The idea here is to setup a lab with an old JBoss version (<7.0) in order to exploit the vulnerability.
We can use Docker to facilitate all the process. For this, we're gonna need an Oracle JDK rpm package, that's because JBoss 6.0.0 final works with a JDK 6 runtime. We're also gonna need the Dockerfile present in the repository, and obviously Docker installed on the system. Just make sure to have all files in the same directory.
- Clone this repository with
git clone https://github.com/Xcatolin/jboss-deserialization
- Download the jdk-6u45-linux-x64-rpm.bin package and move it into the same directory as the Dockerfile (you can use an temporary e-mail address to register)
- Build the image with
docker build -t ovanekem/docker-jboss-6.0.0.final .
- Run the image with
docker run -it -p 8080:8080 ovanekem/docker-jboss-6.0.0.final
- Click here to validate if it worked, you should see the JBoss main page