From 13357c3c0c725a45b57d02f8ca91c72667f07b04 Mon Sep 17 00:00:00 2001
From: JD
Date: Thu, 20 Apr 2023 00:10:17 +0100
Subject: [PATCH] Add user context exploit

---
 .../unix/misc/jboss/manifests/flags.pp | 11 ++-
 .../unix/misc/jboss/manifests/install.pp | 78 +++++++++++--------
 .../unix/misc/jboss/secgen_metadata.xml | 23 ++++--
 .../jboss.service.erb} | 4 +
 .../examples/vulnerability_examples/jboss.xml | 16 ++++
 5 files changed, 86 insertions(+), 46 deletions(-)
 rename modules/vulnerabilities/unix/misc/jboss/{files/jboss.service => templates/jboss.service.erb} (69%)
 create mode 100644 scenarios/examples/vulnerability_examples/jboss.xml

diff --git a/modules/vulnerabilities/unix/misc/jboss/manifests/flags.pp b/modules/vulnerabilities/unix/misc/jboss/manifests/flags.pp
index 2c81fce85..f866485ac 100644
--- a/modules/vulnerabilities/unix/misc/jboss/manifests/flags.pp
+++ b/modules/vulnerabilities/unix/misc/jboss/manifests/flags.pp
@@ -1,11 +1,10 @@
 class jboss::flags {
-  # this is how secgen
-## $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
-  $leaked_filenames = ["flagsecret"] ##$secgen_parameters['leaked_filenames']
-  $strings_to_leak = ["flag message"] ##$secgen_parameters['strings_to_leak']
-
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+
   ::secgen_functions::leak_files { 'jboss-flag':
-    storage_directory => "/opt/jboss-6.1.0.Final",
+    storage_directory => '/opt/jboss-6.1.0.Final',
     leaked_filenames => $leaked_filenames,
     strings_to_leak => $strings_to_leak,
     leaked_from => 'jboss',
diff --git a/modules/vulnerabilities/unix/misc/jboss/manifests/install.pp b/modules/vulnerabilities/unix/misc/jboss/manifests/install.pp
index c48072146..7cdedea68 100644
--- a/modules/vulnerabilities/unix/misc/jboss/manifests/install.pp
+++ b/modules/vulnerabilities/unix/misc/jboss/manifests/install.pp
@@ -1,25 +1,35 @@
 class jboss::install {
-  Exec {
-    path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
     environment => ['JAVA_HOME="/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java"']}
 ensure_packages(['apt-transport-https', 'ca-certificates', 'wget', 'dirmngr', 'gnupg', 'software-properties-common'])
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+
+  # Create user
+  user { $user:
+    ensure => present,
+    home => $user_home,
+    managehome => true,
+  }
+
   file { '/usr/local/java':
     ensure => 'directory'
-  } ->
-  file { '/usr/local/java/jre-archive-files':
-    source => 'puppet:///modules/jboss/jre-archive-files',
-    ensure => directory,
+  }
+  -> file { '/usr/local/java/jre-archive-files':
+    ensure => directory,
+    source => 'puppet:///modules/jboss/jre-archive-files',
     recurse => true,
-  } ->
-  exec { 'extract-java':
+  }
+  -> exec { 'extract-java':
     command => 'cat jre-archive-files/jre* > jre-8u351-linux-x64.tar.gz; tar -xvzf jre-8u351-linux-x64.tar.gz',
-    cwd => '/usr/local/java',
+    cwd => '/usr/local/java',
     creates => '/usr/local/java/jre1.8.0_351'
-  } ->
-  tidy {'delete-jre-archive-parts':
-    path => '/usr/local/java/jre-archive-files',
+  }
+  -> tidy {'delete-jre-archive-parts':
+    path => '/usr/local/java/jre-archive-files',
     recurse => true,
   }
   tidy {'delete-jre-archive':
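Review bot: `$user = $secgen_parameters['leaked_username'][0]` is used without any validation as the `user` resource title here, as a shell argument in `chown -R ${user} ...` in the next hunk, and as the `User=` value of the systemd unit template, so an absent input errors out at the `[0]` index with an unhelpful message and a name containing whitespace or shell metacharacters ends up in a root-run command and in a unit file. Check the input once, where it is read, before any interpolation: `unless $secgen_parameters['leaked_username'] =~ Array[String, 1] { fail('jboss::install: leaked_username input missing') }` and, after the assignment, `unless $user =~ /\A[a-z_][a-z0-9_-]*\z/ { fail("jboss::install: unsafe leaked_username '${user}'") }`. The `user` resource sets no `shell`, so whether the account is meant to be interactive is left to the OS default; stating it explicitly would document the scenario's intent.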
@@ -27,22 +37,25 @@ class jboss::install {
   }
   exec { 'change-java-install-dir-permissions':
     command => 'chmod -R 755 /usr/local/java',
-  } ->
-  exec { 'update-java-location':
+  }
+  -> exec { 'update-java-location':
     command => 'sudo update-alternatives --install "/usr/bin/java" "java" "/usr/local/java/jre1.8.0_351/bin/java" 1',
-  } ->
-  file { '/opt/jboss-archive-files':
-    source => 'puppet:///modules/jboss/jboss-archive-files',
-    ensure => directory,
+  }
+  -> file { '/opt/jboss-archive-files':
+    ensure => directory,
+    source => 'puppet:///modules/jboss/jboss-archive-files',
     recurse => true,
-  } ->
-  exec { 'unzip-jboss':
+  }
+  -> exec { 'unzip-jboss':
     command => 'cat jboss-archive-files/jboss* > jboss-as-distribution-6.1.0.Final.zip; unzip jboss-as-distribution-6.1.0.Final.zip',
-    cwd => '/opt',
+    cwd => '/opt',
     creates => '/opt/jboss-6.1.0.Final/bin'
-  } ->
-  tidy {'delete-jboss-archive-parts':
-    path => '/opt/jboss-archive-files',
+  }
+  -> exec { 'chown-jboss':
+    command => "chown -R ${user} /opt/jboss-6.1.0.Final/",
+  }
+  -> tidy {'delete-jboss-archive-parts':
+    path => '/opt/jboss-archive-files',
     recurse => true,
   }
   tidy {'delete-jboss-archive':
@@ -51,14 +64,15 @@ class jboss::install {
   exec { 'set-listening-interface':
     command => 'echo "JAVA_OPTS=\"\$JAVA_OPTS -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0\"" >> /opt/jboss-6.1.0.Final/bin/run.conf; mkdir /opt/made-interface',
     creates => '/opt/made-interface'
-  } ->
-  exec { 'change-permissions':
+  }
+  -> exec { 'change-permissions':
     command => 'chmod a+x /opt/jboss-6.1.0.Final',
-  } ->
-  file { '/etc/systemd/system/jboss.service':
-    source => 'puppet:///modules/jboss/jboss.service'
-  } ->
-  exec { 'enable-jboss-service-using-systemd':
-    command => 'systemctl enable --now jboss'
+  }
+  -> file { '/etc/systemd/system/jboss.service':
+    content => template('jboss/jboss.service.erb'),
+  }
+  -> service { 'jboss':
+    ensure => running,
+    enable => true,
   }
 }
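Review bot: The new `exec { 'chown-jboss' }` has no `unless`, `onlyif` or `creates`, unlike `unzip-jboss` just above it, so `chown -R ${user} /opt/jboss-6.1.0.Final/` re-runs on every agent run and reports a change each time, which hides real drift in the service tree. It also sets only the owner, so the group of every file stays whatever unzip produced as root. Make it idempotent and explicit: `command => "chown -R ${user}:${user} /opt/jboss-6.1.0.Final/",` with `unless => "test \"$(stat -c %U /opt/jboss-6.1.0.Final)\" = '${user}'",`. A `file { '/opt/jboss-6.1.0.Final': owner => $user, group => $user, recurse => true }` resource would avoid the shell command altogether, at the cost of Puppet managing every file in the JBoss tree on each run.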
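Review bot: The `file { '/etc/systemd/system/jboss.service' }` resource is chained to `service { 'jboss' }` with `->`, which only orders it; a later change to the template (for example a different `User=`) is written to disk but the running service keeps the old unit until something else restarts it. Use `~>` on that edge, or add `notify => Service['jboss'],` to the file resource. The removed `systemctl enable --now jboss` exec implicitly picked up the new unit; with the `service` resource, whether a `systemctl daemon-reload` happens before `ensure => running` depends on the systemd provider of the Puppet version in use, which the diff does not show, so that is worth confirming on the target image. The combination of `chown-jboss` (service user owns the whole tree, including the `run.sh` the unit executes) and `change-permissions` is presumably the intended `user_rwx` outcome declared in the metadata change; a one-line comment on `chown-jboss` saying so would stop a future maintainer from tightening it.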
diff --git a/modules/vulnerabilities/unix/misc/jboss/secgen_metadata.xml b/modules/vulnerabilities/unix/misc/jboss/secgen_metadata.xml index 4fc7dbde7..b7a02a311 100644 --- a/modules/vulnerabilities/unix/misc/jboss/secgen_metadata.xml +++ b/modules/vulnerabilities/unix/misc/jboss/secgen_metadata.xml @@ -1,29 +1,36 @@ - + JBOSS EAP/AS Remoting Unified Invoker RCE Harry J. Hall + James Davis MIT - JBOSS EAP versions 6.x contain an RCE vulnerability that can be executed by a unauthenticated user. + JBOSS EAP versions 6.x contain an RCE vulnerability that can be executed by a + unauthenticated user. This invovles sending a serialized Java object to JBOSS EAP over a network. Java web exploit - root_rwx + user_rwx remote linux medium - server_name strings_to_leak leaked_filenames + leaked_username - + - + + + + + + \ No newline at end of file diff --git a/modules/vulnerabilities/unix/misc/jboss/files/jboss.service b/modules/vulnerabilities/unix/misc/jboss/templates/jboss.service.erb similarity index 69% rename from modules/vulnerabilities/unix/misc/jboss/files/jboss.service rename to modules/vulnerabilities/unix/misc/jboss/templates/jboss.service.erb index a426049b1..5b709e62f 100644 --- a/modules/vulnerabilities/unix/misc/jboss/files/jboss.service +++ b/modules/vulnerabilities/unix/misc/jboss/templates/jboss.service.erb @@ -2,7 +2,11 @@ Description=Vulnerable JBOSS server. [Service] +Type=simple +User=<%= @user %> ExecStart=/opt/jboss-6.1.0.Final/bin/run.sh +Restart=on-abort +RestartSec=1 [Install] WantedBy=multi-user.target \ No newline at end of file diff --git a/scenarios/examples/vulnerability_examples/jboss.xml b/scenarios/examples/vulnerability_examples/jboss.xml new file mode 100644 index 000000000..aa8c58dbf --- /dev/null +++ b/scenarios/examples/vulnerability_examples/jboss.xml @@ -0,0 +1,16 @@ + + + + + + jboss + + + + + + + + \ No newline at end of file
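Review bot: In the renamed `jboss.service.erb`, `Restart=on-abort` only restarts the JVM when it is killed by an unclean signal; a `run.sh` that exits with a non-zero status stays down, and `RestartSec=1` then never applies. For a lab target that is expected to be hit with malformed input, `Restart=on-failure` covers both the signal and the non-zero-exit case with the same delay. `User=<%= @user %>` is inserted into the unit unescaped, so the value has to already be a plain account name when `jboss::install` hands it over; adding `Group=<%= @user %>` alongside it would make the privilege drop explicit rather than relying on the account's primary group.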