Refactor extract_rmi_connection_stub

2015-01-15 23:15:30 -06:00 · 2015-01-15 23:15:30 -06:00 · d9c6c56779
parent 2d2f26a0e3
commit d9c6c56779
3 changed files with 35 additions and 43 deletions
--- a/lib/msf/jmx.rb
+++ b/lib/msf/jmx.rb
@ -44,5 +44,31 @@ module Msf
      end

      new_object.class_desc.description.class_name.contents
-    end  end
+    end
+
+    def extract_string(io)
+      raw_length = io.read(2)
+      unless raw_length && raw_length.length == 2
+        return nil
+      end
+      length = raw_length.unpack('n')[0]
+
+      string = io.read(length)
+      unless string && string.length == length
+        return nil
+      end
+
+      string
+    end
+
+    def extract_int(io)
+      int_raw = io.read(4)
+      unless int_raw && int_raw.length == 4
+        return nil
+      end
+      int = int_raw.unpack('N')[0]
+
+      int
+    end
+  end
 end
--- a/lib/msf/jmx/handshake.rb
+++ b/lib/msf/jmx/handshake.rb
@ -50,51 +50,17 @@ module Msf
        auth_array
      end

-      def extract_rmi_connection_stub(stream)
-        stub = false
-        stub_index = 0
-        stream.contents.each do |content|
-          if content.class == Rex::Java::Serialization::Model::NewObject && content.class_desc.description.class_name.contents == 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
-            stub = true
-            break
-          end
-          stub_index = stub_index + 1
-        end
-
-        unless stub
-          return nil
-        end
-
-        block_data = stream.contents[stub_index + 1]
+      def extract_rmi_connection_stub(block_data)
        data_io = StringIO.new(block_data.contents)

-        ref_length = data_io.read(2)
-        unless ref_length && ref_length.length == 2
-          return nil
-        end
-        ref_length = ref_length.unpack('n')[0]
+        ref = extract_string(data_io)
+        return nil unless ref && ref == 'UnicastRef'

-        ref = data_io.read(ref_length)
-        unless ref && ref.length == ref_length && ref == 'UnicastRef'
-          return nil
-        end
+        address = extract_string(data_io)
+        return nil unless address

-        address_length = data_io.read(2)
-        unless address_length && address_length.length == 2
-          return nil
-        end
-        address_length = address_length.unpack('n')[0]
-
-        address = data_io.read(address_length)
-        unless address && address.length == address_length
-          return nil
-        end
-
-        port = data_io.read(4)
-        unless port && port.length == 4
-          return nil
-        end
-        port = port.unpack('N')[0]
+        port = extract_int(data_io)
+        return nil unless port

        id = data_io.read

--- a/modules/exploits/multi/misc/java_jmx_server.rb
+++ b/modules/exploits/multi/misc/java_jmx_server.rb
@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
      fail_with(Failure::NoAccess, "#{peer} - JMX end point requires authentication, but it failed")
    when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
      print_good("#{peer} - Handshake completed, proceeding...")
-      conn_stub = extract_rmi_connection_stub(return_data)
+      conn_stub = extract_rmi_connection_stub(return_data.contents[2])
    else
      fail_with(Failure::Unknown, "#{peer} - Handshake returned unexpected object #{answer}")
    end