Beanshooter Versions

JMX enumeration and attacking tool.

v4.1.0

1 year ago

Added

Changed

  • Improved exception handling

Checksums

  • beanshooter-4.1.0-jar-with-dependencies.jar
    • MD5: 69e3e35e9da2670eaecebff318f0e409
    • SHA256: fc9830784690a79f0fddf98f076ba1d07e7d09859c7d1082b7db54d2ac119ba9

v4.0.0

1 year ago

Added

Changed

  • Make the TonkaBean OpenType compatible
  • Update default credential list
  • Some bugfixes and improved exception handling

Checksums

  • beanshooter-4.0.0-jar-with-dependencies.jar
    • MD5: 7005b68d5e5c19fa76b5bfff5334bbb7
    • SHA256: 033c1b853e1a1aec29d734917bd57fdf1d72d1e6d6422136888c84bc9c8142e5

v3.1.1

1 year ago

Changed

  • Small bugfix in JarHandler that occurred when using a file system jar during deployment

Checksums

  • beanshooter-3.1.1-jar-with-dependencies.jar
    • MD5: 2eed5165f387845e374d9ae1cd7b1ee4
    • SHA256: 5c593102a8c68963e052c480dda3842c37ae6bdea1d55096185dc3f68a810eab

v3.1.0

1 year ago

Added

  • Display bound names during enum action
  • Display JMX endpoint address during enum action
  • Add support for Glassfish and Corretto (thanks to @dinosn for reporting :pray:)
  • Add --no-canary option to prevent usage of deserialization canaries
  • Add example plugin

Changed

  • Switch from iinsecure.dev to iinsecure.example for docker containers (thanks to @ghuser for reporting :wink:)
  • Switch from jre11 to jre17 for tomcat container
  • Modify Jar Manifest to include Add-Opens (Java16+ support)
  • Catch exceptions caused by outdated TLS servers (thanks to @ret2src for reporting :+1:)

Checksums

  • beanshooter-3.1.0-jar-with-dependencies.jar
    • MD5: 63d6f2bfe5f47390f90b44d1368fbc87
    • SHA256: 419bf7263932fb03c3c6c50e8680fc5b6ccfad81bcb2dbd5e56fea773ab28927

v3.0.0

1 year ago

Added

  • Add operations for the FlightRecorderMXBean
  • Add operations for the DiagnosticCommandMBean
  • Add operations for the HotSpotDiagnosticMXBean
  • Add the attr action for obtaining and modifying attributes
  • Add the info action for enumerating methods and attributes
  • Add the dump action for the MemoryUserDatabaseMBean
  • Add the write action for the MemoryUserDatabaseMBean

Changed

  • The invoke action no longer allows accessing attributes by using methods starting with get. Instead, the attr action should now be used for attribute access
  • The old MBean info operation was renamed to stats. The info action now performs the general info operation for the specified MBean
  • MBeans with default support by beanshooter are now displayed together with the corresponding action name when listing MBeans
  • Refactored the completion script
  • Several bugfixes (thanks to @JustinMoorcroft and @varandinawer for reporting :+1: )

Checksums

  • beanshooter-3.0.0-jar-with-dependencies.jar
    • MD5: faacf796a850caf5bba49b4053477652
    • SHA256: a3111468fc5e2ae0a2b820194d70b3cc913564d84f76d3d5dbd3419f37e825ba

v3.0.0-rc.2

1 year ago

Added

  • Added documentation for the docker containers
  • Added execarray action for the tonka bean
  • Added tricot based tests for all actions

Changed

  • Improve the argument handling of the invoke action (resolves #11. Thanks to @Stijn-Vdh for reporting)
  • Improve the shell action (Windows compatibility)
  • Replace execbackground action with the option --background
  • Several bug fixes

Checksums

  • beanshooter-3.0.0-rc.2-jar-with-dependencies.jar
    • MD5: ada6687ddae8bbaede83558a4f78d5f8
    • SHA256: f0bb255e29334b96092e227896a3b0719813a41d07ff5c5a24fcbe7298d966a2

v3.0.0-rc.1

2 years ago

Global refactoring. Basically all code sections were renewed and several new features were implemented.

Added

  • Added the brute action for bruteforcing JMX credentials
  • Added the invoke action for calling arbitrary MBean methods
  • Added the enum action to enumerate common JMX vulnerabilities
  • Added the list action to enumerate available MBeans
  • Added the serial action to perform deserialization attacks
  • Added support for Apache Tomcat's MemoryUserDatabaseMBean
  • Added support for calling the MLetMBean manually
  • Added support for Apache Karaf

Changed

  • The example servers were renewed and now provide more useful usage examples
  • The tonka-bean is now included in the beanshooter jar file. Building and providing the tonka-bean separately is no longer required
  • The tonka-bean was renewed and contains several new features and improvements
  • The exception handling was improved to provide more detailed information in case of an error. The --stack-trace option can always be used to investigate the full stack trace if required

Checksums

  • beanshooter-3.0.0-rc.1-jar-with-dependencies.jar
    • MD5: 78729362e4b58acfef521641333f9e91
    • SHA256: 951ecf4eef7830c527ab369d97de42da9fa26ec95ed8e94fdb80aac8bb61cd67

v.2.0.1

3 years ago

Changed

  • Fixed bug when using quotes within the !upload and !download shell wrappers

v2.0.0

3 years ago

Added

  • Add SSL support (for registry and remote objects)
  • Add automatic redirection feature
  • Add shell action
  • Add ysoserial action
  • Add cve-2016-3427 action
  • Add support for authenticated JMXMP
  • Add support for SSL protected JMXMP
  • Add new options for separate bind-address and bind-port
  • Add color support
  • Add upload and download functions

Changed

  • Changed the parameter layout during execute actions
  • Changed the bash completion script to include new options
  • Changed the folder structure and class layouts

Example Server

  • Add additional example server running a different tomcat version
  • Add CVE-2016-3427 vulnerability to the example server
  • Add deserialization vulnerability to the example server
  • Add authenticated JMXMP listeners to the example server
  • Add SSL protection to RMI and JMXMP listeners
  • Add hostname specification to the registry server

v1.1.0

3 years ago

Added

  • autocompletion script
  • CI workflows

Changed

  • default path of tonka bean is now /opt/jmx-exploiter/tonka-bean/target/