Nmap Development mailing list archives
Re: [NSE] jboss-vuln-cve2010-0738.nse
From: Tiago Natel de Moura <tiago4orion () gmail com>
Date: Sat, 16 Jun 2012 07:14:51 -0300
Hi Patrik, I already knew the script http-method-tamper and I agree with your opinion to make it more generic. I also liked your idea of putting a check in the script in a non-intrusive way and exploit the vulnerability only if the options for reverse shell are present. I can do that and also add support to exploit using SSL. About the script: 1 - Ok, I'll modify to use the http headers instead of the product information. Do you really think a good idea to let this test in action? This not affect performance of nmap? 2 - Regarding the shell, I think the only safe way to automatically choose the shell in the script-side is using the nmap version OS detection (-O). The script already has the "cmd" in the command line if "-O" is not used. Leave this task to the uploaded java code is also a good idea. Thanks for the programming tips, but I usually declare variables at the beginning because of the influence of ANSI C ;) I will improve it. About the sleep, is because after the upload of java, JBoss will deploy the file in a directory (it will run the steps that are in the variable in bsh_script) and this can take some seconds depending on server load. Thanks, I'm glad that the script can be useful. []'s i4k BugSec Team On 06/16/2012 05:53 AM, Patrik Karlsson wrote:
Hi Tiago, This seems to be a very useful script! Thanks for taking the time to write it! We do have an existing, more generic, script that checks whether a resource could be retrieved using different HTTP methods. It defaults to the jmx-console and first tries a GET and then a HEAD. The script also provides the possibility to change the path to something else to test other servers than jboss for the same vulnerability. The name of the script is http-method-tamper. I'm not sure what to do here but I suggest the following, but would like comments from others before we decide how to procede. - We keep the http-method-tamper as a generic way for testing method tampering. - We extend the http-method-tamper script with spidering capabilities and remove the connection it has to jboss. - We add code to this new script that allows to do the check in a less intrusive manner, in the same way as the http-method-tamper does. - The check is default unless the reverse_host and revers_port arguments are given, at which point the script does exploitation Now for some comments on the script; I would recommend not doing the product checks in the portrule. The reason being that those fields are only populated if a version scan has been run. My guess is that they are fetched from the http headers and it would therefore be better to perform this check within the action method. This way the script would always run, regardless if a version scan was selected or not and you would be able to bail if you detect it not to be the product you expect in the action method. Also, I think it might be worth continuing when the product cannot be determined as this http header could simply have been removed on valid targets. This also applies for the OS check and determining of the appropriate shell to use. Is there another way of doing it, that doesn't require the version scan to be run? Ideally it would be determined from a http request to the server. An alternative would be allowing the user to specify the shell in an argument or in some way automatically try both. I guess the Runtime.getRuntime().exec section of the Java code could be put in a loop first trying cmd.exe and then /bin/sh and testing whether an instance was properly created? I think it would be a good idea to explain either in the comments of the script, or as part of the result, that there is new code deployed to the server and where. My reasoning behind this is that if you're doing a pentest you would most likely want to inform you client of the change to the app server to give them a chance to clean it up. In general, you should declare parameters when they're used in favor of putting them all on top initialized with nil. Out of curiosity, what purpose does the sleep(5) call have, except for waiting 5 seconds? Thanks, Patrik -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77
-- Tiago Natel de Moura Consultor de Segurança da Informação http://www.linkedin.com/in/tiagonatel http://www.secplus.com.br/ http://github.com/tiago4orion http://code.google.com/p/bugsec _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] jboss-vuln-cve2010-0738.nse Tiago Natel de Moura (Jun 15)
- Re: [NSE] jboss-vuln-cve2010-0738.nse Patrik Karlsson (Jun 16)
- Re: [NSE] jboss-vuln-cve2010-0738.nse Tiago Natel de Moura (Jun 16)
- Re: [NSE] jboss-vuln-cve2010-0738.nse Patrik Karlsson (Jun 16)
- Re: [NSE] jboss-vuln-cve2010-0738.nse Patrik Karlsson (Jun 17)
- Re: [NSE] jboss-vuln-cve2010-0738.nse Tiago Natel de Moura (Jun 16)
- Re: [NSE] jboss-vuln-cve2010-0738.nse David Fifield (Jun 19)
- Re: [NSE] jboss-vuln-cve2010-0738.nse Patrik Karlsson (Jun 19)
- Re: [NSE] jboss-vuln-cve2010-0738.nse David Fifield (Jun 19)
- Re: [NSE] jboss-vuln-cve2010-0738.nse Patrik Karlsson (Jun 19)
- Re: [NSE] jboss-vuln-cve2010-0738.nse Patrik Karlsson (Jun 16)