
Commit c70e38a

committed
Do more reporting
1 parent 5ef4cc2 commit c70e38a


1 file changed

+29
-3
lines changed


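--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -13,6 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::EXE
+include Msf::Auxiliary::Report
 
 def initialize(info={})
 super(update_info(info,
@@ -270,19 +271,28 @@ def undeploy(viewstate, session, entry)
 end
 end
 
+def report_glassfish_version(banner)
+report_note(
+host: rhost,
+type: 'glassfish.banner',
+data: banner,
+update: :unique_data
+)
+end
+
 #
 # Return GlassFish's edition (Open Source or Commercial) and version (2.x, 3.0, 3.1, 9.x) and
 # banner (ex: Sun Java System Application Server 9.x)
 #
 def get_version(res)
-#Extract banner from response
+# Extract banner from response
 banner = res.headers['Server']
 
-#Default value for edition and glassfish version
+# Default value for edition and glassfish version
 edition = 'Commercial'
 version = 'Unknown'
 
-#Set edition (Open Source or Commercial)
+# Set edition (Open Source or Commercial)
 p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
 edition = 'Open Source' if banner =~ p
 
@@ -301,6 +311,8 @@ def get_version(res)
 print_status("Unsupported version: #{banner}")
 end
 
+report_glassfish_version(banner)
+
 return edition, version, banner
 end
 
@@ -632,6 +644,18 @@ def init_loginscanner
 )
 end
 
+def report_auth_bypass(version)
+report_vuln(
+name: 'GlassFish HTTP Method Authentication Bypass',
+info: "The remote service has a vulnerable version of GlassFish (#{version}) that allows the " \
+'attacker to bypass authentication by sending an HTTP verb in lower-case.',
+host: rhost,
+port: rport,
+proto: 'tcp',
+refs: self.references
+)
+end
+
 def try_glassfish_auth_bypass(version)
 sid = nil
 
@@ -652,6 +676,8 @@ def try_glassfish_auth_bypass(version)
 end
 end
 
+report_auth_bypass(version) if sid
+
 sid
 end
 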
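Review bot: `report_glassfish_version` files the banner against the host only, whereas `report_auth_bypass` in the same commit passes `port: rport, proto: 'tcp'` to `report_vuln`; adding those two keys to the `report_note` call would tie the banner to the service it was read from, so that findings for several listeners on one host stay distinguishable. The banner comes from `res.headers['Server']` in `get_version`, which is nil when the response carries no Server header, and the new call passes it on unconditionally; `report_glassfish_version(banner) if banner` avoids recording an empty note. The banner is text chosen by the remote server, so whatever later renders or exports these notes should treat it as untrusted input. `get_version` and `try_glassfish_auth_bypass` both continue outside the visible hunks, so whether `sid` is only ever set after a confirmed bypass (and the vuln record is therefore never a false positive) cannot be checked from here.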
