Module: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server::Builder

Included in:
Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server
Defined in:
lib/msf/core/exploit/java/rmi/client/jmx/server/builder.rb

Instance Method Summary collapse

Instance Method Details

#build_jmx_new_client(opts = {}) ⇒ Rex::Proto::Rmi::Model::Call

Builds an RMI call to javax/management/remote/rmi/RMIServer_Stub#newClient() used to enumerate the names bound in a registry

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :username (String)

    the JMX role to establish the connection if needed

  • :password (String)

    the JMX password to establish the connection if needed

Returns:

See Also:

  • Builder.build_call

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# File 'lib/msf/core/exploit/java/rmi/client/jmx/server/builder.rb', line 21

def build_jmx_new_client(opts = {})
  object_number = opts[:object_number] || 0
  uid_number = opts[:uid_number] || 0
  uid_time = opts[:uid_time] || 0
  uid_count = opts[:uid_count] || 0
  username = opts[:username]
  password = opts[:password] || ''

  if username
    arguments = build_jmx_new_client_args(username, password)
  else
    arguments = [Rex::Java::Serialization::Model::NullReference.new]
  end

  call = build_call(
    object_number: object_number,
    uid_number: uid_number,
    uid_time: uid_time,
    uid_count: uid_count,
    operation: -1,
    hash: -1089742558549201240, # javax.management.remote.rmi.RMIServer.newClient
    arguments: arguments
  )

  call
end

#build_jmx_new_client_args(username = '', password = '') ⇒ Array<Rex::Java::Serialization::Model::NewArray>

Builds a Rex::Java::Serialization::Model::NewArray with credentials to make an javax/management/remote/rmi/RMIServer_Stub#newClient call

Parameters:

  • username (String) (defaults to: '')

    The username (role) to authenticate with

  • password (String) (defaults to: '')

    The password to authenticate with

Returns:

  • (Array<Rex::Java::Serialization::Model::NewArray>)

54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# File 'lib/msf/core/exploit/java/rmi/client/jmx/server/builder.rb', line 54

def build_jmx_new_client_args(username = '', password = '')
  builder = Rex::Java::Serialization::Builder.new

  auth_array = builder.new_array(
    name: '[Ljava.lang.String;',
    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::STRING_ARRAY_UID, # serialVersionUID
    values_type: 'java.lang.String;',
    values: [
      Rex::Java::Serialization::Model::Utf.new(nil, username),
      Rex::Java::Serialization::Model::Utf.new(nil, password)
    ]
  )

  [auth_array]
end