From d9c6c5677912d9dab11c12c7bfe211f085a1552f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 15 Jan 2015 23:15:30 -0600
Subject: [PATCH] Refactor extract_rmi_connection_stub

---
 lib/msf/jmx.rb | 28 ++++++++++-
 lib/msf/jmx/handshake.rb | 48 +++----------------
 .../exploits/multi/misc/java_jmx_server.rb | 2 +-
 3 files changed, 35 insertions(+), 43 deletions(-)

diff --git a/lib/msf/jmx.rb b/lib/msf/jmx.rb
index 2c72dbfff4..6663eba063 100644
--- a/lib/msf/jmx.rb
+++ b/lib/msf/jmx.rb
@@ -44,5 +44,31 @@ module Msf
  end
  new_object.class_desc.description.class_name.contents
- end
  end
+ end
+
+ def extract_string(io)
+ raw_length = io.read(2)
+ unless raw_length && raw_length.length == 2
+ return nil
+ end
+ length = raw_length.unpack('n')[0]
+
+ string = io.read(length)
+ unless string && string.length == length
+ return nil
+ end
+
+ string
+ end
+
+ def extract_int(io)
+ int_raw = io.read(4)
+ unless int_raw && int_raw.length == 4
+ return nil
+ end
+ int = int_raw.unpack('N')[0]
+
+ int
+ end
+ end
 end
diff --git a/lib/msf/jmx/handshake.rb b/lib/msf/jmx/handshake.rb
index c18cb890e3..b220e85cb6 100644
--- a/lib/msf/jmx/handshake.rb
+++ b/lib/msf/jmx/handshake.rb
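Review bot: extract_string and extract_int carry no documentation and spell their guards as four-line `unless … return nil end` blocks, while the rewritten extract_rmi_connection_stub in handshake.rb in this same commit uses the `return nil unless …` modifier form; the two files should agree, and the `int` local in extract_int only renames the unpack result before returning it. Suggested shape for extract_int: `return nil unless int_raw && int_raw.length == 4` followed by `int_raw.unpack('N')[0]` as the last expression. A YARD header on extract_string would help callers, e.g. `# Reads a 2-byte big-endian length prefix followed by that many bytes.`, `# @param io [IO] stream positioned at the length prefix`, `# @return [String, nil] the bytes read, or nil on a short read`. That comment should also state that a zero length yields an empty string, which is truthy in Ruby, so a caller that tests only for nil will accept it.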
@@ -50,51 +50,17 @@ module Msf
  auth_array
  end
- def extract_rmi_connection_stub(stream)
- stub = false
- stub_index = 0
- stream.contents.each do |content|
- if content.class == Rex::Java::Serialization::Model::NewObject && content.class_desc.description.class_name.contents == 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
- stub = true
- break
- end
- stub_index = stub_index + 1
- end
-
- unless stub
- return nil
- end
-
- block_data = stream.contents[stub_index + 1]
+ def extract_rmi_connection_stub(block_data)
  data_io = StringIO.new(block_data.contents)
- ref_length = data_io.read(2)
- unless ref_length && ref_length.length == 2
- return nil
- end
- ref_length = ref_length.unpack('n')[0]
+ ref = extract_string(data_io)
+ return nil unless ref && ref == 'UnicastRef'
- ref = data_io.read(ref_length)
- unless ref && ref.length == ref_length && ref == 'UnicastRef'
- return nil
- end
+ address = extract_string(data_io)
+ return nil unless address
- address_length = data_io.read(2)
- unless address_length && address_length.length == 2
- return nil
- end
- address_length = address_length.unpack('n')[0]
-
- address = data_io.read(address_length)
- unless address && address.length == address_length
- return nil
- end
-
- port = data_io.read(4)
- unless port && port.length == 4
- return nil
- end
- port = port.unpack('N')[0]
+ port = extract_int(data_io)
+ return nil unless port
  id = data_io.read
diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb
index a697bae8d4..c8a4eceda6 100644
--- a/modules/exploits/multi/misc/java_jmx_server.rb
+++ b/modules/exploits/multi/misc/java_jmx_server.rb
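Review bot: The new signature takes `block_data` and immediately calls `block_data.contents` on it with no check, where the removed version returned nil when the stub element was not found; a caller that passes nil or an element without `contents` now gets a NoMethodError out of the handshake instead of a nil result, and the caller in java_jmx_server.rb now passes a fixed `return_data.contents[2]`, which is exactly where that can happen on a short or differently laid out reply. A guard at the top, `return nil unless block_data.respond_to?(:contents)`, keeps the previous nil contract. The `ref &&` in `return nil unless ref && ref == 'UnicastRef'` is redundant since `nil == 'UnicastRef'` is already false; `return nil unless ref == 'UnicastRef'` reads the same. The method body continues past the end of the hunk.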
@@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
  fail_with(Failure::NoAccess, "#{peer} - JMX end point requires authentication, but it failed")
  when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
  print_good("#{peer} - Handshake completed, proceeding...")
- conn_stub = extract_rmi_connection_stub(return_data)
+ conn_stub = extract_rmi_connection_stub(return_data.contents[2])
  else
  fail_with(Failure::Unknown, "#{peer} - Handshake returned unexpected object #{answer}")
  end
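Review bot: `return_data.contents[2]` replaces the removed scan for the element following the RMIConnectionImpl_Stub object with a fixed index, and nothing in this hunk records why position 2 is the right one or what happens when the reply stream is shorter; the method containing this `case` starts and ends outside the hunk. A comment on the assignment such as `# contents[2]: the block data that follows the RMIConnectionImpl_Stub object in the handshake reply; layout assumed, parsed by extract_rmi_connection_stub in lib/msf/jmx/handshake.rb` would make the assumption visible to the next maintainer. Since extract_rmi_connection_stub returns nil when the UnicastRef parse fails, and an absent contents[2] would raise inside it, conn_stub presumably needs a nil check before use in the lines that follow, which I cannot see here.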