Monday, October 03, 2011

JBoss, JMX Console, misconfigured DeploymentScanner

Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner

Date: Oct 3 2011
Author: y0ug codsec.com
Version:
Tested on: Linux
CVE : CVE-2010-0738

POC against a misconfigured JBoss JMX Console.
It uses the addUrl method in the DeploymentScanner module.

More information
http://packetstormsecurity.org/files/download/105479/JBossWhitepaper.pdf
http://poc-hack.blogspot.com/2011/02/how-to-hack-any-version-of-jboss.html

You need to edit
# $url_cmd to match the war payload url
# $url_shell is your reverse shell url
( only if you want to use reverse_shell("ip", "port") )

The JSP shell is not mine; it is available everywhere.
I added a -b param that builds the WAR container; to do this you need Java.
It is a quick POC coded this morning for fun, so it may not cover all cases/versions.

Usage:
Build the WAR container (needs Java)
# ./jboss -b
Hack
#  ./jboss http://www.vuln.com:8080

For more information, please refer to this ExploitDB link:
http://www.exploit-db.com/exploits/17924/

You can also refer to this whitepaper, JBOSS Exploitation:
http://www.exploit-db.com/download_pdf/17915
