HTDark | Underground Hacking Forum and Cybersecurity Community
  • Earn real money by being active: Hello Guest, earn real money by simply being active on the forum — post quality content, get reactions, and help the community. Once you reach the minimum credit amount, you’ll be able to withdraw your balance directly. Learn how it works.

JNDI Exploit Kit: exploit java web apps vulnerable to JNDI Injection

Status
Not open for further replies.
itsMe

itsMe

*KillmeMories*
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
Joined
Jan 8, 2019
Messages
56,618
Solutions
2
Reputation
32
Reaction score
100,455
Points
2,313
Credits
32,700
‎6 Years of Service‎
 
76%
modified_new.png


This is a forked modified version of the great exploitation tool created by @welk1n. This tool can be used to start an HTTP Server, RMI Server, and LDAP Server to exploit java web apps vulnerable to JNDI Injection. Here is what I’ve updated on his tool:

    Added support to serialized java payloads to LDAP payloads. This allows exploitation of any java version as long the classes are present in the application classpath ignoring completely the trustURLCodebase=false.

    Added a proper menu with a help display and guidelines (and a fancy ascii banner just because :-p)

    Added some command line parameters to modify the IP:PORT of the services. This helps in situations where the target can only access specific ports like 25, 53, 80, 443, etc.

    Added standalone mode to all services, that way you can start only the JettyServer (HTTP), RMIServer, or LDAPServer. The HTTP address can also be changed on standalone mode to redirect requests to a different server. This is helpful in cases when the target can only access a single port (like port 53) and you need to jump across multiple servers in port 53 for successful exploitation.

    Modified the ASMified Transformer payload (java bytecode) to detect the operating system where the exploit code will be detonated (windows or Unix like systems) and automatically runs the command into a proper terminal shell using the command Runtime.getRuntime().exec(String[] cmd) automatically mapping it to “cmd.exe /c command” or “/bin/bash -c command”. That way we can control pipes and write output to files, etc.

    Added the JNDI bypass using groove published by @orangetw

    Modified the Expression Language in the EL bypass to a more concise payload that detects the operational system and runs the command in a proper terminal (similar to the modified ASMified Transformer code).

    Added two more JDK templates, JDK 1.6 and JDK 1.5. This is important in the case of legacy systems that have ancient Java versions.

To see this hidden content, you must like this content.
 
Status
Not open for further replies.
Back
Top