Module: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Connection::Builder

Included in:
Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Connection
Defined in:
lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb


Instance Method Details

#build_jmx_create_mbean(opts = {}) ⇒ Rex::Proto::Rmi::Model::Call

Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean(), used to create an MBean on the remote MBean server; the remote method returns the new MBean's ObjectInstance

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :name (String)

    the MBean name

Returns:

See Also:

  • Builder.build_call

# File 'lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb', line 74

# Builds the RMI call that invokes
# javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean().
#
# @param opts [Hash]
# @option opts [String] :name handed to build_jmx_create_mbean_args
#   (defaults to ''). NOTE(review): that helper emits it in the position of
#   the java.lang.String parameter of the hashed signature — confirm whether
#   callers pass a class name or an MBean name here.
# @option opts [Integer] :object_number forwarded to build_call (defaults to 0)
# @option opts [Integer] :uid_number forwarded to build_call (defaults to 0)
# @option opts [Integer] :uid_time forwarded to build_call (defaults to 0)
# @option opts [Integer] :uid_count forwarded to build_call (defaults to 0)
# @return [Rex::Proto::Rmi::Model::Call]
# @see Builder.build_call
def build_jmx_create_mbean(opts = {})
  # JVM-style descriptor of the remote method; only its hash goes into the call.
  signature = 'createMBean(Ljava/lang/String;Ljavax/management/ObjectName;Ljavax/security/auth/Subject;)Ljavax/management/ObjectInstance;'
  method_hash = calculate_method_hash(signature)
  call_args = build_jmx_create_mbean_args(opts[:name] || '')

  # `|| 0` also replaces an explicit nil/false option with the default.
  build_call(
    object_number: opts[:object_number] || 0,
    uid_number: opts[:uid_number] || 0,
    uid_time: opts[:uid_time] || 0,
    uid_count: opts[:uid_count] || 0,
    operation: -1, # presumably selects hash-based dispatch; confirm against build_call
    hash: method_hash,
    arguments: call_args
  )
end

#build_jmx_create_mbean_args(name = '') ⇒ Array

Builds an array of arguments used to build a call to javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean()

Parameters:

  • name (String) (defaults to: '')

    the MBean name

Returns:

  • (Array)

# File 'lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb', line 103

# Assembles the serialized argument list for a call to
# javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean().
#
# @param name [String] wrapped in a Utf element as the first argument
# @return [Array] three elements: the Utf-wrapped name followed by two
#   NullReference placeholders
def build_jmx_create_mbean_args(name = '')
  model = Rex::Java::Serialization::Model

  # NOTE(review): the three slots appear to line up with the String,
  # ObjectName and Subject parameters of the createMBean signature hashed by
  # build_jmx_create_mbean, so ObjectName and Subject go out as null — confirm.
  [
    model::Utf.new(nil, name),
    model::NullReference.new,
    model::NullReference.new
  ]
end

#build_jmx_get_object_instance(opts = {}) ⇒ Rex::Proto::Rmi::Model::Call

Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance() used to retrieve an MBean instance

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :name (String)

    the MBean name

Returns:

See Also:

  • Builder.build_call

# File 'lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb', line 19

# Builds the RMI call that invokes
# javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance().
#
# @param opts [Hash]
# @option opts [String] :name the MBean name, handed to
#   build_jmx_get_object_instance_args (defaults to '')
# @option opts [Integer] :object_number forwarded to build_call (defaults to 0)
# @option opts [Integer] :uid_number forwarded to build_call (defaults to 0)
# @option opts [Integer] :uid_time forwarded to build_call (defaults to 0)
# @option opts [Integer] :uid_count forwarded to build_call (defaults to 0)
# @return [Rex::Proto::Rmi::Model::Call]
# @see Builder.build_call
def build_jmx_get_object_instance(opts = {})
  call_args = build_jmx_get_object_instance_args(opts[:name] || '')

  # JVM-style descriptor of the remote method; only its hash goes into the call.
  signature = 'getObjectInstance(Ljavax/management/ObjectName;Ljavax/security/auth/Subject;)Ljavax/management/ObjectInstance;'

  # `|| 0` also replaces an explicit nil/false option with the default.
  build_call(
    object_number: opts[:object_number] || 0,
    uid_number: opts[:uid_number] || 0,
    uid_time: opts[:uid_time] || 0,
    uid_count: opts[:uid_count] || 0,
    operation: -1, # presumably selects hash-based dispatch; confirm against build_call
    hash: calculate_method_hash(signature),
    arguments: call_args
  )
end

#build_jmx_get_object_instance_args(name = '') ⇒ Array

Builds an array of arguments used to build a call to javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance()

Parameters:

  • name (String) (defaults to: '')

    the MBean name

Returns:

  • (Array)

# File 'lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb', line 48

# Assembles the serialized argument list for a call to
# javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance().
#
# @param name [String] the MBean name, wrapped in a Utf element
# @return [Array] four elements: the javax.management.ObjectName object
#   header, the Utf-wrapped name, an EndBlockData marker and a NullReference
def build_jmx_get_object_instance_args(name = '')
  # NOTE(review): flags 3 presumably means SC_WRITE_METHOD | SC_SERIALIZABLE
  # (0x01 | 0x02), which would explain the EndBlockData marker after the name
  # — confirm against the Rex serialization builder.
  object_name = Rex::Java::Serialization::Builder.new.new_object(
    name: 'javax.management.ObjectName',
    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::OBJECT_NAME_UID, # serialVersionUID
    flags: 3
  )

  # NOTE(review): the first three elements appear to form the ObjectName
  # parameter and the trailing null the Subject parameter of the
  # getObjectInstance signature hashed by build_jmx_get_object_instance — confirm.
  [
    object_name,
    Rex::Java::Serialization::Model::Utf.new(nil, name),
    Rex::Java::Serialization::Model::EndBlockData.new,
    Rex::Java::Serialization::Model::NullReference.new
  ]
end