diff --git a/lib/msf/jmx/discovery.rb b/lib/msf/jmx/discovery.rb
index 3ab99c5f57..86cd2dcd15 100644
--- a/lib/msf/jmx/discovery.rb
+++ b/lib/msf/jmx/discovery.rb
@@ -17,31 +17,7 @@ module Msf
 stream
 end
 
- def extract_mbean_server(stream)
- my_block = false
- stub = false
- i = 0
- stub_index = 0
- stream.contents.each do |content|
- if content.class == Rex::Java::Serialization::Model::BlockData && i == 0
- my_block = true
- end
-
- if content.class == Rex::Java::Serialization::Model::NewObject && content.class_desc.description.class_name.contents == 'javax.management.remote.rmi.RMIServerImpl_Stub'
- stub = true
- stub_index = i
- break
- end
- i = i + 1
- end
-
- unless my_block && stub
- return nil
- end
-
- my_block_id = stream.contents[0].contents[1..-1]
-
- block_data = stream.contents[stub_index + 1]
+ def extract_mbean_server(block_data)
 data_io = StringIO.new(block_data.contents)
 
 ref_length = data_io.read(2)
diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb
index 6ea1baa865..289cab923e 100644
--- a/modules/exploits/multi/misc/java_jmx_server.rb
+++ b/modules/exploits/multi/misc/java_jmx_server.rb
@@ -193,9 +193,22 @@ class Metasploit3 < Msf::Exploit::Remote
 fail_with("#{peer} - Failed to discover the JMX endpoint")
 end
 
+ answer = extract_object(return_data, 1)
+
+ if answer.nil?
+ fail_with(Failure::Unknown, "#{peer} - Unexpected JMXRMI discovery answer")
+ end
+
+ case answer
+ when 'javax.management.remote.rmi.RMIServerImpl_Stub'
+ print_good("#{peer} - RMIServerImpl_Stub instance found, using it")
+ else
+ fail_with(Failure::Unknown, "#{peer} - JMXRMI discovery returned unexpected object #{answer}")
+ end
+
 print_status("#{peer} - Extracting MBean Server...")
- mbean_server = extract_mbean_server(return_data)
+ mbean_server = extract_mbean_server(return_data.contents[2])
 
 if mbean_server.nil?
 fail_with("#{peer} - Failed to extract the JMX MBean server endpoint")
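Review bot: The new `def extract_mbean_server(block_data)` drops every shape check the old body performed, so when the argument is nil or is not a BlockData the very next line, `StringIO.new(block_data.contents)`, raises NoMethodError instead of returning nil, and nil is the only failure the caller handles (`if mbean_server.nil?`). Because the serialized stream is whatever the remote JMX endpoint sent back, a one-line guard restores the old contract: `return nil unless block_data.is_a?(Rex::Java::Serialization::Model::BlockData)`. The same unchecked access appears in the second hunk, where `return_data.contents[2]` is passed in without confirming that index exists. A short YARD header would also help, e.g. `# @param block_data [Rex::Java::Serialization::Model::BlockData] the block following the RMIServerImpl_Stub object in the discovery answer` plus a `@return` line stating that nil means the endpoint could not be parsed. The body of extract_mbean_server continues past the end of the hunk.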