Delete JMX discovery stream

lib/msf/java/jmx.rb

@@ -9,14 +9,12 @@ module Msf
       require 'msf/java/rmi/util'
       require 'msf/java/rmi/builder'
       require 'msf/java/jmx/util'
-      require 'msf/java/jmx/discovery'
       require 'msf/java/jmx/handshake'
       require 'msf/java/jmx/mbean'
 
       include Msf::Java::Rmi::Util
       include Msf::Java::Rmi::Builder
       include Msf::Java::Jmx::Util
-      include Msf::Java::Jmx::Discovery
       include Msf::Java::Jmx::Handshake
       include Msf::Java::Jmx::Mbean
 

lib/msf/java/jmx/discovery.rb

@@ -1,29 +0,0 @@
-# -*- coding: binary -*-
-
-module Msf
-  module Java
-    module Jmx
-      # This module provides methods which help to handle JMX end points discovery
-      module Discovery
-        # Builds a Rex::Proto::Rmi::Model::Call to discover
-        # an JMX RMI endpoint
-        #
-        # @return [Rex::Proto::Rmi::Model::Call]
-        # @TODO it should be moved to a Registry mixin
-        def discovery_stream
-          call = build_call(
-            object_number: 0,
-            uid_number: 0,
-            uid_time: 0,
-            uid_count: 0,
-            operation: 2, # java.rmi.Remote lookup(java.lang.String)
-            hash: 0x44154dc9d4e63bdf, #ReferenceRegistryStub
-            arguments: [Rex::Java::Serialization::Model::Utf.new(nil, 'jmxrmi')]
-          )
-
-          call
-        end
-      end
-    end
-  end
-end

modules/exploits/multi/misc/java_jmx_server.rb

@@ -179,37 +179,17 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def discover_endpoint
-    send_call(call: discovery_stream)
-    return_value = recv_return
+    ref = send_registry_lookup(name: 'jmxrmi')
+    return nil if ref.nil?
 
-    if return_value.nil?
-      vprint_error("#{peer} - Discovery request didn't answer")
+    unless ref[:object] == 'javax.management.remote.rmi.RMIServerImpl_Stub'
+      vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{ref[:object]}")
       return nil
     end
 
-    if return_value.is_exception?
-      vprint_error("#{peer} - Discovery request returned an exception")
-      return nil
-    end
+    print_status("#{ref.inspect}")
 
-    answer = extract_object(return_value.value[0])
-
-    if answer.nil?
-      vprint_error("#{peer} - Unexpected JMXRMI discovery answer")
-      return nil
-    end
-
-    case answer
-    when 'javax.management.remote.rmi.RMIServerImpl_Stub'
-      mbean_server = extract_unicast_ref(StringIO.new(return_value.value[1].contents))
-    else
-      vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{answer}")
-      return nil
-    end
-
-    print_status("#{mbean_server.inspect}")
-
-    mbean_server
+    ref
   end
 
   def handshake(mbean)

spec/lib/msf/java/jmx/discovery_spec.rb

@@ -1,33 +0,0 @@
-# -*- coding:binary -*-
-require 'spec_helper'
-
-require 'rex/java'
-require 'msf/java/jmx'
-
-describe Msf::Java::Jmx::Discovery do
-  subject(:mod) do
-    mod = ::Msf::Exploit.new
-    mod.extend ::Msf::Java::Jmx
-    mod.send(:initialize)
-    mod
-  end
-
-  let(:stream_discovery) do
-    "\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
-    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" +
-    "\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x06\x6a\x6d\x78\x72\x6d" +
-    "\x69"
-  end
-
-  describe "#discovery_stream" do
-
-    it "returns a Rex::Java::Serialization::Model::Stream" do
-      expect(mod.discovery_stream).to be_a(Rex::Java::Serialization::Model::Stream)
-    end
-
-    it "builds a valid stream to discover an jmxrmi endpoing" do
-      expect(mod.discovery_stream.encode).to eq(stream_discovery)
-    end
-  end
-end
-