sjet: siberas JMX exploitation toolkit
sJET allows easy exploitation of insecurely configured JMX services.
git clone https://github.com/siberas/sjet.git
sJET provides a command-line interface (built with argparse):
jython sjet.py targetHost targetPort password MODE (modeOptions)
- targetHost – the target IP address
- targetPort – the target port on which JMX is listening
- password – the password that is/was set during installation
- MODE – the script mode
- modeOptions – the options for the selected mode
Modes and modeOptions
- install – installs the payload on the current target
  - payload_url – full URL from which the target loads the payload
  - payload_port – port on which the payload is served
- uninstall – uninstalls the payload from the current target
- password – changes the password of an already deployed payload
  - password – the new password
- command – runs the command CMD on the targetHost
  - CMD – the command to run
- shell – starts a simple shell on the targetHost (with the limitations of Java's Runtime.exec())
Installing the payload MBean on a vulnerable JMX service
In the following example, the vulnerable JMX service runs on 192.168.11.136:9991 and the attacker has the IP address 192.168.11.132. The JMX service connects to the attacker's web service to download the payload jar file; sJET starts the necessary web service on port 8000.
After the MBean has been installed successfully, the default password is changed to the password that was provided on the command line (“super_secret”).
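The configuration sJET depends on is a remote JMX connector that accepts connections without authentication (and usually without TLS). The following audit script is an added example written for this page, not part of the sJET project: it parses the -D system properties of JVM command lines (the kind found in `ps -o pid,args` output or service unit files) and reports processes whose JMX connector is exposed with authentication or TLS switched off. The property names are the standard JDK ones (com.sun.management.jmxremote.port, .authenticate, .ssl, whose JDK defaults are true for the last two); the process list in the script is constructed for the example.

```python
#!/usr/bin/env python3
"""Audit JVM launch flags for the insecure remote JMX configuration sJET targets.

Added example, not part of sJET: parse the -D system properties of JVM command
lines and report processes whose remote JMX connector is reachable without
authentication or without TLS. SAMPLE_PROCESSES is constructed for the example.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional

JMX = "com.sun.management.jmxremote"

# Constructed sample of (pid, command line) pairs; not real processes.
SAMPLE_PROCESSES = [
    ("4242", "java -Dcom.sun.management.jmxremote "
             "-Dcom.sun.management.jmxremote.port=9991 "
             "-Dcom.sun.management.jmxremote.authenticate=false "
             "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar"),
    ("4243", "java -Dcom.sun.management.jmxremote.port=9992 "
             "-Dcom.sun.management.jmxremote.authenticate=true "
             "-Dcom.sun.management.jmxremote.password.file=/etc/app/jmxremote.password "
             "-Dcom.sun.management.jmxremote.access.file=/etc/app/jmxremote.access "
             "-Dcom.sun.management.jmxremote.ssl=true -jar api.jar"),
    ("4244", "java -Xmx512m -jar worker.jar"),
    ("4245", "java -Dcom.sun.management.jmxremote.port=9993 -jar legacy.jar"),
]


@dataclass
class JmxFinding:
    pid: str
    port: str
    issues: list = field(default_factory=list)

    @property
    def insecure(self) -> bool:
        return bool(self.issues)


def system_properties(cmdline: str) -> dict:
    """Return the -Dkey=value pairs of a JVM command line as a dict.

    A bare -Dkey (no '=') is recorded with an empty string value.
    """
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, sep, value = tok[2:].partition("=")
            props[key] = value if sep else ""
    return props


def audit_jvm(pid: str, cmdline: str) -> Optional[JmxFinding]:
    """Return a finding for a JVM with a remote JMX connector, else None."""
    props = system_properties(cmdline)
    port = props.get(f"{JMX}.port")
    if port is None:
        return None  # no remote connector configured through system properties
    finding = JmxFinding(pid=pid, port=port)
    # JDK defaults when the property is absent: authenticate=true, ssl=true.
    if props.get(f"{JMX}.authenticate", "true").lower() == "false":
        finding.issues.append(
            "authentication disabled: anyone who can reach the port can register MBeans")
    if props.get(f"{JMX}.ssl", "true").lower() == "false":
        finding.issues.append(
            "TLS disabled: credentials and RMI traffic travel in clear text")
    return finding


def audit_all(processes) -> list:
    """Audit every (pid, cmdline) pair; return findings for JVMs exposing JMX."""
    return [f for f in (audit_jvm(p, c) for p, c in processes) if f is not None]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_PROCESSES):
        status = "INSECURE" if f.insecure else "ok"
        print(f"pid {f.pid} jmx port {f.port}: {status}")
        for issue in f.issues:
            print(f"    - {issue}")
```

The script only inspects system properties; a connector configured programmatically or through a management.properties file is not seen, so treat a clean result as a first pass rather than proof that no JMX port is exposed.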
Running the command ‘ls -la’ on a Linux target:
After the payload was installed, we can use it to execute OS commands on the target.
Running ping in shell mode on a target
If you don’t want to load Java for every command, you can use the “shell mode” to get a limited command shell.
The example script “javaproperties.js” displays the Java properties of the vulnerable service. It can be invoked as follows:
Change the password
Change the existing password (“super_secret”) to “this-is-the-new-password”:
Uninstall the payload MBean from the target
Uninstall the payload ‘Siberas’ from the target:
Additional background information can be found here and here.
Copyright (c) 2017 Hans-Martin Münch