Fix up the check so it doesn't throw a marshal exception

2012-04-29 18:40:01 -05:00 · 2012-04-29 18:40:01 -05:00 · e12c29a5dc
parent ffd91793b9
commit e12c29a5dc
1 changed files with 41 additions and 12 deletions
--- a/modules/auxiliary/scanner/misc/java_rmi_server.rb
+++ b/modules/auxiliary/scanner/misc/java_rmi_server.rb
@ -41,7 +41,23 @@ class Metasploit3 < Msf::Auxiliary
 	end
 	
 	def setup
-		@pkt = "JRMI" + [2,0x4b,0,0].pack("nCnN") + gen_rmi_loader_packet
+		buf = gen_rmi_loader_packet
+		
+		jar = Rex::Text.rand_text_alpha(rand(8)+1) + '.jar'
+		old_url = "file:./rmidummy.jar"
+		new_url = "file:RMIClassLoaderSecurityTest/" + jar
+
+		# Java strings in serialized data are prefixed with a 2-byte, big endian length
+		# (at least, as long as they are shorter than 65536 bytes)
+		find_me = [old_url.length].pack("n") + old_url
+		
+		idx = buf.index(find_me)
+		len = [new_url.length].pack("n")
+		
+		# Now replace it with the new url
+		buf[idx, find_me.length] = len + new_url
+		
+		@pkt = "JRMI" + [2,0x4b,0,0].pack("nCnN") + buf
 	end

 	def run_host(target_host)
@ -50,24 +66,34 @@ class Metasploit3 < Msf::Auxiliary
 			connect
 			sock.put("\x4a\x52\x4d\x49\0\x02\x4b")
 			res = sock.get_once
+			disconnect

 			if res and res =~ /^\x4e..([^\x00]+)\x00\x00/
 				info = $1
-
-				# Determine if the instance allows remote class loading
-				sock.put(@pkt)
+				
+				begin
+					# Determine if the instance allows remote class loading
+					connect
+					sock.put(@pkt) rescue nil
 	
-				buf = ""
-				1.upto(6) do
-					res = sock.get_once(-1, 5) rescue nil
-					break if not res
-					buf << res
+					buf = ""
+					1.upto(6) do
+						res = sock.get_once(-1, 5) rescue nil
+						break if not res
+						buf << res
+					end
+				
+				rescue ::Interrupt
+					raise $!
+				rescue ::Exception
+				ensure
+					disconnect
 				end
-
+	
 				if buf =~ /RMI class loader disabled/
-					print_status("#{rhost}:#{rport} Java RMI Endpoint Detected")
+					print_status("#{rhost}:#{rport} Java RMI Endpoint Detected: Class Loader Disabled")
 					report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "Class Loader: Disabled")
-				else
+				elsif buf.length > 0
 					print_good("#{rhost}:#{rport} Java RMI Endpoint Detected: Class Loader Enabled")
 					report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "Class Loader: Enabled")
 					report_vuln(
@ -79,6 +105,9 @@ class Metasploit3 < Msf::Auxiliary
 						:info         => "Class Loader: Enabled",
 						:refs         => self.references
 					)
+				else
+					print_status("#{rhost}:#{rport} Java RMI Endpoint Detected")
+					report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "")
 				end

 			end