# JexBoss Release Notes # https://github.com/joaomatosf/jexboss # # Copyright 2014 João Filho Matos Figueiredo last_version: 1.2.4 date: 2017-03-27 notes: * Added DNS gadget (to check for deserialization bugs with simple dns lookup). Usage: --gadget dns --dns test.yourdomain.com * Fixed bug when running with python3 version: 1.2.3 date: 2017-03-23 notes: * Added JKD8u20 Golden Gadget (based on Alvaro @pwntester). Usage: --gadget jdk8u20 * Added JDK7u21 Golden Gadget (based on Frohoff @Frohoff). Usage: --gadget jdk7u21 * Fixed bugs on admin-console cookie version: 1.2.2 date: 2017-03-16 notes: * Add Cookies support on the Struts2 exploit (useful for testing internal pages that need authentication) * Fix bug when trying to exploit deserialization on the web-console for the second time. * Fix bug when trying to exploit deserialization on the JMXInvokerServlet for the second time. * Add struts2 demo https://www.youtube.com/watch?v=PSRsVcfmRSg on the README version: 1.2.1 date: 2017-03-10 notes: * Added exploit for Apache Struts2 (CVE-2017-5638). * See demo: https://www.youtube.com/watch?v=PSRsVcfmRSg (Exploiting Apache Struts2) version: 1.2.0 date: 2017-02-28 notes: * Added support for exploiting java deserialization in any HTTP POST parameters (like javax.faces.ViewState). * Added support for exploiting java deserialization in generic Invoker servlets (any application server). * Added gadgets to exploit multiple application servers that has commons-collections or groovy libs in the classpath. * Added support to easily make a reverse shell connection when exploiting java deserialization vulnerabilities. * Added exploits for Jenkins CLI and Tomcat RMI (CVE-2015-5317, CVE-2016-8735, CVE-2016-3427). * Added support for load your own gadget from file. * Several fixes and improvements. version: 1.1.2 date: 2016-11-01 notes: * Added support for reverse shell (meterpreter, etc) * Improvements in exploits to support complex commands with pipe and etc (|,>, <, etc ...) * Fixes and improvements version: 1.0.17 date: 2016-10-29 notes: * Added proxy support
 * Fixed problems with buffer for correct execution in Windows Git Bash (thanks to iramar for the report)
 * Added support for logs in order to users to check the details of the execution and help in identifying bugs.
 * OBS: In the next version I will add support for reverse shell easily. version: 1.0.16 date: 2016-10-25 notes: * Extend the -D option to disable too checking for updates performed by the jexboss client at http://joaomatosf.com/rnp/releases.txt (obs: this option also disables checking for updates performed by webshell in exploited server at http://webshell.jexboss.net//jsp_version.txt) version: 1.0.15 date: 2016-10-23 notes: * added readline for improve the command terminal (support arrows keys) * fix error 'captureWarning' when using python 2.6 version: 1.0.12 date: 2016-07-25 notes: * Prevent false positives and other bug fixes version: 1.0.9 date: 2016-04-24 notes: * Fixed command execution problem on Windows servers version: 1.0.8 date: 2016-04-23 notes: * Added network scan mode * Added file list scan mode * Added option for automatic exploitation * Added option to disable checking updates performed by Webshell in http://webshell.jexbos.net address * Update webshell JSP for not to check for updates when the -D option is used * PS: The scans features are still being improved. Please report problems version: 1.0.7 date: 2016-04-20 notes: * Added a new exploit for the vector "admin-console". Tested and working for versions "5" and "6" with default installation. version: 1.0.6 date: 2016-04-16 notes: * Fix for executing commands on servers exploited by earlier versions; * More improvements in webshells to bypass Intrusion Prevention Systems (IPS); version: 1.0.5 date: 2016-04-16 notes: * Fixes for command execution on Windows servers for the vector invoker; * Added support for a new target in the invoker vector; * Split of exploits in a new module to improve code readability; version: 1.0.4 date: 2016-04-14 notes: * Bypass some Intrusion Detection Systems (IPS) * Improvements Webshell; * Fixes for command execution on Windows servers; * Bug fix in the exploit for JBoss 6 in jmx-console vector; version: 1.0.2 date: 2016-04-13 notes: * Added support for checking and auto update version: 1.0.0 date: 2014-01-01 notes: * First version available on github