Disclaimer:
JMET is a proof-of-concept tool for blackbox testing of JMS destinations. Please use this tool with care and only when authorized. Be aware that sending an invalid message to a JMS destination might result in a denial-of-service (DoS) state of the target system. You have been warned!!!
We publish it again for learning about Java deserialization vulnerabilities and for non-commercial use.
JMET was released at Black Hat USA 2016 and is an outcome of Code White's research effort presented in the talk "Pwning Your Java Messaging With Deserialization Vulnerabilities". The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk, more than 12 JMS client implementations were shown to be vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage), i.e. in the code that deserializes the message body on the consumer side. The following more or less complete list shows the vulnerable JMS broker client libraries:
* Apache ActiveMQ
* Redhat/Apache HornetQ
* Oracle OpenMQ
* IBM WebSphereMQ
* Oracle Weblogic
* Pivotal RabbitMQ
* IBM MessageSight
* IIT Software SwiftMQ
* Apache ActiveMQ Artemis
* Apache QPID JMS
* Apache QPID Client
* Amazon SQS Java Messaging
For creating gadget payloads JMET makes use of Chris Frohoff's ysoserial.
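As an added defender-side example (not part of JMET or this README), the following JDK-only Java program shows the JEP 290 allow-list filter that prevents a Java serialization stream, which is exactly what an ObjectMessage body is, from instantiating classes the consumer does not expect. It assumes JDK 9 or later; the Unexpected class and the allow-list contents are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class ObjectMessageFilterDemo {

    // Stand-in for any type that is NOT expected in the message body (hypothetical, constructed for the demo).
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list: the classes a legitimate body contains (ArrayList<Integer> plus the Number
    // superclass descriptor), bounds on nesting and size, and an explicit reject of everything else.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.Integer;java.lang.Number;maxdepth=5;maxbytes=4096;!*");

    // Serialize a value the same way an ObjectMessage body is produced: a Java serialization stream.
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Deserialize under the allow-list; a class outside it raises InvalidClassException
    // (filter status REJECTED) before any of its code can run.
    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(ALLOW_LIST); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ArrayList<Integer> good = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("accepted: " + readFiltered(serialize(good)));
        try {
            readFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real consumer the JMS client library creates the ObjectInputStream itself, so the same pattern is applied process-wide with -Djdk.serialFilter=... (or ObjectInputFilter.Config.setSerialFilter), with the client library's own serializable classes added to the allow-list.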
Supported JMS client libraries
* Apache ActiveMQ
* Redhat/Apache HornetQ
* Oracle OpenMQ
* IBM WebSphereMQ
* Pivotal RabbitMQ
* IIT Software SwiftMQ
* Apache ActiveMQ Artemis
* Apache QPID JMS
* Apache QPID Client
Dependencies:
– Maven
– Java JDK 7 or later
– JMET depends on many other libraries; for details see the Maven pom file.
Download and Use From git:
Download the prebuilt jar:
wget https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar
Or build it from source:
git clone https://github.com/matthiaskaiser/jmet && cd jmet
Please put the following libraries of the commercial brokers into a directory of your choice (e.g. DIR):
com.ibm.mq.allclient.jar (WebSphere MQ)
amqp.jar (SwiftMQ)
jms.jar (SwiftMQ)
swiftmq.jar (SwiftMQ)
Then invoke Maven with the property "commercial" set to your path:
export MAVEN_OPTS=-Xss10m
mvn clean compile assembly:single -Dcommerical=DIR
If you don't want to use the commercial brokers at all, you can just delete the following files:
src/main/java/de/codewhite/jmet/target/impl/WebSphereMQTarget.java
src/main/java/de/codewhite/jmet/target/impl/SwiftMQTarget.java
and then build without the property:
export MAVEN_OPTS=-Xss10m
mvn clean compile assembly:single
Source: https://github.com/matthiaskaiser | Download Stable version: jmet-0.1.0-all.jar