JexBoss v1.2.0 - JBoss Verify and Exploitation Tool.


Changelog for JexBoss v1.2.0 (27/2/2017):
* Added support for exploiting Java deserialization in any HTTP POST parameter (like javax.faces.ViewState).
* Added support for exploiting Java deserialization in generic Invoker servlets (any application server).
* Added gadgets to exploit multiple application servers that have commons-collections or groovy libs in the classpath.
* Added support for easily making a reverse shell connection when exploiting Java deserialization vulnerabilities.
* Added exploits for Jenkins CLI and Tomcat RMI (CVE-2015-5317, CVE-2016-8735, CVE-2016-3427).
* Added support for loading your own gadget from a file.
* Several fixes and improvements.

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.

Requirements:
+ Python >= 2.7.x
+ urllib3

Features:
The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.
The exploitation vectors are:
* /admin-console [ NEW ]
+-+ tested and working in JBoss versions 5 and 6
* /jmx-console
+-+ tested and working in JBoss versions 4, 5 and 6
* /web-console/Invoker
+-+ tested and working in JBoss version 4
* /invoker/JMXInvokerServlet
+-+ tested and working in JBoss versions 4 and 5
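
Seen from the defending side, the vectors above and the deserialization support in the changelog leave recognisable traces in HTTP logs. The following is an added example (not part of JexBoss or of the original post) that scans log lines for requests to the four listed paths and for parameters such as javax.faces.ViewState whose value begins with the Java serialization header. The log layout, function names and sample lines are assumptions constructed for the illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Paths the page lists as exploitation vectors.
VECTOR_PATHS = ("/admin-console", "/jmx-console", "/web-console/Invoker",
                "/invoker/JMXInvokerServlet")
JAVA_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream magic + version
# Assumed log layout (constructed): client "METHOD target" status [form body]
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) ?(.*)$')
SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '198.51.100.7 "GET /jmx-console/HtmlAdaptor?action=inspectMBean" 200',
    '198.51.100.7 "POST /invoker/JMXInvokerServlet" 200',
    '203.0.113.9 "POST /app/login.jsf" 200 user=a&javax.faces.ViewState=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA%3D%3D',
    '192.0.2.4 "POST /app/login.jsf" 200 user=b&javax.faces.ViewState=-4821:773',
]

def is_serialized_java(value):
    """True if a parameter value is hex- or base64-encoded Java serialized data."""
    if value.lower().startswith("aced0005"):
        return True
    head = value[:8]
    try:
        raw = base64.b64decode(head + "=" * (-len(head) % 4))
    except ValueError:  # not decodable as base64
        return False
    return raw.startswith(JAVA_MAGIC)

def scan(lines):
    """Return (line_no, client, reason) for every suspicious request."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, status, body = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)
        for vec in VECTOR_PATHS:
            if path == vec or path.startswith(vec + "/"):
                findings.append((no, client, "management endpoint %s (HTTP %s)" % (vec, status)))
        params = parse_qsl(url.query) + (parse_qsl(body) if method == "POST" else [])
        for name, value in params:
            if is_serialized_java(value):
                findings.append((no, client, "serialized Java object in " + name))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 response on any of the management paths from an untrusted client means the console or invoker is reachable without authentication and should be removed or put behind access control.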

Usage:

Source: https://github.com/joaomatosf