiple vulnerabilities,
> > including an information-disclosure issue and multiple authentication-bypass
> > issues. An attacker can exploit these issues to bypass certain security
> > restrictions to obtain sensitive information or gain unauthorized access
> > to the application.
> > This script will attempt to exploit one of these vulnerabilities and get a
> > reverse shell on the target machine.
> >
> > This exploit is a rewrite, in NSE, of Kingcope's Perl exploit (daytona_bsh.pl).
> >
> > More information:
> > http://www.exploit-db.com/exploits/16274/
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
> > http://www.securityfocus.com/bid/39710
> > ]]

> Hi Tiago,
>
> This seems to be a very useful script! Thanks for taking the time to write
> it!
> We do have an existing, more generic, script that checks whether a resource
> could be retrieved using different HTTP methods.
> It defaults to the jmx-console and first tries a GET and then a HEAD. The
> script also provides the possibility to change the path to something else
> to test other servers than JBoss for the same vulnerability. The name of
> the script is http-method-tamper.
>
> I'm not sure what to do here, but I suggest the following and would like
> comments from others before we decide how to proceed.
> - We keep http-method-tamper as a generic way of testing method
> tampering.
> - We extend the http-method-tamper script with spidering capabilities and
> remove the connection it has to JBoss.
> - We add code to this new script that allows the check to be done in a less
> intrusive manner, in the same way as http-method-tamper does.
> - The check is the default unless the reverse_host and revers_port arguments
> are given, at which point the script does exploitation.

What needs to change in http-method-tamper in order for it to be able to
detect this vulnerability? It seems to me that it already does, with no
changes. It uses the same /jmx-console path as this exploit script. So
is the only thing different about this new script the addition of
exploit code?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
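The non-intrusive check Patrik describes (a GET first, then a HEAD, against /jmx-console) as an added Python example; this is neither Nmap's http-method-tamper nor Tiago's script, and the two in-memory "servers" are constructed stand-ins whose responses are assumed, not captured from a real JBoss instance.

```python
# Added example: verb-tampering detection as a pure function over a request
# callback, so it can be exercised offline against constructed servers.
from typing import Callable, Optional, Set

Request = Callable[[str, str], int]  # (method, path) -> HTTP status code


def check_method_tamper(send: Request, path: str = "/jmx-console/",
                        verbs=("HEAD",)) -> Optional[str]:
    """Return the first verb that reaches `path` although GET is denied,
    or None when GET is allowed anyway (nothing to bypass) or no alternate
    verb gets through. A plain GET goes first; the other verbs are only
    tried when the resource actually demands authentication, which keeps
    the check read-only and cheap."""
    if send("GET", path) not in (401, 403):
        return None
    for verb in verbs:
        if send(verb, path) == 200:
            return verb
    return None


def make_server(protected_methods: Optional[Set[str]]) -> Request:
    """Constructed stand-in for a jmx-console deployment (assumed behaviour).
    protected_methods=None models a security constraint without per-method
    restrictions, so every verb is challenged. {'GET', 'POST'} models the
    CVE-2010-0738 misconfiguration, where only the listed verbs are
    checked and any other verb is served without authentication."""
    def send(method: str, path: str) -> int:
        if not path.startswith("/jmx-console"):
            return 404
        if protected_methods is None or method in protected_methods:
            return 401  # authentication demanded
        return 200      # constraint not applied to this verb
    return send


vulnerable = make_server({"GET", "POST"})   # bypassable via HEAD
fixed = make_server(None)                   # all verbs challenged
unprotected = make_server(set())            # no auth at all: not a bypass

if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable), ("fixed", fixed),
                      ("unprotected", unprotected)):
        print(name, "->", check_method_tamper(srv))
```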