diff --git a/lib/msf/java/jmx.rb b/lib/msf/java/jmx.rb
index 8c54bd9b35..fa5db05204 100644
--- a/lib/msf/java/jmx.rb
+++ b/lib/msf/java/jmx.rb
@@ -9,14 +9,12 @@ module Msf
 require 'msf/java/rmi/util'
 require 'msf/java/rmi/builder'
 require 'msf/java/jmx/util'
-require 'msf/java/jmx/discovery'
 require 'msf/java/jmx/handshake'
 require 'msf/java/jmx/mbean'
 include Msf::Java::Rmi::Util
 include Msf::Java::Rmi::Builder
 include Msf::Java::Jmx::Util
-include Msf::Java::Jmx::Discovery
 include Msf::Java::Jmx::Handshake
 include Msf::Java::Jmx::Mbean
diff --git a/lib/msf/java/jmx/discovery.rb b/lib/msf/java/jmx/discovery.rb
deleted file mode 100644
index c525261922..0000000000
--- a/lib/msf/java/jmx/discovery.rb
+++ /dev/null
@@ -1,29 +0,0 @@
-# -*- coding: binary -*-
-
-module Msf
-module Java
-module Jmx
-# This module provides methods which help to handle JMX end points discovery
-module Discovery
-# Builds a Rex::Proto::Rmi::Model::Call to discover
-# an JMX RMI endpoint
-#
-# @return [Rex::Proto::Rmi::Model::Call]
-# @TODO it should be moved to a Registry mixin
-def discovery_stream
-call = build_call(
-object_number: 0,
-uid_number: 0,
-uid_time: 0,
-uid_count: 0,
-operation: 2, # java.rmi.Remote lookup(java.lang.String)
-hash: 0x44154dc9d4e63bdf, #ReferenceRegistryStub
-arguments: [Rex::Java::Serialization::Model::Utf.new(nil, 'jmxrmi')]
-)
-
-call
-end
-end
-end
-end
-end
diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb
index 49f831e91b..4ee4d2bbf2 100644
--- a/modules/exploits/multi/misc/java_jmx_server.rb
+++ b/modules/exploits/multi/misc/java_jmx_server.rb
@@ -179,37 +179,17 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def discover_endpoint
-send_call(call: discovery_stream)
-return_value = recv_return
+ref = send_registry_lookup(name: 'jmxrmi')
+return nil if ref.nil?
-if return_value.nil?
-vprint_error("#{peer} - Discovery request didn't answer")
+unless ref[:object] == 'javax.management.remote.rmi.RMIServerImpl_Stub'
+vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{ref[:object]}")
 return nil
 end
-if return_value.is_exception?
-vprint_error("#{peer} - Discovery request returned an exception")
-return nil
-end
+print_status("#{ref.inspect}")
-answer = extract_object(return_value.value[0])
-
-if answer.nil?
-vprint_error("#{peer} - Unexpected JMXRMI discovery answer")
-return nil
-end
-
-case answer
-when 'javax.management.remote.rmi.RMIServerImpl_Stub'
-mbean_server = extract_unicast_ref(StringIO.new(return_value.value[1].contents))
-else
-vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{answer}")
-return nil
-end
-
-print_status("#{mbean_server.inspect}")
-
-mbean_server
+ref
 end
 def handshake(mbean)
diff --git a/spec/lib/msf/java/jmx/discovery_spec.rb b/spec/lib/msf/java/jmx/discovery_spec.rb
deleted file mode 100644
index c5f02ef22a..0000000000
--- a/spec/lib/msf/java/jmx/discovery_spec.rb
+++ /dev/null
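Review bot: The bare `return nil if ref.nil?` in discover_endpoint drops the diagnostics the removed code printed when the lookup did not answer or came back as an exception, so a failed discovery is now silent unless `send_registry_lookup` reports it itself (its body is outside this diff). If it does not, keep the operator informed with one line before the return, `vprint_error("#{peer} - JMXRMI discovery didn't answer") if ref.nil?`. The new code also assumes `ref` is Hash-like with an `:object` key; that contract should be stated in a comment on the method, e.g. `# Returns the unicast ref Hash for the RMIServerImpl_Stub bound as 'jmxrmi', or nil`. As a style point, `print_status("#{ref.inspect}")` wraps an already-string value in interpolation, and `print_status(ref.inspect)` reads cleaner. Finally, discovery_spec.rb is deleted in this commit while no spec covering the new lookup path is visible here, so the registry-lookup behaviour may be left untested unless it is covered elsewhere.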
@@ -1,33 +0,0 @@
-# -*- coding:binary -*-
-require 'spec_helper'
-
-require 'rex/java'
-require 'msf/java/jmx'
-
-describe Msf::Java::Jmx::Discovery do
-subject(:mod) do
-mod = ::Msf::Exploit.new
-mod.extend ::Msf::Java::Jmx
-mod.send(:initialize)
-mod
-end
-
-let(:stream_discovery) do
-"\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" +
-"\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x06\x6a\x6d\x78\x72\x6d" +
-"\x69"
-end
-
-describe "#discovery_stream" do
-
-it "returns a Rex::Java::Serialization::Model::Stream" do
-expect(mod.discovery_stream).to be_a(Rex::Java::Serialization::Model::Stream)
-end
-
-it "builds a valid stream to discover an jmxrmi endpoing" do
-expect(mod.discovery_stream.encode).to eq(stream_discovery)
-end
-end
-end
-