Class: Metasploit::Framework::LoginScanner::Glassfish

Inherits:
HTTP
  • Object
Defined in:
lib/metasploit/framework/login_scanner/glassfish.rb

Overview

The Glassfish HTTP LoginScanner class provides methods to do login routines for Glassfish 2, 3 and 4.

Constant Summary

DEFAULT_PORT =
4848
PRIVATE_TYPES =
[ :password ]

Constants inherited from HTTP

HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

Instance Attribute Details

#http_password ⇒ Object


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 28

# @return [String, nil] password handed to Rex::Proto::Http::Client by #send_request
#   (together with #http_username); nil when no HTTP-level credentials were configured
def http_password
  @http_password
end

#http_username ⇒ Object


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 24

# @return [String, nil] username handed to Rex::Proto::Http::Client by #send_request
#   (together with #http_password); nil when no HTTP-level credentials were configured
def http_username
  @http_username
end

#jsession ⇒ String

Returns Cookie session.

Returns:

  • (String)

    Cookie session


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 21

# @return [String, nil] JSESSIONID value captured from the most recent response seen by
#   #send_request; it is replayed in the Cookie header of the login POST and of the
#   follow-up console requests. nil until a response carrying the cookie has been seen.
def jsession
  @jsession
end

#version ⇒ String

Returns Glassfish version.

Returns:

  • (String)

    Glassfish version


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 17

# @return [String, nil] Glassfish version as derived by #extract_version from the Server
#   banner: '2.x', '9.x', a bare major such as '3', or 'major.minor' such as '4.0'.
#   nil until #check_setup has run, or when the banner was not recognised.
def version
  @version
end

Instance Method Details

#attempt_login(credential) ⇒ Result

Decides which login routine to use for the detected version and returns the result

Parameters:

Returns:


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 198

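# Decides which login routine to run for the detected Glassfish version and
# wraps the outcome in a Result.
#
# @param credential [Metasploit::Framework::Credential] the pair to try; only
#   #public (username) and #private (password) are read downstream
# @return [Result] built from :credential plus the :status/:proof returned by the
#   version-specific routine. Transport-level failures (EOF, reset, Rex connection
#   error, TLS error, timeout) are reported as UNABLE_TO_CONNECT with the exception
#   object as proof rather than raised.
def attempt_login(credential)
  result_opts = { credential: credential }

  begin
    # #extract_version can yield '2.x'/'9.x', a bare major ('3' from the
    # "GlassFish v3" banner) or 'major.minor' ('4.0'). Anchor only on the major
    # digit so every form that #check_setup accepts (/^[2349]/) actually reaches
    # a login routine; a stricter pattern such as /^[34]\./ silently skips the
    # bare-major form and leaves the Result without a status.
    case self.version
    when /\A2/
      result_opts.merge!(try_glassfish_2(credential))
    when /\A[34]/
      result_opts.merge!(try_glassfish_3(credential))
    when /\A9/
      result_opts.merge!(try_glassfish_9(credential))
    end
  rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end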

#check_setup ⇒ Object


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 31

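# Probes the target before any credential is tried: confirms the admin console
# answers on /common/index.jsf, follows a redirect to https on the same port
# (Glassfish 4.x with remote admin enabled), then reads the Server banner from
# /login.jsf to set #version.
#
# @return [String] a human-readable reason the scan cannot proceed
# @return [false] when the target answers like a Glassfish whose version starts
#   with 2, 3, 4 or 9
def check_setup
  index_uri = '/common/index.jsf'

  res = send_request({ 'uri' => index_uri })
  return "Connection failed" if res.nil?
  unless [200, 302].include?(res.code)
    return "Unexpected HTTP response code #{res.code} (is this really Glassfish?)"
  end

  # If remote login is enabled on 4.x, it redirects to https on the
  # same port. \A rather than ^ so only the start of the header value counts.
  if !self.ssl && res.headers['Location'] =~ /\Ahttps:/
    self.ssl = true
    res = send_request({ 'uri' => index_uri })
    return "Connection failed after SSL redirection" if res.nil?
    if res.code != 200
      return "Unexpected HTTP response code #{res.code} after SSL redirection (is this really Glassfish?)"
    end
  end

  res = send_request({ 'uri' => '/login.jsf' })
  return "Connection failed" if res.nil?
  extract_version(res.headers['Server'])

  return "Unsupported version ('#{@version}')" if @version.nil? || @version !~ /\A[2349]/

  false
rescue ::EOFError, Errno::ECONNRESET, Errno::ETIMEDOUT, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error
  # Same transport failures #attempt_login treats as "unable to connect"; a TLS
  # error is especially likely right after self.ssl is flipped above, and a
  # connection reset should not escape the setup probe as an uncaught exception.
  "Unable to connect to target"
end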

#extract_version(banner) ⇒ String?

Extract the target's Glassfish version from the HTTP Server header (ex: Sun Java System Application Server 9.x)

Parameters:

  • banner (String)

    `Server` header from a Glassfish service response

Returns:

  • (String)

    version string, e.g. '2.x'

  • (nil)

    If the banner did not match any of the expected values


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 227

# Derives the Glassfish version from the HTTP Server banner and stores it in
# @version. The banner is attacker-controlled text; every pattern is pinned to
# a literal product string, and only the digits captured there are kept.
#
# @param banner [String, nil] `Server` header from a Glassfish service response
# @return [String] version string, e.g. '2.x', '9.x', '3' or '4.0'
# @return [nil] when the banner (or a missing header) matched none of the expected values
def extract_version(banner)
  # Some GlassFish servers return only a bare major, e.g. "GlassFish v3".
  @version =
    case banner
    when /(GlassFish Server|Open Source Edition)[[:blank:]]*(\d\.\d)/
      Regexp.last_match(2)
    when /GlassFish v(\d)/
      Regexp.last_match(1)
    when /Sun GlassFish Enterprise Server v2/
      '2.x'
    when /Sun Java System Application Server 9/
      '9.x'
    end

  @version
end

#is_secure_admin_disabled?(res) ⇒ boolean

As of Sep 2014, if Secure Admin is disabled it simply means the admin isn't allowed to log in remotely. However, the authentication still runs and hints whether the password is correct or not.

Parameters:

Returns:

  • (boolean)

    True if disabled, otherwise false


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 92

# A Glassfish with Secure Admin disabled refuses remote admin logins, but the
# refusal page still reveals that authentication ran (see #try_glassfish_3,
# which maps it to DENIED_ACCESS).
#
# @param res [Rex::Proto::Http::Response] response to the login POST; only #body is read
# @return [Boolean] true when the body carries the "Secure Admin must be enabled" notice
def is_secure_admin_disabled?(res)
  !(res.body =~ /Secure Admin must be enabled/i).nil?
end

#send_request(opts) ⇒ Rex::Proto::Http::Response

Sends an HTTP request with Rex

Returns:


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 70

# Sends one raw HTTP request to the target through a fresh Rex client built
# from the scanner's connection settings (host, port, ssl, proxies, optional
# HTTP credentials).
#
# @param opts [Hash] options for Rex::Proto::Http::Client#request_raw
#   ('uri', 'method', 'data', 'headers', ...)
# @return [Rex::Proto::Http::Response, nil] the response, or nil when none came back
def send_request(opts)
  client = Rex::Proto::Http::Client.new(
    host, port,
    { 'Msf' => framework, 'MsfExploit' => framework_module },
    ssl, ssl_version, proxies,
    http_username, http_password
  )
  configure_http_client(client)
  client.connect
  response = client.send_recv(client.request_raw(opts))

  # Keep the JSESSIONID from any response: #try_login and the follow-up
  # console requests replay it in their Cookie header.
  cookie_match = response && /JSESSIONID=(\w*);/i.match(response.get_cookies)
  self.jsession = cookie_match[1] if cookie_match

  response
end

#try_glassfish_2(credential) ⇒ Hash

Tries to log in to Glassfish version 2

Parameters:

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 126

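# Tries to log in to Glassfish version 2. A 302 on the login POST alone is not
# treated as success: the deploy page is then fetched with the session cookie
# and must carry the expected console title.
#
# @param credential [Metasploit::Framework::Credential] credential to try
# @return [Hash] :status [Metasploit::Model::Login::Status] SUCCESSFUL or INCORRECT,
#   :proof [String, nil] the HTTP response body (nil when no response came back)
def try_glassfish_2(credential)
  res = try_login(credential)
  if res && res.code == 302
    opts = {
      'uri'     => '/applications/upload.jsf',
      'method'  => 'GET',
      'headers' => {
        'Cookie'  => "JSESSIONID=#{self.jsession}"
      }
    }
    res = send_request(opts)
    if res && res.code.to_i == 200 && res.body =~ /<title>Deploy Enterprise Applications\/Modules/
      return { status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.body }
    end
  end

  # res is nil when #send_request got no response; guard so this reports
  # INCORRECT instead of raising NoMethodError on nil.body (which
  # #attempt_login does not rescue).
  { status: Metasploit::Model::Login::Status::INCORRECT, proof: res && res.body }
end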

#try_glassfish_3(credential) ⇒ Hash

Tries to log in to Glassfish version 3 or 4 (currently the latest)

Parameters:

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 168

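# Tries to log in to Glassfish version 3 or 4. A 302 on the login POST is
# confirmed by fetching the deploy frame with the session cookie; a response
# carrying the "Secure Admin must be enabled" notice means the credential was
# accepted but remote admin is off (DENIED_ACCESS); a 400 is reported as
# UNABLE_TO_CONNECT.
#
# @param credential [Metasploit::Framework::Credential] credential to try
# @return [Hash] :status [Metasploit::Model::Login::Status] SUCCESSFUL, DENIED_ACCESS,
#   UNABLE_TO_CONNECT or INCORRECT,
#   :proof [String, nil] the HTTP response body (nil when no response came back)
def try_glassfish_3(credential)
  res = try_login(credential)
  if res && res.code == 302
    opts = {
      'uri'     => '/common/applications/uploadFrame.jsf',
      'method'  => 'GET',
      'headers' => {
        'Cookie'  => "JSESSIONID=#{self.jsession}"
      }
    }
    res = send_request(opts)

    if res && res.code.to_i == 200 && res.body =~ /<title>Deploy Applications or Modules/
      return { status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.body }
    end
  elsif res && is_secure_admin_disabled?(res)
    return { status: Metasploit::Model::Login::Status::DENIED_ACCESS, proof: res.body }
  elsif res && res.code == 400
    return { status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: res.body }
  end

  # res is nil when #send_request got no response; guard so this reports
  # INCORRECT instead of raising NoMethodError on nil.body (which
  # #attempt_login does not rescue).
  { status: Metasploit::Model::Login::Status::INCORRECT, proof: res && res.body }
end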

#try_glassfish_9(credential) ⇒ Hash

Tries to log in to Glassfish version 9

Parameters:

Returns:

  • (Hash)
    • :status [Metasploit::Model::Login::Status]

    • :proof [String] the HTTP response body


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 153

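# Tries to log in to Glassfish version 9. Success is a 302 whose Location does
# not point at loginError.jsf; no follow-up console request is made.
#
# @param credential [Metasploit::Framework::Credential] credential to try
# @return [Hash] :status [Metasploit::Model::Login::Status] SUCCESSFUL or INCORRECT,
#   :proof [String, nil] the HTTP response body (nil when no response came back)
def try_glassfish_9(credential)
  res = try_login(credential)

  if res && res.code.to_i == 302 && res.headers['Location'].to_s !~ /loginError\.jsf$/
    return { status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.body }
  end

  # res is nil when #send_request got no response; guard so this reports
  # INCORRECT instead of raising NoMethodError on nil.body (which
  # #attempt_login does not rescue).
  { status: Metasploit::Model::Login::Status::INCORRECT, proof: res && res.body }
end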

#try_login(credential) ⇒ Rex::Proto::Http::Response

Sends a login request

Parameters:

Returns:


# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 101

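# Sends the form login POST to /j_security_check, replaying the JSESSIONID
# captured by #send_request.
#
# @param credential [Metasploit::Framework::Credential] credential to try; #public is
#   sent as j_username and #private as j_password, both URI-encoded into the form body
# @return [Rex::Proto::Http::Response, nil] the raw response (nil when none came back)
def try_login(credential)
  form = [
    "j_username=#{Rex::Text.uri_encode(credential.public)}",
    "j_password=#{Rex::Text.uri_encode(credential.private)}",
    'loginButton=Login'
  ].join('&')

  opts = {
    'uri'     => '/j_security_check',
    'method'  => 'POST',
    'data'    => form,
    'headers' => {
      'Content-Type' => 'application/x-www-form-urlencoded',
      'Cookie'       => "JSESSIONID=#{self.jsession}"
    }
  }

  send_request(opts)
end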