Comments on alert(1): JBOSS JMXInvokerServlet Exploit
Feed author: Anonymous (http://www.blogger.com/profile/14557935438165448741)
Feed updated: 2024-03-28T02:21:33.008-07:00
15 comments

Anonymous (https://www.blogger.com/profile/11570943524068463456), 2020-01-16T09:24:17.105-08:00:
Has anyone figured out the hash value for JBoss 6 yet?

Anonymous (https://www.blogger.com/profile/09695269590631842692), 2015-01-13T21:24:38.742-08:00:
Hi,

Just started looking into this and tried using a HEAD method instead of POST. However, I receive a ProtocolException: HTTP method HEAD doesn't support output.
I changed POST to HEAD on line 48 of the code before compiling it.

Please, any ideas?

Anonymous (https://www.blogger.com/profile/14557935438165448741), 2014-02-19T18:07:22.252-08:00:
New post with an update that should work against JBoss 5.1 - tested on 5.0.1. Addresses the VFS problem by using a different deployer: http://breenmachine.blogspot.com/2014/02/jboss-jbxinvoker-servlet-update.html

Anonymous (https://www.blogger.com/profile/14557935438165448741), 2014-02-17T15:34:52.588-08:00:
Hey, I can confirm the hash does seem okay. The problem seems to be like you said with the deployer. I'll be working on this a bit in the next few days and will post an update if I get the code sorted out.

Anonymous, 2014-02-17T14:44:29.613-08:00:
Self-reply to help people searching for the same thing.
1) No, the hash is just fine.
2) You want to call getTargetException() on the InvocationException to get the InvokerAdaptorException, then you want to call getWrapped() on that. You now have the original Exception that was thrown, which is useful for debugging.

Further, the MainDeployer.deploy() function doesn't work properly in JBoss 5.1 as this function is now restricted to only accepting vfsfile:// URIs. See https://issues.jboss.org/browse/JBPAPP-8215

Anonymous, 2014-02-14T18:23:18.937-08:00:
I'm getting InvocationException, but the command-line doesn't show the full trace. Running it in Burp, I can see that it's actually a DeploymentException with "No context factory for " off of org.jboss.virtual.VFS.getVFS().

1) I'm testing against JBoss 5.1, is this related to the hash not matching this version?
2) Can the command-line output be improved to show the other exceptions in the stack?

Anonymous (https://www.blogger.com/profile/14557935438165448741), 2014-02-12T11:58:42.653-08:00:
That's awesome!

drone (https://www.blogger.com/profile/13041279279605772934), 2014-02-12T11:40:57.980-08:00:
Good observation. I'm looking into this as well, and have integrated my findings thus far into a new exploitation tool:

https://github.com/hatRiot/clusterd

I currently have the hashes for 3.2/4.0/4.2, but have yet to figure out 5.x and above. I've also implemented all publicly available deployers for JBoss, and ensure that the versions match up with the deployers.

Feel free to contribute your findings.

Anonymous (https://www.blogger.com/profile/14557935438165448741), 2014-02-11T15:13:02.436-08:00:
Awesome, thanks. When I get some time I'm going to package this up with a bunch of version hashes and different "Deployers" (because not all JBOSS setups use the MainDeployer).

I'll definitely look into making it compatible with versions above 5.x with an object in place of the version hash. I doubt you even need to "serialize" the object out. You would just need to find what type of object and set it, then the whole thing gets serialized and sent over in one shot. Totally doable, probably just a few lines of code.

drone (https://www.blogger.com/profile/13041279279605772934), 2014-02-11T14:09:59.952-08:00:
I did some research; see here http://forelsec.blogspot.com/2014/01/fetching-jboss-mbean-method-hashes.html

tl;dr: JBoss 5.x and up invoke the method not with an integer hash value, but with an Object. Not sure how, but it's likely that an Object needs to be serialized out first to map to the correct method.

Anonymous (https://www.blogger.com/profile/10888727272326125587), 2013-12-12T23:10:07.257-08:00:
Any hash for X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1?
Thanks

Anonymous (https://www.blogger.com/profile/14557935438165448741), 2013-11-27T12:03:29.783-08:00:
Try java -cp jboss.jar:jbossall-client.jar:. JBOSSExploit

Notice the ":."... includes the current directory in the classpath. You need the classpath to include JBOSSExploit.class.

Anonymous (https://www.blogger.com/profile/04075833392508310452), 2013-11-27T09:00:01.459-08:00:
javac -cp jboss.jar:jbossall-client.jar TrustModifier.java JBOSSExploit.java

above works and compiles

but below gives me "Error: Could not find or load main class JBOSSExploit"

java -cp jboss.jar:jbossall-client.jar JBOSSExploit

please help.

Anonymous (https://www.blogger.com/profile/14557935438165448741), 2013-10-24T13:57:54.891-07:00:
I got lucky in that the version I was testing used the same version hash as the one in the Matasano paper. The Metasploit module uses a different version hash in its payloads. You could try both of those; if neither works, I'm actually not sure where to find it other than inspecting network traffic. I'd start by installing JBoss 6 locally and doing some research.

Let me know if you figure it out. I know that the guy who did the original research is on twitter @_ikki, could try asking him.

Anonymous, 2013-10-24T12:06:26.804-07:00:
Hi Stephen! Awesome blog!

May I ask how you found the hash value of the invoker jboss object?? I'm doing a pentest of Jboss 6 with unauthenticated /invoker/jmxinvokeservlet.

Thanks!