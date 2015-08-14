

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.

Requirements:

Python >= 2.7.x

urllib3

ipaddress





Installation on Linux\Mac

To install the latest version of JexBoss, please use the following commands:

git clone https://github.com/joaomatosf/jexboss.git cd jexboss pip install -r requires.txt python jexboss.py -h python jexboss.py -host http://target_host:8080 OR: Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip unzip master.zip cd jexboss-master pip install -r requires.txt python jexboss.py -h python jexboss.py -host http://target_host:8080

yum -y install centos-release-scl yum -y install python27 scl enable python27 bash

Installation on Windows If you are using Windows, you can use the Git Bash to run the JexBoss. Follow the steps below:

Download and install Python

Download and install Git for Windows

After installing, run the Git for Windows and type the following commands: PATH=$PATH:C:\Python27\ PATH=$PATH:C:\Python27\Scripts git clone https://github.com/joaomatosf/jexboss.git cd jexboss pip install -r requires.txt python jexboss.py -h python jexboss.py -host http://target_host:8080

Features: The tool and exploits were developed and tested for:

JBoss Application Server versions: 3, 4, 5 and 6.

Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)

The exploitation vectors are:

/admin-console

tested and working in JBoss versions 5 and 6

/jmx-console

tested and working in JBoss versions 4, 5 and 6

/web-console/Invoker

tested and working in JBoss versions 4, 5 and 6

/invoker/JMXInvokerServlet

tested and working in JBoss versions 4, 5 and 6

Application Deserialization

tested and working against multiple Java applications, platforms, etc, via HTTP POST Parameters

Servlet Deserialization

tested and working against multiple Java applications, platforms, etc, via servlets that process serialized objects (e.g. when you see an "Invoker" in a link)

Apache Struts2 CVE-2017-5638

tested in Apache Struts 2 applications

Others

If you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl: