Monday, October 03, 2011

JBoss, JMX Console, misconfigured DeploymentScanner

Exploit Title: JBoss, JMX Console, misconfigured DeploymentScanner

Date: Oct 3 2011
Author: y0ug
Tested on: Linux
CVE : CVE-2010-0738

POC against misconfigured JBoss JMX Console
It use the addUrl method in DeploymentScanner module

More information

You need to edit
# $url_cmd to match the war payload url
# $url_shell is your reverse shell url
( only if you want to use reverse_shell("ip", "port") )

The JSP shell is not mine is available every where
I add a -b param that build the war contener to do this you need java
Is a fast POC coded this morning for fun so maybe it don't cover all case/version

Build the war contener (need java)
# ./jboss -b
#  ./jboss

For more information, please refer to this ExploitDB link:

You also can refer to this whitepaper,JBOSS Exploitation:

No comments: