Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.
The slides were published here and the video from hashdays is here; there is no video for BSides ATL.
I consistently violate presentation zen and try to make my slides usable after the talk, but I decided to do a few blog posts covering the topics from the talk anyway.
Post [3] JBoss/Tomcat server-status
There have been some posts/exploits/modules on hitting up unprotected JBoss and Tomcat servers:
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy
Sometimes, even though the deployer functionality is password protected, the server-status page may not be:
/web-console/status?full=true
/manager/status/all
LOW?
This can be useful to find:
- Lists of applications
- Recent URLs accessed
  - sometimes with session IDs
- Hidden services/apps
- Enabled servlets
- owned stuff :-)
Finding 0wned stuff is always fun, so let's see.
Looking at the application list, one entry doesn't look normal (zecmd).
Following that down leads us to zecmd.jsp, which is a JSP shell.
If you are interested in zecmd.jsp and the JBoss worm it comes from, this is a good write-up, as is this OWASP preso: https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf
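As an added example (not part of the original post), here is a small defender-side script that pulls the two status pages above from your own server, lists the deployed contexts, flags anything outside a baseline (the way zecmd stood out here), and notes any session IDs the page echoes from recent request URLs. The HTML shape is an approximation of the Tomcat status page and the sample below is constructed; the baseline set and function names are my own assumptions.

```python
import re
import urllib.request
# Status pages named in the post; on a misconfigured server they need no login.
STATUS_PATHS = ("/web-console/status?full=true", "/manager/status/all")
# Hypothetical baseline of contexts expected on this host (assumption).
BASELINE = {"/", "/manager", "/invoker", "/web-console"}

# Constructed sample approximating the status page HTML: one <h1> per deployed
# context, followed by recent requests seen on that context.
SAMPLE_STATUS_HTML = """<html><body>
<h1>Application list</h1>
<h1><a name="/">/</a></h1>
<h1><a name="/manager">/manager</a></h1>
<h1><a name="/zecmd">/zecmd</a></h1>
<p>GET /zecmd/zecmd.jsp;jsessionid=5F3A9C0E1B2D4A6C8E0F1A2B3C4D5E6F HTTP/1.1</p>
<h1><a name="/invoker">/invoker</a></h1>
</body></html>"""

CONTEXT_RE = re.compile(r'<h1>(?:<a name="[^"]*">)?(/[^<]*)', re.IGNORECASE)
SESSION_RE = re.compile(r"jsessionid=([A-Za-z0-9]+)", re.IGNORECASE)

def extract_contexts(html):
    """Deployed context paths in page order, de-duplicated."""
    seen, found = set(), []
    for ctx in (c.strip() for c in CONTEXT_RE.findall(html)):
        if ctx not in seen:
            seen.add(ctx)
            found.append(ctx)
    return found

def find_leaked_session_ids(html):
    """Session IDs the page echoes from recently accessed URLs."""
    return sorted(set(SESSION_RE.findall(html)))

def audit(html, baseline=BASELINE):
    """Flag contexts outside the baseline (a dropped JSP shell shows up here)."""
    contexts = extract_contexts(html)
    return {"contexts": contexts,
            "unexpected": [c for c in contexts if c not in baseline],
            "session_ids": find_leaked_session_ids(html)}

def check_host(base_url, baseline=BASELINE, timeout=10):
    """Fetch each status path from your own server and audit whatever is readable."""
    results = {}
    for path in STATUS_PATHS:
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
                results[path] = audit(resp.read().decode("utf-8", "replace"), baseline)
        except Exception as exc:  # 401/403/404 or connection failure: not readable
            results[path] = {"error": str(exc)}
    return results
```

Run `check_host("http://your-app-server:8080")` against a host you administer; any path that comes back with an audit dict instead of an error is readable without credentials and should be locked down.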
thoughts?
-CG
zecmd.jsp is the bomb! LOL. Awesome posts/blog as always man!
This is like saying "if the crips have already kneecapped a punk ass blood, and his wallet isn't chained to his belt, you can steal it while he's writhing in agony!".
This post demonstrates exploiting the CVE-2008-3273 or CVE-2010-1429 information disclosure flaws to read a list of deployed software on a JBoss server. This information can be used to determine whether a machine is infected by the JBoss worm based on CVE-2010-0738. All of the security issues mentioned in this post are historical. Patches have been available for JBoss enterprise products since April 2010. Users running fully patched JBoss enterprise products are protected from these attacks, as are users running the latest community releases.
Heh, yeah and looks like someone beat you to the pwning OLOL!
There are a lot of applications which are built on top of JBoss/Tomcat and aren't secured at all. Best of all, they're often running as LocalSystem on Windows boxes.
Hey, is it possible to deface that site using zecmd?
And in zecmd I found that it has root access.