Module: Msf::Exploit::Remote::Java::Rmi::Client

Includes:
Builder, Jmx, Registry, Util, Tcp
Defined in:
lib/msf/core/exploit/remote/java/rmi/client.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry/parser.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry/builder.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server/parser.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server/builder.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder.rb

Defined Under Namespace

Modules: Jmx, Registry

Constant Summary

Constants included from Jmx

Jmx::BYTE_ARRAY_UID, Jmx::MARSHALLED_OBJECT_UID, Jmx::OBJECT_ARRAY_UID, Jmx::OBJECT_NAME_UID, Jmx::STRING_ARRAY_UID

Instance Attribute Summary

Attributes included from Tcp

#sock

Instance Method Summary collapse

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #deregister_tcp_options, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Methods included from Jmx::Connection

#build_invoke_arguments_obj_bytes, #build_jmx_invoke, #build_jmx_invoke_args, #send_jmx_create_mbean, #send_jmx_get_object_instance, #send_jmx_invoke

Methods included from Jmx::Connection::Builder

#build_jmx_create_mbean, #build_jmx_create_mbean_args, #build_jmx_get_object_instance, #build_jmx_get_object_instance_args

Methods included from Jmx::Server

#send_new_client

Methods included from Jmx::Server::Parser

#parse_jmx_new_client_endpoint

Methods included from Jmx::Server::Builder

#build_jmx_new_client, #build_jmx_new_client_args

Methods included from Registry

#registry_interface_hash, #send_registry_list, #send_registry_lookup

Methods included from Registry::Parser

#parse_registry_list, #parse_registry_lookup_endpoint

Methods included from Registry::Builder

#build_registry_list, #build_registry_lookup

Methods included from Builder

#build_call, #build_dgc_ack, #build_header

Methods included from Util

#calculate_interface_hash, #calculate_method_hash, #extract_byte, #extract_int, #extract_long, #extract_reference, #extract_string, #register_common_rmi_ports_and_services

Instance Method Details

#initialize(info = {}) ⇒ Object


17
18
19
20
21
22
23
24
25
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 17

def initialize(info = {})
  super

  register_advanced_options(
    [
      OptInt.new('RmiReadLoopTimeout', [ true, 'Maximum number of seconds to wait for data between read iterations', 1])
    ], Msf::Exploit::Remote::Java::Rmi::Client
  )
end

#read_loop_timeoutInteger

Returns the timeout to wait for data between read iterations

Returns:

  • (Integer)

30
31
32
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 30

def read_loop_timeout
  datastore['RmiReadLoopTimeout'] || 1
end

#recv_protocol_ack(opts = {}) ⇒ Rex::Proto::Rmi::Model::ProtocolAck, NilClass

Reads the Protocol Ack

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

See Also:

  • Rex::Proto::Rmi::Model::ProtocolAck.decode

93
94
95
96
97
98
99
100
101
102
103
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 93

def recv_protocol_ack(opts = {})
  nsock = opts[:sock] || sock
  data = safe_get_once(nsock)
  begin
    ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(data))
  rescue Rex::Proto::Rmi::DecodeError
    return nil
  end

  ack
end

#recv_return(opts = {}) ⇒ Rex::Proto::Rmi::Model::ReturnValue, NilClass

Reads a ReturnData message and returns the java serialized stream with the return data value.

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

See Also:

  • Rex::Proto::Rmi::Model::ReturnData.decode

113
114
115
116
117
118
119
120
121
122
123
124
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 113

def recv_return(opts = {})
  nsock = opts[:sock] || sock
  data = safe_get_once(nsock)

  begin
    return_data = Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(data))
  rescue Rex::Proto::Rmi::DecodeError
    return nil
  end

  return_data.return_value
end

#rhostString

Returns the target host

Returns:

  • (String)

37
38
39
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 37

def rhost
  datastore['RHOST']
end

#rportInteger

Returns the target port

Returns:

  • (Integer)

44
45
46
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 44

def rport
  datastore['RPORT']
end

#safe_get_once(nsock = sock, loop_timeout = read_loop_timeout) ⇒ String

Helper method to read fragmented data from a “`Rex::Socket::Tcp“`

Parameters:

  • nsock (Rex::Socket::Tcp) (defaults to: sock)

Returns:

  • (String)

130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 130

def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
  data = ''
  begin
    res = nsock.get_once
  rescue ::EOFError
    res = nil
  end

  while res && nsock.has_read_data?(loop_timeout)
    data << res
    begin
      res = nsock.get_once
    rescue ::EOFError
      res = nil
    end
  end

  data << res if res
  data
end

#send_call(opts = {}) ⇒ Integer

Sends a RMI CALL stream

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

Returns:

  • (Integer)

    the number of bytes sent

See Also:

  • Rmi::Client::Streams#build_call

68
69
70
71
72
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 68

def send_call(opts = {})
  nsock = opts[:sock] || sock
  call = opts[:call] || build_call(opts)
  nsock.put(call.encode)
end

#send_dgc_ack(opts = {}) ⇒ Integer

Sends a RMI DGCACK stream

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (Integer)

    the number of bytes sent

See Also:

  • Rmi::Client::Streams#build_dgc_ack

80
81
82
83
84
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 80

def send_dgc_ack(opts = {})
  nsock = opts[:sock] || sock
  stream = build_dgc_ack(opts)
  nsock.put(stream.encode)
end

#send_header(opts = {}) ⇒ Integer

Sends a RMI header stream

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (Integer)

    the number of bytes sent

See Also:

  • Rmi::Client::Streams#build_header

55
56
57
58
59
# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 55

def send_header(opts = {})
  nsock = opts[:sock] || sock
  stream = build_header(opts)
  nsock.put(stream.encode + "\x00\x00\x00\x00\x00\x00")
end