your backdoor? about jexboss HOT 7 CLOSED

Hello Friend,
This is the JSP shell that is deployed within the JBoss server successfully exploited via Jexboss and http://webshell.jexboss.net/ address must be the official tool site (at the time, I'm just migrating the releases notes file for he).
Currently there are 5 different exploits that help improve the effectiveness of JexBoss. They deploy SAME JSP code within the vulnerable server (if you have permission).
As you can see, the code is available both within the python script or hosted on http://joaomatosf.com/rnp/jexws.war. The specific case of your figure, the code is using url encoding, otherwise the exploit does not work. In exploit for vector "invoker", in turn, the same code is in hexadecimal, why it is a holding which sends binary payload.
If you download the http://joaomatosf.com/rnp/jexws.war file and unpack with unzip, inside is the same JSP shell that appears in his image, but without using url encoding.

Addresses "http://webshell.jexboss.net" and "http://webshell.jexboss.com" will be used to host the webshells JexBoss and changelog file (instead of the address http://joaomatosf.com/rnp/, which is an old abandoned blog).
Currently the shell JSP that JexBoss deploys within your server vulnerable seeks changelog file hosted on http://webshell.jexboss.net but does not warn the user when updates are available yet (I'm currently implementing it).
In future releases, when the shell jsp is accessed, it must inform you whenever there are updates itself, similar to what happens when you run the python script jexboss.py. At the time, it just checks the version control file (changelog) which you can view here: http://webshell.jexboss.net/.

Thank you for your question and I am available for any questions.

from jexboss.

thanks for a long reply．I finfished reading it and I hold on to my opinion, it's a backdoor to show u those victims' IP

from jexboss.

Hello Friend,
I understand your opinion.
This Webshell update check is important to keep the webshells always up to date and thus avoid problems (eg, blocking by Intrusion Detection Systems IPS, etc.), but I assure you that I do not store access information.

In respect your opinion, I'll add today an option "--disable-updates" that will instruct the Webshell JSP not to do the checking for updates, okay?

from jexboss.

yeah, it's a possible solution.
anyway, thanks a lot for sharing your python code .

from jexboss.

围观中......

from jexboss.

In a few hours I will be releasing a version with --disable-check-updates option, among others that follow below:

optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
--auto-exploit, -A Send exploit code automatically (USE ONLY IF YOU HAVE
PERMISSION!!!)
--disable-check-updates, -D
Disable the check for updates performed by JSP
Webshell at:
http://webshell.jexboss.net/jsp_version.txt
-mode {auto-scan,file-scan,standalone}
Operation mode

Standalone mode:
-host HOST Host address to be checked

Auto scan mode:
-network NETWORK Network to be checked in CIDR format (eg. 10.0.0.0/8)
-ports PORTS List of ports separated by commas to be checked for
each host (eg. 8080,8443,8888,80,443)
-results FILENAME File name to store the auto scan results

File scan mode:
-file FILENAME_HOSTS Filename with host list to be scanned (one host per
line)
-out FILENAME_RESULTS
File name to store the file scan results

from jexboss.

Dear, the version was released.
Please report any problems.
Thank you

from jexboss.