Module: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Connection

Includes:
Builder
Included in:
Msf::Exploit::Remote::Java::Rmi::Client::Jmx
Defined in:
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder.rb

Overview

This mixin provides methods to simulate calls to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub interface

Defined Under Namespace

Modules: Builder

Instance Method Summary collapse

Methods included from Builder

#build_jmx_create_mbean, #build_jmx_create_mbean_args, #build_jmx_get_object_instance, #build_jmx_get_object_instance_args

Instance Method Details

#build_invoke_arguments_obj_bytes(args = {}) ⇒ Rex::Java::Serialization::Model::Stream

Builds a Rex::Java::Serialization::Model::Stream with the arguments to simulate a call to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke() method.

Parameters:

  • args (Hash) (defaults to: {})

    the arguments of the method to invoke

Returns:

  • (Rex::Java::Serialization::Model::Stream)


215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
# File 'lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder.rb', line 215

def build_invoke_arguments_obj_bytes(args = {})
  builder = Rex::Java::Serialization::Builder.new

  new_array = builder.new_array(
    name: '[Ljava.lang.Object;',
    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::OBJECT_ARRAY_UID, # serialVersionUID
    annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
    values_type: 'java.lang.Object;',
    values: args.values.collect { |arg| Rex::Java::Serialization::Model::Utf.new(nil, arg) }
  )

  stream = Rex::Java::Serialization::Model::Stream.new
  stream.contents << new_array

  stream
end

#build_jmx_invoke(opts = {}) ⇒ Rex::Proto::Rmi::Model::Call

Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke() used to invoke an MBean method

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :name (String)

    the MBean name

Returns:

See Also:



123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# File 'lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder.rb', line 123

def build_jmx_invoke(opts = {})
  object_number = opts[:object_number] || 0
  uid_number = opts[:uid_number] || 0
  uid_time = opts[:uid_time] || 0
  uid_count = opts[:uid_count] || 0

  method_hash = calculate_method_hash('invoke(Ljavax/management/ObjectName;Ljava/lang/String;Ljava/rmi/MarshalledObject;[Ljava/lang/String;Ljavax/security/auth/Subject;)Ljava/lang/Object;')

  arguments = build_jmx_invoke_args(opts)

  call = build_call(
    object_number: object_number,
    uid_number: uid_number,
    uid_time: uid_time,
    uid_count: uid_count,
    operation: -1,
    hash: method_hash,
    arguments: arguments
  )

  call
end

#build_jmx_invoke_args(opts = {}) ⇒ Array

Builds an an array of arguments o build a call to javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :object (String)

    the MBean name

  • :method (String)

    the method name

  • :args (Hash)

    the method arguments

Returns:

  • (Array)


154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
# File 'lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder.rb', line 154

def build_jmx_invoke_args(opts = {})
  object_name = opts[:object] || ''
  method_name = opts[:method] || ''
  args = opts[:args] || {}

  builder = Rex::Java::Serialization::Builder.new

  new_object = builder.new_object(
    name: 'javax.management.ObjectName',
    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::OBJECT_NAME_UID, # serialVersionUID
    flags: 3
  )

  data_binary = builder.new_array(
    name: '[B',
    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::BYTE_ARRAY_UID, # serialVersionUID
    values_type: 'byte',
    values: build_invoke_arguments_obj_bytes(args).encode.unpack('C*')
  )

  marshall_object = builder.new_object(
    name: 'java.rmi.MarshalledObject',
    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::MARSHALLED_OBJECT_UID, # serialVersionUID
    fields: [
      ['int', 'hash'],
      ['array', 'locBytes', '[B'],
      ['array', 'objBytes', '[B']
    ],
    data: [
      ["int", 1919492550],
      Rex::Java::Serialization::Model::NullReference.new,
      data_binary
    ]
  )

  new_array = builder.new_array(
    name: '[Ljava.lang.String;',
    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::STRING_ARRAY_UID, # serialVersionUID
    values_type: 'java.lang.String;',
    values: args.keys.collect { |k| Rex::Java::Serialization::Model::Utf.new(nil, k) }
  )

  arguments = [
    new_object,
    Rex::Java::Serialization::Model::Utf.new(nil, object_name),
    Rex::Java::Serialization::Model::EndBlockData.new,
    Rex::Java::Serialization::Model::Utf.new(nil, method_name),
    marshall_object,
    new_array,
    Rex::Java::Serialization::Model::NullReference.new
  ]

  arguments
end

#send_jmx_create_mbean(opts = {}) ⇒ TrueClass, NilClass

Sends a call to the JMXRMI endpoint to create an MBean instance. Simulates a call to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean() method.

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (TrueClass, NilClass)

    true if success, nil otherwise

Raises:

See Also:

  • Registry::Builder.build_jmx_create_mbean


61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# File 'lib/msf/core/exploit/remote/java/rmi/client/jmx/connection.rb', line 61

def send_jmx_create_mbean(opts = {})
  send_call(
    sock: opts[:sock] || sock,
    call: build_jmx_create_mbean(opts)
  )

  return_value = recv_return(
    sock: opts[:sock] || sock
  )

  if return_value.nil?
    return nil
  end

  if return_value.is_exception?
    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
  end

  unless return_value.get_class_name == 'javax.management.ObjectInstance'
    return nil
  end

  true
end

#send_jmx_get_object_instance(opts = {}) ⇒ TrueClass, NilClass

Sends a call to the JMXRMI endpoint to retrieve an MBean instance. Simulates a call to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance() method.

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (TrueClass, NilClass)

    true if success, nil otherwise

Raises:

See Also:

  • Registry::Builder.build_jmx_get_object_instance


27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# File 'lib/msf/core/exploit/remote/java/rmi/client/jmx/connection.rb', line 27

def send_jmx_get_object_instance(opts = {})
  send_call(
    sock: opts[:sock] || sock,
    call: build_jmx_get_object_instance(opts)
  )

  return_value = recv_return(
    sock: opts[:sock] || sock
  )

  if return_value.nil?
    return nil
  end

  if return_value.is_exception?
    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
  end

  unless return_value.get_class_name == 'javax.management.ObjectInstance'
    return nil
  end

  true
end

#send_jmx_invoke(opts = {}) ⇒ TrueClass, NilClass

Sends a call to the JMXRMI endpoint to invoke an MBean method. Simulates a call to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke() method.

Parameters:

  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :sock (Rex::Socket::Tcp)

Returns:

  • (TrueClass, NilClass)

    true if success, nil otherwise

Raises:

See Also:

  • Registry::Builder.build_jmx_invoke


95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# File 'lib/msf/core/exploit/remote/java/rmi/client/jmx/connection.rb', line 95

def send_jmx_invoke(opts = {})
  send_call(
    sock: opts[:sock] || sock,
    call: build_jmx_invoke(opts)
  )

  return_value = recv_return(
    sock: opts[:sock] || sock
  )

  if return_value.nil?
    return nil
  end

  if return_value.is_exception?
    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
  end

  unless return_value.get_class_name == 'java.util.HashSet'
    return nil
  end

  true
end