Vulnerabilities) verify and EXploitation Tool
JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.
Requirements
Python >= 2.7.x
urllib3
ipaddress
Installation on Linux\Mac
To install the latest version of JexBoss, please use the following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
OR:
Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
unzip master.zip
cd jexboss-master
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
If you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl:
yum -y install centos-release-scl
yum -y install python27
scl enable python27 bash
Installation on Windows
If you are using Windows, you can use the Git Bash to run the JexBoss. Follow the steps below:
Download and install Python
Download and install Git for Windows
After installing, run the Git for Windows and type the following commands:
PATH=$PATH:C:\Python27\
PATH=$PATH:C:\Python27\Scripts
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
Features
The tool and exploits were developed and tested for:
JBoss Application Server versions: 3, 4, 5 and 6.
Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)
The exploitation vectors are:
/admin-console
tested and working in JBoss versions 5 and 6
/jmx-console
tested and working in JBoss versions 4, 5 and 6
/web-console/Invoker
tested and working in JBoss versions 4, 5 and 6
/invoker/JMXInvokerServlet
tested and working in JBoss versions 4, 5 and 6
Application Deserialization
tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters
Servlet Deserialization
tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an “Invoker” in a link)
Apache Struts2 CVE-2017-5638
tested in Apache Struts 2 applications
Others
Videos
Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss
Exploiting JBoss Application Server with JexBoss
Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)
Screenshots
Simple usage examples:
$ python jexboss.py
Example of standalone mode against JBoss:
$ python jexboss.py -u http://192.168.0.26:8080
