JBoss Seam 2 File Upload / Execute

Versions of the JBoss Seam 2 framework prior to 2.2.1CR2 fail to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the application server. This Metasploit module leverages RCE to upload and execute a meterpreter payload. Versions of the JBoss AS admin-console are known to be vulnerable to this exploit, without requiring authentication. Tested against JBoss AS 5 and 6, running on Linux with JDKs 6 and 7. This Metasploit module provides a more efficient method of exploitation – it does not loop to find desired Java classes and methods. NOTE: the check for upload success is not 100% accurate. NOTE 2: The module uploads the meterpreter JAR and a JSP to launch it.

Leave a Reply