Land #11521, add RMI support for UnicastRef2 responses

2019-03-06 20:05:33 -06:00 · 2019-03-06 20:05:33 -06:00 · a5bcabc9c0
parent 55df841a18
commit a5bcabc9c0
1 changed files with 24 additions and 1 deletions
--- a/lib/msf/core/exploit/java/rmi/util.rb
+++ b/lib/msf/core/exploit/java/rmi/util.rb
@ -79,6 +79,21 @@ module Msf
              int
            end

+            # Extracts a byte from an IO
+            #
+            # @param io [IO] the io to extract the byte from
+            # @return [Byte, nil] the extracted byte if success, nil otherwise
+            def extract_byte(io)
+              byte_raw = io.read(1)
+              
+              unless byte_raw && byte_raw.length == 1
+                return nil
+              end
+              byte = byte_raw.unpack('C')[0]
+                      
+              byte
+            end
+
            # Extracts a long from an IO
            #
            # @param io [IO] the io to extract the long from
@ -102,9 +117,17 @@ module Msf
            # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Parser#parse_registry_lookup_endpoint
            def extract_reference(io)
              ref = extract_string(io)
-              unless ref && ref == 'UnicastRef'
+              unless ref && (ref == 'UnicastRef' || ref == 'UnicastRef2')
                return nil
              end
+              
+              if ref == 'UnicastRef2'
+                form = extract_byte(io)
+
+                unless form == 0 || form == 1 # FORMAT_HOST_PORT or FORMAT_HOST_PORT_FACTORY
+                  return nil
+                end
+              end

              address = extract_string(io)
              return nil unless address