Calculate the java/rmi/registry/RegistryImpl_Stub hash dynamically

bug/bundler_fix
jvazquez-r7 2015-03-25 11:29:07 -05:00
parent a5c39db6c3
commit 0540e25db2
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
6 changed files with 68 additions and 25 deletions


@ -84,6 +84,44 @@ module Msf
names
end
# Calculates the hash to make RMI calls for the
# java/rmi/registry/RegistryImpl_Stub interface
#
# @return [Fixnum] The interface's hash
def registry_interface_hash
hash = calculate_interface_hash(
[
{
name: 'bind',
descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
exceptions: ['java.rmi.AccessException', 'java.rmi.AlreadyBoundException', 'java.rmi.RemoteException']
},
{
name: 'list',
descriptor: '()[Ljava/lang/String;',
exceptions: ['java.rmi.AccessException', 'java.rmi.RemoteException']
},
{
name: 'lookup',
descriptor: '(Ljava/lang/String;)Ljava/rmi/Remote;',
exceptions: ['java.rmi.AccessException', 'java.rmi.NotBoundException', 'java.rmi.RemoteException']
},
{
name: 'rebind',
descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
exceptions: ['java.rmi.AccessException', 'java.rmi.RemoteException']
},
{
name: 'unbind',
descriptor: '(Ljava/lang/String;)V',
exceptions: ['java.rmi.AccessException', 'java.rmi.NotBoundException', 'java.rmi.RemoteException']
}
]
)
hash
end
end
end
end
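Review bot: `registry_interface_hash` rebuilds the five-entry method table and re-hashes it on every call, although its inputs are constants and this commit calls it once per RMI request; memoise it and drop the `hash = ...; hash` indirection, e.g. `@registry_interface_hash ||= calculate_interface_hash([ ... ])`. The order of the entries is also load-bearing and undocumented: as far as the visible part of `calculate_interface_hash` shows, it iterates the array as given, so the table must stay in the order the JVM hashes it (sorted by method name: bind, list, lookup, rebind, unbind) or the computed hash silently diverges from the server's and every call fails; a one-line comment above the array, `# Keep sorted by method name: the stub hash depends on this order and calculate_interface_hash does not sort`, would stop a well-meaning reorder. The enclosing module's header lies outside this hunk.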


@ -27,7 +27,7 @@ module Msf
uid_time: uid_time,
uid_count: uid_count,
operation: 2, # java.rmi.Remote lookup(java.lang.String)
hash: 0x44154dc9d4e63bdf, # RegistryImpl_Stub
hash: registry_interface_hash,
arguments: [Rex::Java::Serialization::Model::Utf.new(nil, name)]
)
@ -52,7 +52,7 @@ module Msf
uid_time: uid_time,
uid_count: uid_count,
operation: 1, # java.lang.String list()[]
hash: 0x44154dc9d4e63bdf, # RegistryImpl_Stub
hash: registry_interface_hash,
arguments: []
)


@ -25,7 +25,7 @@ module Msf
# @param exceptions [Array] set of declared exceptions
# @return [Fixnum] The interface hash
# @see http://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmi-stubs24.html The RemoteRef Interface documentation to understand how interface hashes are calculated
def calculate_interface_hash(methods, exceptions)
def calculate_interface_hash(methods)
stream = ''
stream << [1].pack('N') # stub version number
@ -34,7 +34,7 @@ module Msf
utf_descriptor = Rex::Java::Serialization::Model::Utf.new(nil, m[:descriptor])
stream << utf_method.encode
stream << utf_descriptor.encode
exceptions.each do |e|
m[:exceptions].each do |e|
utf_exception = Rex::Java::Serialization::Model::Utf.new(nil, e)
stream << utf_exception.encode
end
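Review bot: The YARD block above the new signature is now wrong: the context line `# @param exceptions [Array] set of declared exceptions` documents a parameter that no longer exists, and nothing states that each entry of `methods` must carry an `:exceptions` key. Replace that line with `# @param methods [Array<Hash>] methods to hash, each with :name, :descriptor and :exceptions (Array<String>) keys` (or fold it into the existing `@param methods` line, which is outside the hunk). Since a caller still passing the old `{name:, descriptor:}` shape now fails with a NoMethodError on `nil.each` deep in the stream build, `m.fetch(:exceptions).each do |e|` would surface the missing key as a clear KeyError instead. `calculate_interface_hash` begins and ends outside this hunk.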


@ -53,10 +53,17 @@ class Metasploit3 < Msf::Auxiliary
dgc_interface_hash = calculate_interface_hash(
[
{name: 'clean', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/VMID;Z)V'},
{name: 'dirty', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/Lease;)Ljava/rmi/dgc/Lease;'}
],
['java.rmi.RemoteException']
{
name: 'clean',
descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/VMID;Z)V',
exceptions: ['java.rmi.RemoteException']
},
{
name: 'dirty',
descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/Lease;)Ljava/rmi/dgc/Lease;',
exceptions: ['java.rmi.RemoteException']
}
]
)
# JDK 1.1 stub protocol
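Review bot: The DGC interface table is still inlined in this module and re-hashed on each run, while the same commit moves the registry's table into a reusable `registry_interface_hash` helper in the client mixin; a parallel `dgc_interface_hash` helper (memoised the same way, with the clean/dirty entries and their `java.rmi.RemoteException` declarations) would keep the two interfaces consistent and let other DGC modules reuse it. If it stays inline, add `# Keep sorted by method name; the hash depends on the order` above the array, since the order is required and not enforced. The enclosing method starts and ends outside this hunk.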


@ -227,5 +227,11 @@ describe Msf::Java::Rmi::Client::Registry do
end
end
end
describe "#registry_interface_hash" do
it "calculates the hash for the java/rmi/registry/RegistryImpl_Stub correctly" do
expect(mod.registry_interface_hash).to eq(4905912898345647071)
end
end
end
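Review bot: The expected value is written in decimal, `4905912898345647071`, which hides that it is exactly the hard-coded `0x44154dc9d4e63bdf` this commit removes from the registry client, and it breaks with the sibling util spec, which writes every hash in hex. Use `expect(mod.registry_interface_hash).to eq(0x44154dc9d4e63bdf)` so a reader can check the computed hash against the former constant by eye.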


@ -12,18 +12,14 @@ describe Msf::Java::Rmi::Util do
mod
end
let(:interface_methods) do
let(:example_interface) do
[
{name: 'sayHello', descriptor: '()Ljava/lang/String;'},
{name: 'sayHelloTwo', descriptor: '(Ljava/lang/String;)Ljava/lang/String;'}
{name: 'sayHello', descriptor: '()Ljava/lang/String;', exceptions: ['java.rmi.RemoteException']},
{name: 'sayHelloTwo', descriptor: '(Ljava/lang/String;)Ljava/lang/String;', exceptions: ['java.rmi.RemoteException']}
]
end
let(:interface_exceptions) do
['java.rmi.RemoteException']
end
let(:interface_hash) do
let(:example_hash) do
0x3e664fcbd9e953bb
end
@ -35,17 +31,13 @@ describe Msf::Java::Rmi::Util do
0x53e0822d3e3724df
end
let(:dgc_methods) do
let(:dgc_interface) do
[
{name: 'clean', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/VMID;Z)V'},
{name: 'dirty', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/Lease;)Ljava/rmi/dgc/Lease;'}
{name: 'clean', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/VMID;Z)V', exceptions: ['java.rmi.RemoteException']},
{name: 'dirty', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/Lease;)Ljava/rmi/dgc/Lease;', exceptions: ['java.rmi.RemoteException']}
]
end
let(:dgc_exceptions) do
['java.rmi.RemoteException']
end
let(:dgc_hash) do
0xf6b6898d8bf28643
end
@ -83,13 +75,13 @@ describe Msf::Java::Rmi::Util do
describe "#calculate_interface_hash" do
context "when an example interface is provided" do
it "generates a correct interface hash" do
expect(mod.calculate_interface_hash(interface_methods, interface_exceptions)).to eq(interface_hash)
expect(mod.calculate_interface_hash(example_interface)).to eq(example_hash)
end
end
context "when a DGC interface is provided" do
it "generates a correct interface hash" do
expect(mod.calculate_interface_hash(dgc_methods, dgc_exceptions)).to eq(dgc_hash)
expect(mod.calculate_interface_hash(dgc_interface)).to eq(dgc_hash)
end
end
end
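Review bot: Both fixtures still declare the identical `['java.rmi.RemoteException']` list on every method, so these examples cannot tell the new per-method exceptions apart from the old shared list; the behaviour this commit introduces is only exercised indirectly through the registry spec. Add a context here with two methods declaring different exception sets (the registry's `bind` versus `list` is a ready-made example) and pin its hash, ideally against a value taken from a real JVM stub rather than from this implementation. The `describe` that opens this file lies outside the hunk.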