DefCon 18: WAS JSP

Version 1.0.0

slides online
View slides online in S5 format.
Mouse over the lower-right corner for slide controls.
slides-1.0.0.zip
Slides zipped into one file.
defcon18-1.0.0.ear
EAR for demo application.
When deploying, make sure to enable Deploy Web services or WS4JEE will not work.
exploit-1.0.0.jar
Exploit for Apache Axis 1.
Usage: java -jar exploit-1.0.0.jar ctx-root-url relative-path-to-axis1 command-to-run [command-arguments...]
unicode-1.0.0.jar
Tool to display UTF-8 decoding for a JVM.
Usage: java -jar unicode-1.0.0.jar
You will want to run this through a pager (more) or redirect the output to a file.
defcon18-src-1.0.0.zip
Sources for demo application, exploit and unicode tool. You will need Maven and a JDK to build it.
WebSphere Application Server (WAS) Web Site
Time-bombed trial available from here
WAS Fixes by version
Where to get updates for WAS

schallee-spam-at-spam-dot-darkmist-net