Class: Metasploit::Framework::LoginScanner::Glassfish

Inherits:

HTTP

• Object
• HTTP
• Metasploit::Framework::LoginScanner::Glassfish

Defined in:

lib/metasploit/framework/login_scanner/glassfish.rb

Overview

The Glassfish HTTP LoginScanner class provides methods to do login routines for Glassfish 2, 3 and 4.

Constant Summary

DEFAULT_PORT =

4848

PRIVATE_TYPES =

[ :password ]

Constants inherited from HTTP

HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

• #http_password ⇒ Object
• #http_username ⇒ Object
• #jsession ⇒ String

  Cookie session.

• #version ⇒ String

  Glassfish version.

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_success_codes, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Decides which login routine and returns the results.

• #check_setup ⇒ Object
• #extract_version(banner) ⇒ String^?

  Extract the target’s glassfish version from the HTTP Server Sun Java System Application Server 9.1header (ex: Sun Java System Application Server 9.x).

• #is_secure_admin_disabled?(res) ⇒ boolean

  As of Sep 2014, if Secure Admin is disabled, it simply means the admin isn’t allowed to login remotely.

• #send_request(opts) ⇒ Rex::Proto::Http::Response

  Sends a HTTP request with Rex.

• #try_glassfish_2(credential) ⇒ Hash

  Tries to login to Glassfish version 2.

• #try_glassfish_3(credential) ⇒ Hash

  Tries to login to Glassfish version 3 or 4 (as of now it’s the latest).

• #try_glassfish_9(credential) ⇒ Hash

  Tries to login to Glassfish version 9.

• #try_login(credential) ⇒ Rex::Proto::Http::Response

  Sends a login request.

Methods inherited from HTTP

#authentication_required?

Instance Attribute Details

#http_password ⇒ Object

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 28

def http_password
  @http_password
end

#http_username ⇒ Object

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 24

def http_username
  @http_username
end

#jsession ⇒ String

Returns Cookie session.

Returns:

• (String) —

  Cookie session

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 21

def jsession
  @jsession
end

#version ⇒ String

Returns Glassfish version.

Returns:

• (String) —

  Glassfish version

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 17

def version
  @version
end

Instance Method Details

#attempt_login(credential) ⇒ Result

Decides which login routine and returns the results

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Result)

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 205

def attempt_login(credential)
  result_opts = { credential: credential }

  begin
    case self.version
    when /^2\.x$/
      status = try_glassfish_2(credential)
      result_opts.merge!(status)
    when /^[34]\./
      status = try_glassfish_3(credential)
      result_opts.merge!(status)
    when /^9\.x$/
      status = try_glassfish_9(credential)
      result_opts.merge!(status)
    end
  rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end

#check_setup ⇒ Object

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 31

def check_setup
  begin
    res = send_request({
      'uri' => '/common/index.jsf',
    })
    return "Connection failed" if res.nil?
    if !([200, 302].include?(res.code))
      return "Unexpected HTTP response code #{res.code} (is this really Glassfish?)"
    end

    # If remote login is enabled on 4.x, it redirects to https on the
    # same port.
    if !self.ssl && res.headers['Location'] =~ /^https:/
      self.ssl = true
      res = send_request({
        'uri' => '/common/index.jsf',
        'cgi' => false
      })
      if res.nil?
        return "Connection failed after SSL redirection"
      end
      if res.code != 200
        return "Unexpected HTTP response code #{res.code} after SSL redirection (is this really Glassfish?)"
      end
    end

    res = send_request({
      'uri' => '/login.jsf',
      'cgi' => false
    })
    return "Connection failed" if res.nil?
    extract_version(res.headers['Server'])

    if @version.nil? || @version !~ /^[2349]/
      return "Unsupported version ('#{@version}')"
    end
  rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
    return "Unable to connect to target"
  end

  false
end

#extract_version(banner) ⇒ String^?

Extract the target’s glassfish version from the HTTP Server Sun Java System Application Server 9.1header (ex: Sun Java System Application Server 9.x)

Parameters:

• banner (String) —

  ‘Server` header from a Glassfish service response

Returns:

• (String) —

  version string, e.g. ‘2.x’

• (nil) —

  If the banner did not match any of the expected values

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 234

def extract_version(banner)
  # Set version.  Some GlassFish servers return banner "GlassFish v3".
  if banner =~ /(GlassFish Server|Open Source Edition)[[:blank:]]*(\d\.\d)/
    @version = $2
  elsif banner =~ /GlassFish v(\d)/
    @version = $1
  elsif banner =~ /Sun GlassFish Enterprise Server v2/
    @version = '2.x'
  elsif banner =~ /Sun Java System Application Server 9/
    @version = '9.x'
  else
    @version = nil
  end

  return @version
end

#is_secure_admin_disabled?(res) ⇒ boolean

As of Sep 2014, if Secure Admin is disabled, it simply means the admin isn’t allowed to login remotely. However, the authentication will still run and hint whether the password is correct or not.

Parameters:

• res (Rex::Proto::Http::Response) —

  The HTTP auth response

Returns:

• (boolean) —

  True if disabled, otherwise false

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 96

def is_secure_admin_disabled?(res)
  return (res.body =~ /Secure Admin must be enabled/i) ? true : false
end

#send_request(opts) ⇒ Rex::Proto::Http::Response

Sends a HTTP request with Rex

Returns:

• (Rex::Proto::Http::Response) —

  The HTTP response

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 78

def send_request(opts)
  res = super(opts)

  # Found a cookie? Set it. We're going to need it.
  if res && res.get_cookies =~ /JSESSIONID=(\w*);/i
    self.jsession = $1
  end

  res
end

#try_glassfish_2(credential) ⇒ Hash

Tries to login to Glassfish version 2

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Hash) —

  • :status [Metasploit::Model::Login::Status]

  • :proof [String] the HTTP response body

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 131

def try_glassfish_2(credential)
  res = try_login(credential)
  if res && res.code == 302
    opts = {
      'uri'     => '/applications/upload.jsf',
      'method'  => 'GET',
      'headers' => {
        'Cookie'  => "JSESSIONID=#{self.jsession}"
      },
      'cgi' => false
    }
    res = send_request(opts)
    p = /<title>Deploy Enterprise Applications\/Modules/
    if (res && res.code.to_i == 200 && res.body.match(p) != nil)
      return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
    end
  end

  {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
end

#try_glassfish_3(credential) ⇒ Hash

Tries to login to Glassfish version 3 or 4 (as of now it’s the latest)

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Hash) —

  • :status [Metasploit::Model::Login::Status]

  • :proof [String] the HTTP response body

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 174

def try_glassfish_3(credential)
  res = try_login(credential)
  if res && res.code == 302
    opts = {
      'uri'     => '/common/applications/uploadFrame.jsf',
      'method'  => 'GET',
      'headers' => {
        'Cookie'  => "JSESSIONID=#{self.jsession}"
      },
      'cgi' => false
    }
    res = send_request(opts)

    p = /<title>Deploy Applications or Modules/
    if (res && res.code.to_i == 200 && res.body.match(p) != nil)
      return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
    end
  elsif res && is_secure_admin_disabled?(res)
    return {:status => Metasploit::Model::Login::Status::DENIED_ACCESS, :proof => res.body}
  elsif res && res.code == 400
    return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.body}
  end

  {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
end

#try_glassfish_9(credential) ⇒ Hash

Tries to login to Glassfish version 9

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Hash) —

  • :status [Metasploit::Model::Login::Status]

  • :proof [String] the HTTP response body

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 159

def try_glassfish_9(credential)
  res = try_login(credential)

  if res && res.code.to_i == 302 && res.headers['Location'].to_s !~ /loginError\.jsf$/
    return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
  end

  {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
end

#try_login(credential) ⇒ Rex::Proto::Http::Response

Sends a login request

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Rex::Proto::Http::Response) —

  The HTTP auth response

# File 'lib/metasploit/framework/login_scanner/glassfish.rb', line 105

def try_login(credential)
  data  = "j_username=#{Rex::Text.uri_encode(credential.public)}&"
  data << "j_password=#{Rex::Text.uri_encode(credential.private)}&"
  data << 'loginButton=Login'

  opts = {
    'uri'     => '/j_security_check',
    'method'  => 'POST',
    'data'    => data,
    'headers' => {
      'Content-Type'   => 'application/x-www-form-urlencoded',
      'Cookie'         => "JSESSIONID=#{self.jsession}",
    },
    'cgi' => false
  }

  send_request(opts)
end