Module: Msf::Exploit::Remote::Java::Rmi::Util

Included in:
Client
Defined in:
lib/msf/core/exploit/remote/java/rmi/util.rb


Instance Method Details

#calculate_interface_hash(methods) ⇒ Integer

Calculates an interface hash to make RMI calls as defined by the JDK 1.1

Parameters:

  • methods (Array)

    set of methods, each a Hash with :name, :descriptor and :exceptions (the exception names are hashed after the descriptor)

Returns:

  • (Integer)

    The interface hash

See Also:



# File 'lib/msf/core/exploit/remote/java/rmi/util.rb', line 29

# Calculates the interface hash used for RMI calls as defined by the JDK 1.1.
#
# The hashed stream is a 4-byte big-endian stub version (1) followed, for each
# method, by the encoded name, the encoded descriptor and every encoded
# exception name. Entries are hashed in the order they are supplied.
# SHA-1 is used here to derive a protocol identifier; nothing in this method
# uses the digest as an integrity or authentication check.
#
# @param methods [Array] entries responding to [] with :name, :descriptor
#   and :exceptions (an enumerable of exception names)
# @return [Integer] the first 8 bytes of the SHA-1 digest, read as an
#   unsigned little-endian 64-bit integer
def calculate_interface_hash(methods)
  utf_model = Rex::Java::Serialization::Model::Utf
  encode_utf = ->(text) { utf_model.new(nil, text).encode }

  buffer = ''
  buffer << [1].pack('N') # stub version number

  methods.each do |entry|
    buffer << encode_utf.call(entry[:name])
    buffer << encode_utf.call(entry[:descriptor])
    entry[:exceptions].each { |exception| buffer << encode_utf.call(exception) }
  end

  digest = Rex::Text.sha1_raw(buffer)

  # Only the leading 64 bits of the digest are kept.
  digest.unpack('Q<').first
end

#calculate_method_hash(signature) ⇒ Integer

Calculates a method hash to make RMI calls as defined by the JDK 1.2

Parameters:

  • signature (String)

    The remote method signature as specified by the JDK 1.2, method name + method descriptor (as explained in the Java Virtual Machine Specification)

Returns:

  • (Integer)

    The method hash

See Also:



# File 'lib/msf/core/exploit/remote/java/rmi/util.rb', line 17

# Calculates the method hash used for RMI calls as defined by the JDK 1.2.
#
# The signature is encoded through the Utf serialization model and hashed
# with SHA-1. The hash is a protocol identifier; nothing in this method uses
# it as an integrity or authentication check.
#
# @param signature [String] remote method signature (method name + method
#   descriptor)
# @return [Integer] the first 8 bytes of the SHA-1 digest, read as an
#   unsigned little-endian 64-bit integer
def calculate_method_hash(signature)
  encoded_signature = Rex::Java::Serialization::Model::Utf.new(nil, signature).encode
  digest = Rex::Text.sha1_raw(encoded_signature)

  digest.unpack('Q<').first
end

#extract_byte(io) ⇒ Byte?

Extracts a byte from an IO

Parameters:

  • io (IO)

    the io to extract the byte from

Returns:

  • (Byte, nil)

    the extracted byte if success, nil otherwise



# File 'lib/msf/core/exploit/remote/java/rmi/util.rb', line 86

# Extracts a single unsigned byte from an IO.
#
# A short read (nil or fewer than 1 byte) yields nil instead of raising, so
# callers must check the result before using it.
#
# @param io [IO] the io to extract the byte from
# @return [Integer, nil] the byte value (0..255) if success, nil otherwise
def extract_byte(io)
  raw = io.read(1)
  return nil if raw.nil? || raw.length != 1

  # 'C' = 8-bit unsigned.
  raw.unpack('C').first
end

#extract_int(io) ⇒ Integer?

Extracts an int from an IO

Parameters:

  • io (IO)

    the io to extract the int from

Returns:

  • (Integer, nil)

    the extracted int if success, nil otherwise



# File 'lib/msf/core/exploit/remote/java/rmi/util.rb', line 72

# Extracts a signed 32-bit big-endian integer from an IO.
#
# A short read (nil or fewer than 4 bytes) yields nil instead of raising.
# The value is returned as read, so it may be negative; no range check is
# applied here.
#
# @param io [IO] the io to extract the int from
# @return [Integer, nil] the extracted int if success, nil otherwise
def extract_int(io)
  raw = io.read(4)
  return nil if raw.nil? || raw.length != 4

  # 'l>' = 32-bit signed, big-endian.
  raw.unpack('l>').first
end

#extract_long(io) ⇒ Integer?

Extracts a long from an IO

Parameters:

  • io (IO)

    the io to extract the long from

Returns:

  • (Integer, nil)

    the extracted long if successful, nil otherwise



# File 'lib/msf/core/exploit/remote/java/rmi/util.rb', line 101

# Extracts a signed 64-bit big-endian integer from an IO.
#
# A short read (nil or fewer than 8 bytes) yields nil instead of raising.
#
# @param io [IO] the io to extract the long from
# @return [Integer, nil] the extracted long if success, nil otherwise
def extract_long(io)
  raw = io.read(8)
  return nil if raw.nil? || raw.length != 8

  # 'q>' = 64-bit signed, big-endian.
  raw.unpack('q>').first
end

#extract_reference(io) ⇒ Hash?

Extract an RMI interface reference from an IO

Parameters:

  • io (IO)

    the io to extract the reference from, should contain the data inside a BlockData with the reference information.

Returns:

  • (Hash, nil)

    the extracted reference if success, nil otherwise

See Also:



# File 'lib/msf/core/exploit/remote/java/rmi/util.rb', line 118

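# Extracts an RMI interface reference from an IO.
#
# Layout as parsed here: a reference type string ('UnicastRef' or
# 'UnicastRef2'), for 'UnicastRef2' a format byte (0 or 1), then an address
# string, an int port, a long object number and a UniqueIdentifier.
#
# Every field read through the extract_* helpers is checked, and nil is
# returned on the first missing or unexpected one. The address and port are
# returned exactly as read: the port is a signed 32-bit value with no range
# check and the address may be empty, so callers should validate both before
# acting on them.
#
# @param io [IO] the io to extract the reference from, should contain the
#   data inside a BlockData with the reference information
# @return [Hash, nil] a Hash with :address, :port, :object_number and :uid if
#   success, nil otherwise
def extract_reference(io)
  ref = extract_string(io)
  return nil unless %w[UnicastRef UnicastRef2].include?(ref)

  if ref == 'UnicastRef2'
    form = extract_byte(io)

    # 0 = FORMAT_HOST_PORT, 1 = FORMAT_HOST_PORT_FACTORY. A short read gives
    # nil, which is rejected here as well.
    # NOTE(review): both formats are parsed identically below; any data
    # specific to format 1 is not consumed here - confirm against callers.
    return nil unless [0, 1].include?(form)
  end

  address = extract_string(io)
  return nil unless address

  port = extract_int(io)
  return nil unless port

  # A truncated object number is treated like the other truncated fields
  # instead of being stored as nil in the result.
  object_number = extract_long(io)
  return nil unless object_number

  # NOTE(review): the failure mode of decode on truncated input is not
  # visible here - presumably it raises; confirm and handle at the call site.
  uid = Rex::Proto::Rmi::Model::UniqueIdentifier.decode(io)

  { address: address, port: port, object_number: object_number, uid: uid }
end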

#extract_string(io) ⇒ String?

Extracts a string from an IO

Parameters:

  • io (IO)

    the io to extract the string from

Returns:

  • (String, nil)

    the extracted string if success, nil otherwise



# File 'lib/msf/core/exploit/remote/java/rmi/util.rb', line 53

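# Extracts a length-prefixed string from an IO.
#
# The prefix is a 2-byte big-endian length, read as unsigned, followed by
# that many bytes. Both reads are checked for truncation and nil is returned
# on a short read, so a malformed or cut-off stream never raises here. The
# prefix bounds a single read to at most 65535 bytes.
#
# @param io [IO] the io to extract the string from
# @return [String, nil] the extracted string if success, nil otherwise
def extract_string(io)
  raw_length = io.read(2)
  return nil unless raw_length && raw_length.length == 2

  # 'n' = 16-bit unsigned, big-endian. Reading the prefix as signed ('s>')
  # turns values of 0x8000 and above into a negative length, which IO#read
  # rejects with ArgumentError instead of this method returning nil.
  length = raw_length.unpack('n')[0]

  string = io.read(length)
  return nil unless string && string.length == length

  string
end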

#register_common_rmi_ports_and_services ⇒ Object

Register ports and services for autofilter support



# File 'lib/msf/core/exploit/remote/java/rmi/util.rb', line 147

# Registers ports and services for autofilter support.
#
# Passes a fixed list of TCP ports to register_autofilter_ports and a fixed
# list of service names to register_autofilter_services; both methods are
# defined outside this listing. The port order is kept as originally written.
def register_common_rmi_ports_and_services
  rmi_ports = [
    999, 1090, 1098, 1099, 1100, 1101, 1102, 1103, 1129, 1030, 1035, 1199, 1234, 1440, 3273, 3333, 3900,
    2199, 2809, 5520, 5580, 5521, 5999, 6060, 6789, 6996, 7700, 7800, 7878, 7890, 7801, 8050, 8051, 8085,
    8091, 8205, 8303, 8642, 8701, 8686, 8888, 8889, 8890, 8901, 8902, 8903, 8999, 9001, 9003, 9004, 9005,
    9050, 9090, 9099, 9300, 9500, 9711, 9809, 9810, 9811, 9812, 9813, 9814, 9815, 9875, 9910, 9991, 9999,
    10001, 10162, 10098, 10099, 11001, 11099, 11333, 12000, 13013, 14000, 15000, 15001, 15200, 16000,
    17200, 18980, 20000, 23791, 26256, 31099, 33000, 32913, 37718, 45230, 47001, 47002, 50050, 50500,
    50501, 50502, 50503, 50504
  ]
  rmi_services = %w[rmi rmid java-rmi rmiregistry]

  register_autofilter_ports(rmi_ports)
  register_autofilter_services(rmi_services)
end