Merge pull request #25 from qtc-de/develop

Prepare v3.1.0 Release
qtc-de · Jan 19, 2023 · 1c8a9c9 · 1c8a9c9
2 parents a5c44b7 + d9bb7bc
commit 1c8a9c9
Show file tree

Hide file tree

Showing 61 changed files with 1,015 additions and 542 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,24 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [3.1.0] - Jan 19, 2022
+
+### Added
+
+* Display bound names during enum action
+* Display JMX endpoint address during enum action
+* Add support for Glassfish and Correto
+* Add `--no-canary` option to prevent usage of deserialization canaries
+* Add [example plugin](/plugins)
+
+### Changed
+
+* Switch from `iinsecure.dev` to `iinsecure.example` for docker containers
+* Switch from *jre11* to *jre17* for tomcat container
+* Modify Jar Manifest to include *Add-Opens* (Java16+ support)
+* Catch exceptions caused by outdated TLS servers 
+
+
 ## [3.0.0] - Aug 07, 2022
 
 ### Added

diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 ![](https://github.com/qtc-de/beanshooter/workflows/develop%20maven%20CI/badge.svg?branch=develop)
 ![](https://img.shields.io/badge/java-8%2b-blue)
 [![](https://img.shields.io/badge/build%20system-maven-blue)](https://maven.apache.org/)
-[![](https://img.shields.io/badge/version-3.0.0-blue)](https://github.com/qtc-de/beanshooter/releases)
+[![](https://img.shields.io/badge/version-3.1.0-blue)](https://github.com/qtc-de/beanshooter/releases)
 [![](https://img.shields.io/badge/license-GPL%20v3.0-blue)](https://github.com/qtc-de/beanshooter/blob/master/LICENSE)
 
 
@@ -249,7 +249,7 @@ When the *MBean* class is not known to the *JMX* service, you can use the `--jar
 [+] 				Creating JarHandler for endpoint: /c65c3cdc908348d8bd9a22b8a2bf8be3
 [+] 				Starting HTTP server... 
 [+] 				
-[+] 			Incoming request from: iinsecure.dev
+[+] 			Incoming request from: iinsecure.example
 [+] 			Requested resource: /
 [+] 			Sending mlet:
 [+]
@@ -258,7 +258,7 @@ When the *MBean* class is not known to the *JMX* service, you can use the `--jar
 [+] 				Object:    qtc.test:type=Example
 [+] 				Codebase:  http://172.17.0.1:8000
 [+]
-[+] 			Incoming request from: iinsecure.dev
+[+] 			Incoming request from: iinsecure.example
 [+] 			Requested resource: /c65c3cdc908348d8bd9a22b8a2bf8be3
 [+] 			Sending jar file with md5sum: c4d8f40d1c1ac7f3cf7582092802a484
 [+]
@@ -339,7 +339,7 @@ the `--ssl` option:
 [+] Checking servers SASL configuration:
 [+]
 [+] 	- Remote JMXMP server uses SASL/DIGEST-MD5 SASL profile.
-[+] 	  Credentials are requried and the following hostname must be used: iinsecure.dev
+[+] 	  Credentials are requried and the following hostname must be used: iinsecure.example
 [+] 	  Notice: TLS setting cannot be enumerated and --ssl may be required.
 [+] 	  Vulnerability Status: Non Vulnerable
 ...
@@ -474,7 +474,7 @@ the `--class-name`, `--object-name` and `--jar-file` options are required.
 [+] 
 [+] Press Enter to stop listening.
 [+]
-[+] Incoming request from: iinsecure.dev
+[+] Incoming request from: iinsecure.example
 [+] Requested resource: /
 [+] Sending mlet:
 [+]
@@ -483,7 +483,7 @@ the `--class-name`, `--object-name` and `--jar-file` options are required.
 [+] 	Object:    MLetTonkaBean:name=TonkaBean,id=1
 [+] 	Codebase:  http://172.17.0.1:8888
 [+]
-[+] Incoming request from: iinsecure.dev
+[+] Incoming request from: iinsecure.example
 [+] Requested resource: /93691b8bae4143f087f7a3123641b20d
 [+] Sending jar file with md5sum: 6568ffb2934cb978dbd141848b8b128a
 ```
@@ -569,7 +569,7 @@ a builtin jar file is available):
 [+] 				Creating JarHandler for endpoint: /440441bf8c794d40a83caf1e34cd9993
 [+] 				Starting HTTP server... 
 [+] 				
-[+] 			Incoming request from: iinsecure.dev
+[+] 			Incoming request from: iinsecure.example
 [+] 			Requested resource: /
 [+] 			Sending mlet:
 [+]
@@ -578,7 +578,7 @@ a builtin jar file is available):
 [+] 				Object:    MLetTonkaBean:name=TonkaBean,id=1
 [+] 				Codebase:  http://172.17.0.1:8000
 [+]
-[+] 			Incoming request from: iinsecure.dev
+[+] 			Incoming request from: iinsecure.example
 [+] 			Requested resource: /440441bf8c794d40a83caf1e34cd9993
 [+] 			Sending jar file with md5sum: 55a843002e13f763137d115ce4caf705
 [+]
@@ -748,7 +748,7 @@ The `cmdline` action prints the cmdline the *JVM* was launched with:
 ```console
 [qtc@devbox ~]$ beanshooter diagnostic cmdline 172.17.0.2 1090
 VM Arguments:
-jvm_args: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp -Djava.rmi.server.hostname=iinsecure.dev -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyStore=/opt/store.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=1090 -Dcom.sun.management.jmxremote.rmi.port=1099
+jvm_args: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp -Djava.rmi.server.hostname=iinsecure.example -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyStore=/opt/store.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=1090 -Dcom.sun.management.jmxremote.rmi.port=1099
 java_command: org.apache.catalina.startup.Bootstrap start
 java_class_path (initial): /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
 Launcher Type: SUN_STANDARD
@@ -851,7 +851,7 @@ an *MBean* class from a user specified *URL*:
 [+] 		Creating JarHandler for endpoint: /3584de270132420aaf0812366bc46035
 [+] 		Starting HTTP server... 
 [+] 		
-[+] 	Incoming request from: iinsecure.dev
+[+] 	Incoming request from: iinsecure.example
 [+] 	Requested resource: /
 [+] 	Sending mlet:
 [+]
@@ -860,7 +860,7 @@ an *MBean* class from a user specified *URL*:
 [+] 		Object:    MLetTonkaBean:name=TonkaBean,id=1
 [+] 		Codebase:  http://172.17.0.1:8000
 [+]
-[+] 	Incoming request from: iinsecure.dev
+[+] 	Incoming request from: iinsecure.example
 [+] 	Requested resource: /3584de270132420aaf0812366bc46035
 [+] 	Sending jar file with md5sum: b2f7040f7d8f2d1f40b205d631ff7356
 [+]

diff --git a/beanshooter/pom.xml b/beanshooter/pom.xml
@@ -4,7 +4,7 @@
     <parent>
         <groupId>de.qtc.beanshooter</groupId>
         <artifactId>reactor</artifactId>
-        <version>3.0.0</version>
+        <version>3.1.0</version>
     </parent>
 
     <artifactId>beanshooter</artifactId>
@@ -26,13 +26,13 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.8.0</version>
+            <version>2.11.0</version>
         </dependency>
 
         <dependency>
             <groupId>org.javassist</groupId>
             <artifactId>javassist</artifactId>
-            <version>3.27.0-GA</version>
+            <version>3.29.2-GA</version>
         </dependency>
 
         <dependency>
@@ -84,6 +84,16 @@
                         <mainClass>de.qtc.beanshooter.Starter</mainClass>
                         <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
                     </manifest>
+                    <manifestEntries>
+                        <Add-Opens>
+                            java.base/java.lang.reflect
+                            java.base/jdk.internal.misc
+                            java.rmi/java.rmi.server
+                            java.rmi/sun.rmi.server
+                            java.rmi/sun.rmi.transport
+                            java.rmi/sun.rmi.transport.tcp
+                        </Add-Opens>
+                    </manifestEntries>
                 </archive>
                 <descriptorRefs>
                   <descriptorRef>jar-with-dependencies</descriptorRef>

diff --git a/beanshooter/src/de/qtc/beanshooter/exceptions/ExceptionHandler.java b/beanshooter/src/de/qtc/beanshooter/exceptions/ExceptionHandler.java
@@ -4,6 +4,9 @@
 import java.io.IOException;
 import java.util.List;
 
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
 import de.qtc.beanshooter.io.Logger;
 import de.qtc.beanshooter.operation.BeanshooterOption;
 import de.qtc.beanshooter.utils.Utils;
@@ -395,6 +398,19 @@ public static void handleMBeanGeneric(Exception e)
         }
     }
 
+    public static void unsupportedCallback(Exception e)
+    {
+        UnsupportedCallbackException callbackException = (UnsupportedCallbackException)e;
+        Callback callback = callbackException.getCallback();
+
+        Logger.eprintlnMixedYellow("Caught", "UnsupportedCallbackException", "while authenticating to JMX.");
+        Logger.eprintlnMixedBlue("The server does not support the", callback.getClass().getName(), "callback.");
+        Logger.println("This is probably an implementation error on the server side. You may try a different auth method.");
+
+        ExceptionHandler.showStackTrace(e);
+        Utils.exit();
+    }
+
     public static void noSuchMethod(Exception e, String method)
     {
         String signature = BeanshooterOption.INVOKE_METHOD.getValue(method);
@@ -575,6 +591,8 @@ public static void deserialClassNotFound(ClassNotFoundException e)
             Logger.eprintlnMixedYellow("Caught", "ClassNotFoundException", "after the payload object was sent.");
             Logger.eprintlnMixedBlue("The specified gadget does probably", "not exist", "inside the classpath.");
         }
+
+        ExceptionHandler.showStackTrace(e);
     }
 
     public static void invalidObjectId(String objID)
@@ -585,6 +603,18 @@ public static void invalidObjectId(String objID)
         Utils.exit();
     }
 
+    public static void pluginException(PluginException e)
+    {
+        Logger.eprintlnMixedYellow("Caught unexpected", "PluginException", "during operation.");
+        Logger.eprintln("The specified plugin raised this exception to indicate an error condition.");
+        Logger.eprintlnMixedBlue("Plugin error message:", e.getMessage());
+
+        if (e.origException != null)
+            showStackTrace(e.origException);
+
+        Utils.exit();
+    }
+
     public static void lookupClassNotFoundException(Exception e, String name)
     {
         name = name.replace(" (no security manager: RMI class loader disabled)", "");

diff --git a/beanshooter/src/de/qtc/beanshooter/exceptions/GlassFishException.java b/beanshooter/src/de/qtc/beanshooter/exceptions/GlassFishException.java
@@ -0,0 +1,37 @@
+package de.qtc.beanshooter.exceptions;
+
+import de.qtc.beanshooter.io.Logger;
+
+/**
+ * The GlassFishException is thrown when GlassFish specific error messages
+ * are observed during a JMX login attempt.
+ *
+ * @author Tobias Neitzel (@qtc_de)
+ */
+public class GlassFishException extends AuthenticationException {
+
+    private static final long serialVersionUID = 1L;
+
+    public GlassFishException(Exception e)
+    {
+        super(e, false);
+    }
+
+    public GlassFishException(Exception e, boolean showDetails)
+    {
+        super(e, showDetails);
+    }
+
+    public void printStackTrace()
+    {
+        if (origException.getMessage().contains("AdminLoginModule$PrincipalCallback"))
+        {
+            Logger.lineBreak();
+            Logger.printlnMixedBlue("The following stacktrace might be misleading. See", "https://github.com/eclipse-ee4j/glassfish/issues/24223");
+            Logger.printlnMixedYellow("Summarized: The error is probably caused by", "missing or invalid", "credentials.");
+            Logger.lineBreak();
+        }
+
+        origException.printStackTrace();
+    }
+}
diff --git a/beanshooter/src/de/qtc/beanshooter/exceptions/PluginException.java b/beanshooter/src/de/qtc/beanshooter/exceptions/PluginException.java
@@ -0,0 +1,28 @@
+package de.qtc.beanshooter.exceptions;
+
+/**
+ * Can be raised by plugins. Beanshooter always aborts upon encountering such an exception.
+ *
+ * @author Tobias Neitzel (@qtc_de)
+ */
+public class PluginException extends Exception
+{
+    private static final long serialVersionUID = 1L;
+    protected final Exception origException;
+
+      public PluginException()
+      {
+          this(null, null);
+      }
+
+      public PluginException(String message)
+      {
+         this(message, null);
+      }
+
+      public PluginException(String message, Exception e)
+      {
+         super(message);
+         origException = e;
+      }
+}
diff --git a/beanshooter/src/de/qtc/beanshooter/mbean/MBean.java b/beanshooter/src/de/qtc/beanshooter/mbean/MBean.java
@@ -86,7 +86,7 @@ public enum MBean implements IMBean
           "general purpose bean for executing commands and uploading or download files",
           Utils.getObjectName("MLetTonkaBean:name=TonkaBean,id=1"),
           "de.qtc.beanshooter.tonkabean.TonkaBean",
-          "tonka-bean-3.0.0-jar-with-dependencies.jar",
+          "tonka-bean-3.1.0-jar-with-dependencies.jar",
           TonkaBeanOperation.values(),
           TonkaBeanOption.values()
          );

diff --git a/beanshooter/src/de/qtc/beanshooter/operation/BeanshooterOperation.java b/beanshooter/src/de/qtc/beanshooter/operation/BeanshooterOperation.java
@@ -201,6 +201,7 @@ public enum BeanshooterOperation implements Operation {
             BeanshooterOption.SERIAL_GADGET_CMD,
             BeanshooterOption.YSO,
             BeanshooterOption.SERIAL_PREAUTH,
+            BeanshooterOption.SERIAL_NO_CANARY,
     }),
 
     STAGER("stager", "start a stager server to deliver MBeans", new Option[] {

diff --git a/beanshooter/src/de/qtc/beanshooter/operation/BeanshooterOption.java b/beanshooter/src/de/qtc/beanshooter/operation/BeanshooterOption.java
@@ -242,6 +242,13 @@ public enum BeanshooterOption implements Option {
                         ArgType.STRING,
                         "cmd"),
 
+    SERIAL_NO_CANARY("--no-canary",
+            "do not use a canary during deserialization attacks",
+            Arguments.storeTrue(),
+            OptionGroup.ACTION,
+            ArgType.STRING
+            ),
+
     SERIAL_PREAUTH("--preauth",
                    "attempt pre authentication deserialization",
                    Arguments.storeTrue(),

diff --git a/beanshooter/src/de/qtc/beanshooter/operation/Dispatcher.java b/beanshooter/src/de/qtc/beanshooter/operation/Dispatcher.java
@@ -25,6 +25,7 @@
 import de.qtc.beanshooter.mbean.MBean;
 import de.qtc.beanshooter.networking.StagerServer;
 import de.qtc.beanshooter.plugin.PluginSystem;
+import de.qtc.beanshooter.utils.DeserializationCanary;
 import de.qtc.beanshooter.utils.Utils;
 
 /**
@@ -124,6 +125,7 @@ public void enumerate()
         int port = ArgumentHandler.require(BeanshooterOption.TARGET_PORT);
 
         EnumHelper enumHelper = new EnumHelper(host, port);
+        enumHelper.boundNames();
 
         if (BeanshooterOption.CONN_JMXMP.getBool() && BeanshooterOption.CONN_SASL.isNull())
         {
@@ -186,6 +188,9 @@ public void serial()
 
         Object payloadObject = ArgumentHandler.getInstance().getGadget();
 
+        if (!BeanshooterOption.SERIAL_NO_CANARY.getBool())
+            payloadObject = new Object[] { payloadObject, new DeserializationCanary() };
+
         try
         {
             if (BeanshooterOption.CONN_JMXMP.getBool())