JexBoss – Jboss Exploitation Tool

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.

JexBoss - Jboss Exploitation Tool
JexBoss – Jboss Exploitation Tool

The tool and exploit scripts were developed and tested for:

  • JBoss Application Server versions: 3, 4, 5 and 6.
  • Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces – JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc).

The exploitation vectors are:

  • /admin-console
    • tested and working in JBoss versions 5 and 6
  • /jmx-console
    • tested and working in JBoss versions 4, 5 and 6
  • /web-console/Invoker
    • tested and working in JBoss versions 4, 5 and 6
  • /invoker/JMXInvokerServlet
    • tested and working in JBoss versions 4, 5 and 6
  • Application Deserialization
    • tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters
  • Servlet Deserialization
    • tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an “Invoker” in a link)
  • Apache Struts2 CVE-2017-5638
    • tested in Apache Struts 2 applications

You can read more and download this tool over here: https://github.com/joaomatosf/jexboss

Share