JBoss is an application server/middleware that uses Apache Tomcat as its JSP engine; this paper explains how to deploy a custom application in order to operate on (read, write, execute) the underlying OS.
The JBoss installation guide recommends deploying new applications by copying them into the file system, but there is a less documented way to deploy an application using the web interface.
In this case I used the backdoor collection provided by http://open-labs.org/hacker_webkit02.tar.gz: you just need to compile it with Java and build the .war servlet.
This paper does not explain how to get into the JBoss web console; I just assume you have access to it (btw, the default user and password are admin/admin).
The component we need in order to deploy a new servlet is named “DeploymentScanner”.
In short, its job is to check a list of defined URLs (ftp://, http://, file://) for new Java servlets to deploy; hence, the trick is to add a new URL to the existing ones.
Take care: adding a nonexistent URL may crash JBoss… be careful and double check that the JBoss server can reach the new servlet repository.
There are several menus on the main page of the JBoss console (picture #1). The DeploymentScanner is reachable from both the JMX console and the JBoss web console; dunno why, but I noticed that while one can be password protected the other can not.
Using the JMX console you have to go to (picture #2):
Using the JBoss web console you have to go to (picture #3):
After opening the DeploymentScanner we have to change the “URLList” field (check picture #3), because it lists the URLs that are scanned for new servlets.
To add a new URL we have to use the “void addURL()” function (picture #4).
Once again, I happened to crash a production JBoss using a non-existing URL, so be careful at this point.
You can choose various kinds of URLs (ftp, http and more); use one you are sure the JBoss server can reach.
If you do not want to be more selective you can point directly to a single file using the syntax http://x.x.x.x/file.war.
When done, you have to click on the “invoke” button to add the new URL to the list defined at the top of the page (picture #3).
To start up the deployment scanner just click (and pray) the “invoke” button in the “void scan” function (picture #5). If all works fine you will be able to see the new application deployed in the JMX console (or the JBoss web console).
In my case the new servlet is named pentest3 (picture #6).
If you can see the servlet the job is done and you can start enjoying your backdoor using your favorite web browser (picture #7).
A last note: if JBoss is installed on M$ you have to point to cmd.exe with its complete path and the /c option to execute commands (picture #8).
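Seen from the defender's side, the “URLList” field described above is the thing to audit: any entry that is not one of the server's own deploy directories means the scanner will deploy whatever that location serves. The following check is an added example, not part of the original paper; the expected deploy directory, the comma-separated (optionally bracketed) list format and the sample addresses are assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Schemes the paper lists that make the scanner pull deployables over the network.
REMOTE_SCHEMES = {"http", "https", "ftp"}
# Assumption: the only directory this server is expected to scan (constructed path).
EXPECTED_DIRS = ("/opt/jboss/server/default/deploy",)


def classify(entry, expected_dirs=EXPECTED_DIRS):
    """Return None if the entry is an expected local directory, else a reason."""
    parts = urlsplit(entry)
    scheme = parts.scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote repository"
    if scheme != "file":
        return "unexpected scheme or relative entry"
    if parts.netloc not in ("", "localhost"):
        return "file URL on a remote host"
    # Collapse ../ segments so a traversal cannot hide behind an expected prefix.
    path = posixpath.normpath(parts.path)
    for base in expected_dirs:
        if path == base or path.startswith(base + "/"):
            return None
    return "local path outside the expected deploy directories"


def audit_url_list(url_list, expected_dirs=EXPECTED_DIRS):
    """Audit a URLList value; return (entry, reason) for every entry to review."""
    # Assumption: the value is comma-separated and may be wrapped in [ ].
    entries = url_list.strip().strip("[]").split(",")
    findings = []
    for raw in entries:
        entry = raw.strip()
        reason = classify(entry, expected_dirs) if entry else None
        if reason:
            findings.append((entry, reason))
    return findings


# Constructed sample: one expected entry plus the kinds of entries described above.
SAMPLE = ("[file:/opt/jboss/server/default/deploy/, http://192.0.2.10/file.war, "
          "ftp://192.0.2.10/repo/, file:/opt/jboss/server/default/deploy/../../tmp/]")

if __name__ == "__main__":
    for entry, reason in audit_url_list(SAMPLE):
        print(f"REVIEW {entry}: {reason}")
```

Run it against the URLList value copied from each server and treat every reported entry as a change that needs an owner and an explanation.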