Hillbilly StoryTime: Tool Review - JexBoss

Monday, February 12, 2018

Tool Review - JexBoss



João Filho Matos Figueiredo/@joaomatosf


JexBoss is just the shortened name for the "JBoss (and other Java Deserialization Vulnerabilities) verify and EXploitation Tool"

JexBoss is a Python tool designed to identify and test for the presence of various exploitable vulnerabilities (chiefly Java deserialization flaws) found in JBoss Application Server, Tomcat, Jenkins, Struts2 and other Java frameworks and platforms.


Apache License, Version 2.0

How to Install

On most Linux systems, the user will probably just clone the source from GitHub:
    git clone (the JexBoss repository URL)
    cd jexboss
and then ensure all dependencies are installed:
    pip install -r requires.txt
Alternatively, the user can download the latest version from GitHub as an archive:
    Download the latest version at: master.zip
    unzip master.zip
    cd jexboss-master
    pip install -r requires.txt
JexBoss can also be installed on Windows systems. According to the developer, Git Bash can be used to run JexBoss. Follow the steps below:
  • Download and install Python
  • Download and install Git for Windows
  • After installing, open Git Bash and type the following commands:
    git clone (the JexBoss repository URL)
    cd jexboss
    pip install -r requires.txt

Sample Usage

As with most Linux tools, JexBoss accepts the usual "-h" flag to print its help/usage text, which gives the syntax to execute JexBoss as:

usage: JexBoss [-h] [--version] [--auto-exploit] [--disable-check-updates]
               [-mode {standalone,auto-scan,file-scan}] [--app-unserialize]
               [--servlet-unserialize] [--jboss] [--jenkins] [--struts2]
               [--jmxtomcat] [--proxy PROXY] [--proxy-cred LOGIN:PASS]
               [--jboss-login LOGIN:PASS] [--timeout TIMEOUT]
               [--cookies NAME=VALUE] [--reverse-host RHOST:RPORT] [--cmd CMD]
               [--dns URL] [--windows] [--post-parameter PARAMETER]
               [--show-payload]
               [--gadget {commons-collections3.1,commons-collections4.0,jdk7u21,jdk8u20,groovy1,dns}]
               [--load-gadget FILENAME] [--force] [-host HOST]
               [-network NETWORK] [-ports PORTS] [-results FILENAME]
               [-file FILENAME_HOSTS] [-out FILENAME_RESULTS]
As with most tools, not all of those command line options are necessary. At the very minimum, the user needs to supply a target in the default standalone mode: -host <hostname/IP/URL> (note that the usage above has no "-u" option; the target flag is -host).
Beyond that simple command, the user can add any of the other options as needed. Among them: --auto-exploit turns a verify run into one that actually fires payloads at anything found vulnerable, so leave it off when only detection is wanted; --jboss, --jenkins, --struts2 and --jmxtomcat restrict testing to a single platform instead of running every check; --jboss-login LOGIN:PASS and --proxy-cred LOGIN:PASS supply credentials for the target and for an intercepting proxy (--proxy PROXY); and -mode file-scan with -file FILENAME_HOSTS and -out FILENAME_RESULTS runs the checks across a list of hosts and records the results.
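To make concrete what the "verify" half of a tool like this does before anything is exploited, here is an added example in Python. It is not JexBoss's own code and is not taken from the review; the four probe paths, the classification rules and the sample HTTP responses are my assumptions, and the responses are constructed inline so the script runs without a live JBoss target. The only thing it borrows from the page is the -host flag it recommends for the follow-up run.

```python
"""JexBoss-style "verify" step for JBoss, illustrated offline.

Added example, not code from JexBoss or from the review.  Assumptions (mine):
the four probe paths, the classification rules below and the sample responses,
which are constructed here so the script runs without a live target.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed JBoss entry points requested with a plain GET/HEAD.  Nothing
# serialized is sent, so this is the detection half, not the exploitation half.
PROBES: Dict[str, str] = {
    "jmx-console": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
    "web-console": "/web-console/ServerInfo.jsp",
    "JMXInvokerServlet": "/invoker/JMXInvokerServlet",
    "EJBInvokerServlet": "/invoker/EJBInvokerServlet",
}

# Constructed sample responses, one per probe (not captured from a real host).
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "JMXInvokerServlet": (b"HTTP/1.1 200 OK\r\n"
                          b"Server: Apache-Coyote/1.1\r\n"
                          b"Content-Type: application/x-java-serialized-object\r\n"
                          b"Content-Length: 0\r\n\r\n"),
    "jmx-console": (b"HTTP/1.1 401 Unauthorized\r\n"
                    b"WWW-Authenticate: Basic realm=\"JBoss JMX Console\"\r\n"
                    b"Content-Type: text/html\r\n\r\n"),
    "web-console": b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    "EJBInvokerServlet": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                          b"<html>reverse proxy login page</html>"),
}


@dataclass
class Finding:
    probe: str
    status: int
    verdict: str  # "exposed", "auth-required", "absent" or "undetermined"


def parse_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(probe: str, raw: bytes) -> Finding:
    """Apply the (assumed) verify rules to one probe's response."""
    status, headers = parse_head(raw)
    ctype = headers.get("content-type", "").lower()
    if status in (401, 403) or "www-authenticate" in headers:
        # Present but behind authentication: worth reporting, not a deserialization hit.
        return Finding(probe, status, "auth-required")
    if status == 404:
        return Finding(probe, status, "absent")
    if probe.endswith("InvokerServlet"):
        # The invoker servlets answer even a bare request with a serialized Java
        # object; that content type is the tell that the endpoint deserializes
        # whatever it is sent.  A 200 carrying HTML instead usually means a
        # proxy or login page answered, so it stays undetermined.
        if status in (200, 500) and "x-java-serialized-object" in ctype:
            return Finding(probe, status, "exposed")
        return Finding(probe, status, "undetermined")
    if status == 200:
        # A console reachable without any authentication challenge.
        return Finding(probe, status, "exposed")
    return Finding(probe, status, "undetermined")


def triage(responses: Dict[str, bytes]) -> List[Finding]:
    """Classify every known probe for which a response was collected."""
    return [classify(probe, raw) for probe, raw in responses.items() if probe in PROBES]


def exposed_probes(findings: List[Finding]) -> List[str]:
    """Names of probes whose verdict warrants a JexBoss run against the host."""
    return sorted(f.probe for f in findings if f.verdict == "exposed")


if __name__ == "__main__":
    results = triage(SAMPLE_RESPONSES)
    for f in results:
        print(f"{f.probe:<18} {f.status}  {f.verdict}")
    if exposed_probes(results):
        print("candidate host: run JexBoss with -host <URL>; add --auto-exploit only with authorization")
```

The point of separating the two halves is that the verify step above never sends a gadget chain; it only looks for the serialized-object content type and for consoles that answer without a challenge. Hosts that come back "exposed" are the ones worth handing to JexBoss with -host, and "auth-required" hits are worth noting in a report even though they will not fall to the deserialization checks.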

