Module: Msf::Exploit::Remote::Java::Rmi::Client

Includes:

Builder, Jmx, Registry, Util, Tcp

Defined in:

lib/msf/core/exploit/remote/java/rmi/client.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry/parser.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry/builder.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server/parser.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server/builder.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder.rb

Defined Under Namespace

Modules: Jmx, Registry

Constant Summary

Constants included from Jmx

Jmx::BYTE_ARRAY_UID, Jmx::MARSHALLED_OBJECT_UID, Jmx::OBJECT_ARRAY_UID, Jmx::OBJECT_NAME_UID, Jmx::STRING_ARRAY_UID

Instance Attribute Summary

Attributes included from Tcp

#sock

Instance Method Summary

• #initialize(info = {}) ⇒ Object
• #read_loop_timeout ⇒ Integer

  Returns the timeout to wait for data between read iterations.

• #recv_protocol_ack(opts = {}) ⇒ Rex::Proto::Rmi::Model::ProtocolAck, NilClass

  Reads the Protocol Ack.

• #recv_return(opts = {}) ⇒ Rex::Proto::Rmi::Model::ReturnValue, NilClass

  Reads a ReturnData message and returns the java serialized stream with the return data value.

• #rhost ⇒ String

  Returns the target host.

• #rport ⇒ Integer

  Returns the target port.

• #safe_get_once(nsock = sock, loop_timeout = read_loop_timeout) ⇒ String

  Helper method to read fragmented data from a “‘Rex::Socket::Tcp“`.

• #send_call(opts = {}) ⇒ Integer

  Sends a RMI CALL stream.

• #send_dgc_ack(opts = {}) ⇒ Integer

  Sends a RMI DGCACK stream.

• #send_header(opts = {}) ⇒ Integer

  Sends a RMI header stream.

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Methods included from Jmx::Connection

#build_invoke_arguments_obj_bytes, #build_jmx_invoke, #build_jmx_invoke_args, #send_jmx_create_mbean, #send_jmx_get_object_instance, #send_jmx_invoke

Methods included from Jmx::Connection::Builder

#build_jmx_create_mbean, #build_jmx_create_mbean_args, #build_jmx_get_object_instance, #build_jmx_get_object_instance_args

Methods included from Jmx::Server

#send_new_client

Methods included from Jmx::Server::Parser

#parse_jmx_new_client_endpoint

Methods included from Jmx::Server::Builder

#build_jmx_new_client, #build_jmx_new_client_args

Methods included from Registry

#registry_interface_hash, #send_registry_list, #send_registry_lookup

Methods included from Registry::Parser

#parse_registry_list, #parse_registry_lookup_endpoint

Methods included from Registry::Builder

#build_registry_list, #build_registry_lookup

Methods included from Builder

#build_call, #build_dgc_ack, #build_header

Methods included from Util

#calculate_interface_hash, #calculate_method_hash, #extract_byte, #extract_int, #extract_long, #extract_reference, #extract_string, #register_common_rmi_ports_and_services

Instance Method Details

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 17

def initialize(info = {})
  super

  register_advanced_options(
    [
      OptInt.new('RmiReadLoopTimeout', [ true, 'Maximum number of seconds to wait for data between read iterations', 1])
    ], Msf::Exploit::Remote::Java::Rmi::Client
  )
end

#read_loop_timeout ⇒ Integer

Returns the timeout to wait for data between read iterations

Returns:

• (Integer)

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 30

def read_loop_timeout
  datastore['RmiReadLoopTimeout'] || 1
end

#recv_protocol_ack(opts = {}) ⇒ Rex::Proto::Rmi::Model::ProtocolAck, NilClass

Reads the Protocol Ack

Parameters:

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :sock (Rex::Socket::Tcp)

Returns:

• (Rex::Proto::Rmi::Model::ProtocolAck) —

  if success

• (NilClass) —

  otherwise

See Also:

• Rex::Proto::Rmi::Model::ProtocolAck.decode

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 93

def recv_protocol_ack(opts = {})
  nsock = opts[:sock] || sock
  data = safe_get_once(nsock)
  begin
    ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(data))
  rescue Rex::Proto::Rmi::DecodeError
    return nil
  end

  ack
end

#recv_return(opts = {}) ⇒ Rex::Proto::Rmi::Model::ReturnValue, NilClass

Reads a ReturnData message and returns the java serialized stream with the return data value.

Parameters:

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :sock (Rex::Socket::Tcp)

Returns:

• (Rex::Proto::Rmi::Model::ReturnValue) —

  if success

• (NilClass) —

  otherwise

See Also:

• Rex::Proto::Rmi::Model::ReturnData.decode

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 113

def recv_return(opts = {})
  nsock = opts[:sock] || sock
  data = safe_get_once(nsock)

  begin
    return_data = Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(data))
  rescue Rex::Proto::Rmi::DecodeError
    return nil
  end

  return_data.return_value
end

#rhost ⇒ String

Returns the target host

Returns:

• (String)

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 37

def rhost
  datastore['RHOST']
end

#rport ⇒ Integer

Returns the target port

Returns:

• (Integer)

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 44

def rport
  datastore['RPORT']
end

#safe_get_once(nsock = sock, loop_timeout = read_loop_timeout) ⇒ String

Helper method to read fragmented data from a “‘Rex::Socket::Tcp“`

Parameters:

• nsock (Rex::Socket::Tcp) (defaults to: sock)

Returns:

• (String)

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 130

def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
  data = ''
  begin
    res = nsock.get_once
  rescue ::EOFError
    res = nil
  end

  while res && nsock.has_read_data?(loop_timeout)
    data << res
    begin
      res = nsock.get_once
    rescue ::EOFError
      res = nil
    end
  end

  data << res if res
  data
end

#send_call(opts = {}) ⇒ Integer

Sends a RMI CALL stream

Parameters:

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :sock (Rex::Socket::Tcp)
• :call (Rex::Proto::Rmi::Model::Call)

Returns:

• (Integer) —

  the number of bytes sent

See Also:

• Rmi::Client::Streams#build_call

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 68

def send_call(opts = {})
  nsock = opts[:sock] || sock
  call = opts[:call] || build_call(opts)
  nsock.put(call.encode)
end

#send_dgc_ack(opts = {}) ⇒ Integer

Sends a RMI DGCACK stream

Parameters:

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :sock (Rex::Socket::Tcp)

Returns:

• (Integer) —

  the number of bytes sent

See Also:

• Rmi::Client::Streams#build_dgc_ack

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 80

def send_dgc_ack(opts = {})
  nsock = opts[:sock] || sock
  stream = build_dgc_ack(opts)
  nsock.put(stream.encode)
end

#send_header(opts = {}) ⇒ Integer

Sends a RMI header stream

Parameters:

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :sock (Rex::Socket::Tcp)

Returns:

• (Integer) —

  the number of bytes sent

See Also:

• Rmi::Client::Streams#build_header

# File 'lib/msf/core/exploit/remote/java/rmi/client.rb', line 55

def send_header(opts = {})
  nsock = opts[:sock] || sock
  stream = build_header(opts)
  nsock.put(stream.encode + "\x00\x00\x00\x00\x00\x00")
end