Refactor extract_rmi_connection_stub
parent
2d2f26a0e3
commit
d9c6c56779
|
@ -44,5 +44,31 @@ module Msf
|
||||||
end
|
end
|
||||||
|
|
||||||
new_object.class_desc.description.class_name.contents
|
new_object.class_desc.description.class_name.contents
|
||||||
end end
|
end
|
||||||
|
|
||||||
|
def extract_string(io)
|
||||||
|
raw_length = io.read(2)
|
||||||
|
unless raw_length && raw_length.length == 2
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
length = raw_length.unpack('n')[0]
|
||||||
|
|
||||||
|
string = io.read(length)
|
||||||
|
unless string && string.length == length
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
string
|
||||||
|
end
|
||||||
|
|
||||||
|
def extract_int(io)
|
||||||
|
int_raw = io.read(4)
|
||||||
|
unless int_raw && int_raw.length == 4
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
int = int_raw.unpack('N')[0]
|
||||||
|
|
||||||
|
int
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
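Review bot: `extract_string` and `extract_int` are added without any comment on the wire format they parse or on the nil-on-short-read contract their callers depend on. A header such as `# Reads a 2-byte big-endian length, then that many bytes, from io; returns nil if the data is truncated.` on `extract_string`, and the 4-byte equivalent on `extract_int`, would make that explicit. In `extract_int` the local `int` is redundant; the method can simply end with `int_raw.unpack('N')[0]`. Note also that `'N'` decodes an unsigned value, so a negative Java int would come back as a large positive number. That is harmless for a port but worth stating if the helper is reused for other fields.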
@ -50,51 +50,17 @@ module Msf
|
||||||
auth_array
|
auth_array
|
||||||
end
|
end
|
||||||
|
|
||||||
def extract_rmi_connection_stub(stream)
|
def extract_rmi_connection_stub(block_data)
|
||||||
stub = false
|
|
||||||
stub_index = 0
|
|
||||||
stream.contents.each do |content|
|
|
||||||
if content.class == Rex::Java::Serialization::Model::NewObject && content.class_desc.description.class_name.contents == 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
|
|
||||||
stub = true
|
|
||||||
break
|
|
||||||
end
|
|
||||||
stub_index = stub_index + 1
|
|
||||||
end
|
|
||||||
|
|
||||||
unless stub
|
|
||||||
return nil
|
|
||||||
end
|
|
||||||
|
|
||||||
block_data = stream.contents[stub_index + 1]
|
|
||||||
data_io = StringIO.new(block_data.contents)
|
data_io = StringIO.new(block_data.contents)
|
||||||
|
|
||||||
ref_length = data_io.read(2)
|
ref = extract_string(data_io)
|
||||||
unless ref_length && ref_length.length == 2
|
return nil unless ref && ref == 'UnicastRef'
|
||||||
return nil
|
|
||||||
end
|
|
||||||
ref_length = ref_length.unpack('n')[0]
|
|
||||||
|
|
||||||
ref = data_io.read(ref_length)
|
address = extract_string(data_io)
|
||||||
unless ref && ref.length == ref_length && ref == 'UnicastRef'
|
return nil unless address
|
||||||
return nil
|
|
||||||
end
|
|
||||||
|
|
||||||
address_length = data_io.read(2)
|
port = extract_int(data_io)
|
||||||
unless address_length && address_length.length == 2
|
return nil unless port
|
||||||
return nil
|
|
||||||
end
|
|
||||||
address_length = address_length.unpack('n')[0]
|
|
||||||
|
|
||||||
address = data_io.read(address_length)
|
|
||||||
unless address && address.length == address_length
|
|
||||||
return nil
|
|
||||||
end
|
|
||||||
|
|
||||||
port = data_io.read(4)
|
|
||||||
unless port && port.length == 4
|
|
||||||
return nil
|
|
||||||
end
|
|
||||||
port = port.unpack('N')[0]
|
|
||||||
|
|
||||||
id = data_io.read
|
id = data_io.read
|
||||||
|
|
||||||
|
|
|
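Review bot: `extract_rmi_connection_stub` now calls `block_data.contents` on its argument unchecked, so a reply from the remote endpoint with fewer elements than expected would raise NoMethodError instead of returning nil like every other failure path here. The removed code located the stub by class name before taking the following element, whereas the new caller (third hunk) passes `return_data.contents[2]` directly, which is nil for a short stream. A guard at the top, `return nil unless block_data.respond_to?(:contents)`, would keep the nil contract. Separately, `return nil unless ref && ref == 'UnicastRef'` can be shortened to `return nil unless ref == 'UnicastRef'`, since a nil `ref` already fails the comparison. The method body continues past the end of this hunk.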
@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
fail_with(Failure::NoAccess, "#{peer} - JMX end point requires authentication, but it failed")
|
fail_with(Failure::NoAccess, "#{peer} - JMX end point requires authentication, but it failed")
|
||||||
when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
|
when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
|
||||||
print_good("#{peer} - Handshake completed, proceeding...")
|
print_good("#{peer} - Handshake completed, proceeding...")
|
||||||
conn_stub = extract_rmi_connection_stub(return_data)
|
conn_stub = extract_rmi_connection_stub(return_data.contents[2])
|
||||||
else
|
else
|
||||||
fail_with(Failure::Unknown, "#{peer} - Handshake returned unexpected object #{answer}")
|
fail_with(Failure::Unknown, "#{peer} - Handshake returned unexpected object #{answer}")
|
||||||
end
|
end
|
||||||
|
|
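Review bot: The index in `return_data.contents[2]` is a bare magic number that replaces the removed by-class-name search, and nothing on this line says why element 2 is the right one. Judging from the removed `stream.contents[stub_index + 1]`, it assumes the stub object always sits at index 1 of the reply; a comment such as `# block data immediately follows the RMIConnectionImpl_Stub object at contents[1]` would record that assumption (confirm the layout first). Because the stream comes from the remote peer, the call site should also tolerate a nil result. Whether `conn_stub` is checked afterwards is not visible here, as the enclosing method starts and ends outside the hunk.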