Class: Metasploit::Framework::LoginScanner::Glassfish

Inherits:
HTTP
  • Object
show all
Defined in:
lib/metasploit/framework/login_scanner/glassfish.rb

Overview

The Glassfish HTTP LoginScanner class provides methods to do login routines for Glassfish 2, 3 and 4.

Constant Summary collapse

DEFAULT_PORT =
4848
PRIVATE_TYPES =
[ :password ]

Constants inherited from HTTP

HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary collapse

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_success_codes, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary collapse

Instance Attribute Details

#http_passwordObject



28
29
30
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 28

def http_password
  @http_password
end

#http_usernameObject



24
25
26
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 24

def http_username
  @http_username
end

#jsessionString

Returns Cookie session.

Returns:

  • (String)

    Cookie session



21
22
23
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 21

def jsession
  @jsession
end

#versionString

Returns Glassfish version.

Returns:

  • (String)

    Glassfish version



17
18
19
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 17

def version
  @version
end

Instance Method Details

#attempt_login(credential) ⇒ Result

Decides which login routine and returns the results

Parameters:

Returns:



205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 205

def (credential)
  result_opts = { credential: credential }

  begin
    case self.version
    when /^2\.x$/
      status = try_glassfish_2(credential)
      result_opts.merge!(status)
    when /^[34]\./
      status = try_glassfish_3(credential)
      result_opts.merge!(status)
    when /^9\.x$/
      status = try_glassfish_9(credential)
      result_opts.merge!(status)
    end
  rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end

#check_setupObject



31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 31

def check_setup
  begin
    res = send_request({
      'uri' => '/common/index.jsf',
    })
    return "Connection failed" if res.nil?
    if !([200, 302].include?(res.code))
      return "Unexpected HTTP response code #{res.code} (is this really Glassfish?)"
    end

    # If remote login is enabled on 4.x, it redirects to https on the
    # same port.
    if !self.ssl && res.headers['Location'] =~ /^https:/
      self.ssl = true
      res = send_request({
        'uri' => '/common/index.jsf',
        'cgi' => false
      })
      if res.nil?
        return "Connection failed after SSL redirection"
      end
      if res.code != 200
        return "Unexpected HTTP response code #{res.code} after SSL redirection (is this really Glassfish?)"
      end
    end

    res = send_request({
      'uri' => '/login.jsf',
      'cgi' => false
    })
    return "Connection failed" if res.nil?
    extract_version(res.headers['Server'])

    if @version.nil? || @version !~ /^[2349]/
      return "Unsupported version ('#{@version}')"
    end
  rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
    return "Unable to connect to target"
  end

  false
end

#extract_version(banner) ⇒ String?

Extract the target’s glassfish version from the HTTP Server Sun Java System Application Server 9.1header (ex: Sun Java System Application Server 9.x)

Parameters:

  • banner (String)

    ‘Server` header from a Glassfish service response

Returns:

  • (String)

    version string, e.g. ‘2.x’

  • (nil)

    If the banner did not match any of the expected values



234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 234

def extract_version(banner)
  # Set version.  Some GlassFish servers return banner "GlassFish v3".
  if banner =~ /(GlassFish Server|Open Source Edition)[[:blank:]]*(\d\.\d)/
    @version = $2
  elsif banner =~ /GlassFish v(\d)/
    @version = $1
  elsif banner =~ /Sun GlassFish Enterprise Server v2/
    @version = '2.x'
  elsif banner =~ /Sun Java System Application Server 9/
    @version = '9.x'
  else
    @version = nil
  end

  return @version
end

#is_secure_admin_disabled?(res) ⇒ boolean

As of Sep 2014, if Secure Admin is disabled, it simply means the admin isn’t allowed to login remotely. However, the authentication will still run and hint whether the password is correct or not.

Parameters:

Returns:

  • (boolean)

    True if disabled, otherwise false



96
97
98
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 96

def is_secure_admin_disabled?(res)
  return (res.body =~ /Secure Admin must be enabled/i) ? true : false
end

#send_request(opts) ⇒ Rex::Proto::Http::Response

Sends a HTTP request with Rex

Returns:



78
79
80
81
82
83
84
85
86
87
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 78

def send_request(opts)
  res = super(opts)

  # Found a cookie? Set it. We're going to need it.
  if res && res.get_cookies =~ /JSESSIONID=(\w*);/i
    self.jsession = $1
  end

  res
end

#try_glassfish_2(credential) ⇒ Hash

Tries to login to Glassfish version 2

Parameters:

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body



131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 131

def try_glassfish_2(credential)
  res = (credential)
  if res && res.code == 302
    opts = {
      'uri'     => '/applications/upload.jsf',
      'method'  => 'GET',
      'headers' => {
        'Cookie'  => "JSESSIONID=#{self.jsession}"
      },
      'cgi' => false
    }
    res = send_request(opts)
    p = /<title>Deploy Enterprise Applications\/Modules/
    if (res && res.code.to_i == 200 && res.body.match(p) != nil)
      return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
    end
  end

  {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
end

#try_glassfish_3(credential) ⇒ Hash

Tries to login to Glassfish version 3 or 4 (as of now it’s the latest)

Parameters:

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body



174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 174

def try_glassfish_3(credential)
  res = (credential)
  if res && res.code == 302
    opts = {
      'uri'     => '/common/applications/uploadFrame.jsf',
      'method'  => 'GET',
      'headers' => {
        'Cookie'  => "JSESSIONID=#{self.jsession}"
      },
      'cgi' => false
    }
    res = send_request(opts)

    p = /<title>Deploy Applications or Modules/
    if (res && res.code.to_i == 200 && res.body.match(p) != nil)
      return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
    end
  elsif res && is_secure_admin_disabled?(res)
    return {:status => Metasploit::Model::Login::Status::DENIED_ACCESS, :proof => res.body}
  elsif res && res.code == 400
    return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.body}
  end

  {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
end

#try_glassfish_9(credential) ⇒ Hash

Tries to login to Glassfish version 9

Parameters:

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body



159
160
161
162
163
164
165
166
167
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 159

def try_glassfish_9(credential)
  res = (credential)

  if res && res.code.to_i == 302 && res.headers['Location'].to_s !~ /loginError\.jsf$/
    return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
  end

  {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
end

#try_login(credential) ⇒ Rex::Proto::Http::Response

Sends a login request

Parameters:

Returns:



105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 105

def (credential)
  data  = "j_username=#{Rex::Text.uri_encode(credential.public)}&"
  data << "j_password=#{Rex::Text.uri_encode(credential.private)}&"
  data << 'loginButton=Login'

  opts = {
    'uri'     => '/j_security_check',
    'method'  => 'POST',
    'data'    => data,
    'headers' => {
      'Content-Type'   => 'application/x-www-form-urlencoded',
      'Cookie'         => "JSESSIONID=#{self.jsession}",
    },
    'cgi' => false
  }

  send_request(opts)
end