JMET - The Java Message Exploitation Tool.

Disclaimer:
JMET is a proof-of-concept tool for blackbox testing of JMS destinations. Please use this tool with care and only when authorized. Be aware that sending an invalid message to a JMS destination might result in a denial-of-service (DoS) state of the target system. You have been warned!!!
We publish it again for learning about Java deserialization vulnerabilities and for non-commercial use.

JMET was released at Black Hat USA 2016 and is an outcome of Code White's research effort presented in the talk "Pwning Your Java Messaging With Deserialization Vulnerabilities". The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk, more than 12 JMS client implementations were shown to be vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage). The following more or less complete list shows the vulnerable JMS broker client libraries:
* Apache ActiveMQ
* Redhat/Apache HornetQ
* Oracle OpenMQ
* IBM WebSphereMQ
* Oracle Weblogic
* Pivotal RabbitMQ
* IBM MessageSight
* IIT Software SwiftMQ
* Apache ActiveMQ Artemis
* Apache QPID JMS
* Apache QPID Client
* Amazon SQS Java Messaging
For creating gadget payloads, JMET makes use of Chris Frohoff's ysoserial.

jmet helper

Supported JMS client libraries
* Apache ActiveMQ
* Redhat/Apache HornetQ
* Oracle OpenMQ
* IBM WebSphereMQ
* Pivotal RabbitMQ
* IIT Software SwiftMQ
* Apache ActiveMQ Artemis
* Apache QPID JMS
* Apache QPID Client

Example Jmet

Dependencies:
– Maven
– Java JDK 7 or later
– JMET depends on a lot of libraries. For details, see the Maven pom file.

Download and Use From git:

Source: https://github.com/matthiaskaiser | Download Stable version: jmet-0.1.0-all.jar