Module: Msf::Exploit::Remote::Java::Rmi::Client::Registry

Includes:
Builder, Parser
Included in:
Msf::Exploit::Remote::Java::Rmi::Client
Defined in:
lib/msf/core/exploit/java/rmi/client/registry.rb,
lib/msf/core/exploit/java/rmi/client/registry/parser.rb,
lib/msf/core/exploit/java/rmi/client/registry/builder.rb

Overview

This mixin provides methods to simulate calls to the Java java/rmi/registry/RegistryImpl_Stub interface.

Defined Under Namespace

Modules: Builder, Parser

Instance Method Summary

Methods included from Parser

#parse_registry_list, #parse_registry_lookup_endpoint

Methods included from Builder

#build_registry_list, #build_registry_lookup

Instance Method Details

#registry_interface_hash ⇒ Integer

Calculates the hash used to make RMI calls to the java/rmi/registry/RegistryImpl_Stub interface.

Returns:

  • (Integer)

    The interface's hash


# File 'lib/msf/core/exploit/java/rmi/client/registry.rb', line 95

def registry_interface_hash
  hash = calculate_interface_hash(
    [
      {
        name: 'bind',
        descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
        exceptions: ['java.rmi.AccessException', 'java.rmi.AlreadyBoundException', 'java.rmi.RemoteException']
      },
      {
        name: 'list',
        descriptor: '()[Ljava/lang/String;',
        exceptions: ['java.rmi.AccessException', 'java.rmi.RemoteException']
      },
      {
        name: 'lookup',
        descriptor: '(Ljava/lang/String;)Ljava/rmi/Remote;',
        exceptions: ['java.rmi.AccessException', 'java.rmi.NotBoundException', 'java.rmi.RemoteException']
      },
      {
        name: 'rebind',
        descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
        exceptions: ['java.rmi.AccessException', 'java.rmi.RemoteException']
      },
      {
        name: 'unbind',
        descriptor: '(Ljava/lang/String;)V',
        exceptions: ['java.rmi.AccessException', 'java.rmi.NotBoundException', 'java.rmi.RemoteException']
      }
    ]
  )

  hash
end
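
Added example, not Metasploit's code: calculate_interface_hash is defined outside this page, so this sketch assumes the JDK 1.1 stub-protocol definition of the interface hash (SHA-1 over the stub version followed by each method's name, descriptor and exceptions as writeUTF strings, with the first 64 bits read little-endian). The helper names are hypothetical and the method table is copied from the listing above; the last helper renders the hash as the 8 big-endian bytes a Registry call carries, which is the constant a capture filter or network signature would match.

```ruby
require 'digest/sha1'

# Method table copied from registry_interface_hash above.
REGISTRY_METHODS = [
  { name: 'bind', descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
    exceptions: %w[java.rmi.AccessException java.rmi.AlreadyBoundException java.rmi.RemoteException] },
  { name: 'list', descriptor: '()[Ljava/lang/String;',
    exceptions: %w[java.rmi.AccessException java.rmi.RemoteException] },
  { name: 'lookup', descriptor: '(Ljava/lang/String;)Ljava/rmi/Remote;',
    exceptions: %w[java.rmi.AccessException java.rmi.NotBoundException java.rmi.RemoteException] },
  { name: 'rebind', descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
    exceptions: %w[java.rmi.AccessException java.rmi.RemoteException] },
  { name: 'unbind', descriptor: '(Ljava/lang/String;)V',
    exceptions: %w[java.rmi.AccessException java.rmi.NotBoundException java.rmi.RemoteException] }
].freeze

# Java DataOutputStream#writeUTF framing: 2-byte big-endian length, then the
# bytes (modified UTF-8 equals plain ASCII for the names used here).
def java_utf(str)
  bytes = str.b
  raise ArgumentError, 'too long for writeUTF' if bytes.bytesize > 0xFFFF

  [bytes.bytesize].pack('n') + bytes
end

# Hypothetical helper: the byte stream that gets hashed. Methods must be in
# operation-number order and exceptions sorted by name, as in the table.
def interface_hash_preimage(methods)
  stream = [1].pack('N') # stub version number, always 1
  methods.each do |m|
    stream << java_utf(m[:name]) << java_utf(m[:descriptor])
    m[:exceptions].each { |e| stream << java_utf(e) }
  end
  stream
end

# Assumed algorithm: first 8 bytes of the SHA-1 digest as a little-endian long.
def interface_hash(methods)
  Digest::SHA1.digest(interface_hash_preimage(methods)).unpack1('Q<')
end

# The hash as it is serialized in a call (Java writeLong is big-endian), in hex.
def interface_hash_wire_hex(methods)
  [interface_hash(methods)].pack('Q>').unpack1('H*')
end

if __FILE__ == $PROGRAM_NAME
  # → 4905912898345647071 / 44154dc9d4e63bdf
  puts "#{interface_hash(REGISTRY_METHODS)} / #{interface_hash_wire_hex(REGISTRY_METHODS)}"
end
```

Reordering the methods or exceptions changes the digest, so a stub whose interface differs from the table above yields a different hash.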

#send_registry_list(opts = {}) ⇒ Array, NilClass

Sends a Registry list call to the RMI endpoint. Simulates a call to the Java java/rmi/registry/RegistryImpl_Stub#list() method.

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (Array, NilClass)

    The set of names if successful, nil otherwise

Raises:

  • (Rex::Proto::Rmi::Exception)

    If the call returns an exception

See Also:

  • Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder.build_registry_list

# File 'lib/msf/core/exploit/java/rmi/client/registry.rb', line 68

def send_registry_list(opts = {})
  send_call(
    sock: opts[:sock] || sock,
    call: build_registry_list(opts)
  )

  return_value = recv_return(
    sock: opts[:sock] || sock
  )

  if return_value.nil?
    return nil
  end

  if return_value.is_exception?
    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
  end

  names = parse_registry_list(return_value)

  names
end

#send_registry_lookup(opts = {}) ⇒ Hash, NilClass

Sends a Registry lookup call to the RMI endpoint. Simulates a call to the Java java/rmi/registry/RegistryImpl_Stub#lookup() method.

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (Hash, NilClass)

    The remote reference information if successful, nil otherwise

Raises:

  • (Rex::Proto::Rmi::Exception)

    If the call returns an exception

See Also:

  • Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder.build_registry_lookup

# File 'lib/msf/core/exploit/java/rmi/client/registry.rb', line 27

def send_registry_lookup(opts = {})
  send_call(
    sock: opts[:sock] || sock,
    call: build_registry_lookup(opts)
  )

  return_value = recv_return(
    sock: opts[:sock] || sock
  )

  if return_value.nil?
    return nil
  end

  if return_value.is_exception?
    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
  end

  remote_object = return_value.get_class_name

  if remote_object.nil?
    return nil
  end

  remote_location = parse_registry_lookup_endpoint(return_value)

  if remote_location.nil?
    return nil
  end

  remote_location.merge(object: remote_object)
end