Module: Msf::Exploit::Remote::Java::Rmi::Client

Includes:
Builder, Jmx, Registry, Util, Tcp
Defined in:
lib/msf/core/exploit/java/rmi/client.rb,
lib/msf/core/exploit/java/rmi/client/jmx.rb,
lib/msf/core/exploit/java/rmi/client/registry.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server.rb,
lib/msf/core/exploit/java/rmi/client/jmx/connection.rb,
lib/msf/core/exploit/java/rmi/client/registry/parser.rb,
lib/msf/core/exploit/java/rmi/client/registry/builder.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server/parser.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server/builder.rb,
lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb

Defined Under Namespace

Modules: Jmx, Registry

Constant Summary

Constants included from Jmx

Jmx::BYTE_ARRAY_UID, Jmx::MARSHALLED_OBJECT_UID, Jmx::OBJECT_ARRAY_UID, Jmx::OBJECT_NAME_UID, Jmx::STRING_ARRAY_UID

Instance Attribute Summary

Attributes included from Tcp

#sock

Instance Method Summary

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #deregister_tcp_options, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Methods included from Jmx::Connection

#build_invoke_arguments_obj_bytes, #build_jmx_invoke, #build_jmx_invoke_args, #send_jmx_create_mbean, #send_jmx_get_object_instance, #send_jmx_invoke

Methods included from Jmx::Connection::Builder

#build_jmx_create_mbean, #build_jmx_create_mbean_args, #build_jmx_get_object_instance, #build_jmx_get_object_instance_args

Methods included from Jmx::Server

#send_new_client

Methods included from Jmx::Server::Parser

#parse_jmx_new_client_endpoint

Methods included from Jmx::Server::Builder

#build_jmx_new_client, #build_jmx_new_client_args

Methods included from Registry

#registry_interface_hash, #send_registry_list, #send_registry_lookup

Methods included from Registry::Parser

#parse_registry_list, #parse_registry_lookup_endpoint

Methods included from Registry::Builder

#build_registry_list, #build_registry_lookup

Methods included from Builder

#build_call, #build_dgc_ack, #build_header

Methods included from Util

#calculate_interface_hash, #calculate_method_hash, #extract_byte, #extract_int, #extract_long, #extract_reference, #extract_string, #register_common_rmi_ports_and_services

Instance Method Details

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/java/rmi/client.rb', line 23

# Sets up the mixin and registers its advanced datastore option.
#
# Registers 'RmiReadLoopTimeout' (required, default 1) as an advanced option
# owned by this mixin. #read_loop_timeout reads the same key back.
#
# @param info [Hash] module information, forwarded unchanged to +super+
def initialize(info = {})
  # Bare +super+ forwards +info+ as received, so it must not be reassigned here.
  super

  read_loop_option = OptInt.new(
    'RmiReadLoopTimeout',
    [true, 'Maximum number of seconds to wait for data between read iterations', 1]
  )

  register_advanced_options([read_loop_option], Msf::Exploit::Remote::Java::Rmi::Client)
end

#read_loop_timeout ⇒ Integer

Returns the timeout to wait for data between read iterations

Returns:

  • (Integer)

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 36

# Returns the timeout to wait for data between read iterations.
#
# Reads the 'RmiReadLoopTimeout' datastore entry and falls back to 1 when the
# entry is nil or false.
#
# @return [Integer] seconds to wait between read iterations
def read_loop_timeout
  configured = datastore['RmiReadLoopTimeout']
  configured || 1
end

#recv_protocol_ack(opts = {}) ⇒ Rex::Proto::Rmi::Model::ProtocolAck, NilClass

Reads the Protocol Ack

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (Rex::Proto::Rmi::Model::ProtocolAck, NilClass) — nil when the reply cannot be decoded

See Also:

  • Rex::Proto::Rmi::Model::ProtocolAck.decode

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 99

# Reads the Protocol Ack sent by the remote endpoint.
#
# The bytes are whatever the peer sent and are handed straight to the decoder.
# Only Rex::Proto::Rmi::DecodeError is turned into +nil+; any other exception
# propagates, so callers must check for +nil+ before using the result.
#
# @param opts [Hash]
# @option opts [Rex::Socket::Tcp] :sock socket to read from (defaults to #sock)
# @return [Rex::Proto::Rmi::Model::ProtocolAck, NilClass] the decoded ack, or
#   nil when decoding fails
# @see Rex::Proto::Rmi::Model::ProtocolAck.decode
def recv_protocol_ack(opts = {})
  raw = safe_get_once(opts[:sock] || sock)

  # The rescue is scoped to the decode call only, not to the socket read above.
  begin
    Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(raw))
  rescue Rex::Proto::Rmi::DecodeError
    nil
  end
end

#recv_return(opts = {}) ⇒ Rex::Proto::Rmi::Model::ReturnValue, NilClass

Reads a ReturnData message and returns the java serialized stream with the return data value.

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (Rex::Proto::Rmi::Model::ReturnValue, NilClass) — nil when the reply cannot be decoded

See Also:

  • Rex::Proto::Rmi::Model::ReturnData.decode

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 119

# Reads a ReturnData message and returns its return value.
#
# The reply is peer-controlled input. Only Rex::Proto::Rmi::DecodeError is
# mapped to +nil+; callers must check for +nil+ before using the result.
#
# @param opts [Hash]
# @option opts [Rex::Socket::Tcp] :sock socket to read from (defaults to #sock)
# @return [Rex::Proto::Rmi::Model::ReturnValue, NilClass] the +return_value+ of
#   the decoded ReturnData, or nil when decoding fails
# @see Rex::Proto::Rmi::Model::ReturnData.decode
def recv_return(opts = {})
  raw = safe_get_once(opts[:sock] || sock)

  # Only the decode call is guarded; return_value is read outside the rescue.
  decoded =
    begin
      Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(raw))
    rescue Rex::Proto::Rmi::DecodeError
      return nil
    end

  decoded.return_value
end

#rhost ⇒ String

Returns the target host

Returns:

  • (String)

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 43

# Returns the target host.
#
# @return [String] the value stored under the 'RHOST' datastore key
def rhost
  datastore['RHOST']
end

#rport ⇒ Integer

Returns the target port

Returns:

  • (Integer)

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 50

# Returns the target port.
#
# @return [Integer] the value stored under the 'RPORT' datastore key
def rport
  datastore['RPORT']
end

#safe_get_once(nsock = sock, loop_timeout = read_loop_timeout) ⇒ String

Helper method to read fragmented data from a `Rex::Socket::Tcp`

Parameters:

  • nsock (Rex::Socket::Tcp) (defaults to: sock)

Returns:

  • (String)

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 136

# Helper method to read fragmented data from a Rex::Socket::Tcp.
#
# Calls +get_once+ repeatedly and concatenates the fragments while the socket
# reports more readable data within +loop_timeout+. An EOFError from the socket
# is treated as "no more data" rather than an error.
#
# NOTE(review): nothing here bounds the total size of the returned buffer; the
# loop runs for as long as the peer keeps data available within +loop_timeout+.
# Consider a cap if callers cannot tolerate an unbounded read.
#
# @param nsock [Rex::Socket::Tcp] socket to read from (defaults to #sock)
# @param loop_timeout [Integer] value passed to +has_read_data?+ between reads
#   (defaults to #read_loop_timeout)
# @return [String] everything read; empty when the first read yields nothing
def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
  # One read attempt; EOF is reported as nil so the caller's loop just stops.
  read_fragment = lambda do
    begin
      nsock.get_once
    rescue ::EOFError
      nil
    end
  end

  buffer = ''
  fragment = read_fragment.call

  # has_read_data? is only consulted while the previous read returned something.
  while fragment && nsock.has_read_data?(loop_timeout)
    buffer << fragment
    fragment = read_fragment.call
  end

  # Keep the last fragment when the loop ended because no further data was pending.
  buffer << fragment if fragment
  buffer
end

#send_call(opts = {}) ⇒ Integer

Sends a RMI CALL stream

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

Returns:

  • (Integer)

    the number of bytes sent

See Also:

  • Rmi::Client::Streams#build_call

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 74

# Sends a RMI CALL stream.
#
# @param opts [Hash] also forwarded to #build_call when no :call is supplied
# @option opts [Rex::Socket::Tcp] :sock socket to write to (defaults to #sock)
# @option opts [Object] :call pre-built call responding to +encode+; when
#   absent the call is built with build_call(opts)
# @return [Integer] the number of bytes sent
def send_call(opts = {})
  target = opts[:sock] || sock
  message = opts[:call] || build_call(opts)
  target.put(message.encode)
end

#send_dgc_ack(opts = {}) ⇒ Integer

Sends a RMI DGCACK stream

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (Integer)

    the number of bytes sent

See Also:

  • Rmi::Client::Streams#build_dgc_ack

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 86

# Sends a RMI DGCACK stream.
#
# @param opts [Hash] forwarded to #build_dgc_ack
# @option opts [Rex::Socket::Tcp] :sock socket to write to (defaults to #sock)
# @return [Integer] the number of bytes sent
def send_dgc_ack(opts = {})
  target = opts[:sock] || sock
  dgc_ack = build_dgc_ack(opts)
  target.put(dgc_ack.encode)
end

#send_header(opts = {}) ⇒ Integer

Sends a RMI header stream

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (Integer)

    the number of bytes sent

See Also:

  • Rmi::Client::Streams#build_header

# File 'lib/msf/core/exploit/java/rmi/client.rb', line 61

# Sends a RMI header stream.
#
# @param opts [Hash] forwarded to #build_header
# @option opts [Rex::Socket::Tcp] :sock socket to write to (defaults to #sock)
# @return [Integer] the number of bytes sent
def send_header(opts = {})
  target = opts[:sock] || sock
  header = build_header(opts)

  # Six zero bytes follow the encoded header in the same write.
  # NOTE(review): presumably an empty client endpoint record (zero-length host
  # plus zero port) - confirm against the protocol model.
  payload = header.encode + "\x00\x00\x00\x00\x00\x00"
  target.put(payload)
end