-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathrmi-vuln-classloader.nse
117 lines (100 loc) · 3.72 KB
/
rmi-vuln-classloader.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
local bin = require "bin"
local rmi = require "rmi"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
description = [[
Checks if rmiregistry allows class loading.
The default configuration of rmiregistry allows loading classes from remote
URLs which can lead to remote code execution. This is considered as "by
design".
Based on original Metasploit module by mihi.
References:
* http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/misc/java_rmi_server.rb
]];
---
-- @usage
-- nmap --script=rmi-vuln-classloader -p 1099 <target>
--
-- @output
-- PORT STATE SERVICE
-- 1099/tcp open rmiregistry
-- | rmi-vuln:
-- | VULNERABLE:
-- | RMI registry default configuration remote code execution vulnerability
-- | State: VULNERABLE
-- | Description:
-- | Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code executeion.
-- |
-- | References:
-- |_ http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/misc/java_rmi_server.rb
author = "Aleksandar Nikolic";
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {
"intrusive",
"vuln"
};
portrule = shortport.port_or_service({
1099
}, {
"rmiregistry"
});
action = function (host, port)
local registry = rmi.Registry:new(host.ip, port.number);
registry:_handshake();
local rmiArgs = rmi.Arguments:new();
local argsRaw = "75" .. --TC_ARRAY
"72" .. -- TC_CLASSDESC
"0018" .. -- string len
"5B4C6A6176612E726D692E7365727665722E4F626A49443B" .. -- class name "[Ljava.rmi.server.ObjID;"
"871300B8D02C647E" .. -- serial id
"02" .. -- FLAGS (serializable)
"0000" .. -- FIELD COUNT
"70787000000000" .. --TC_NULL TC_BLOCKEND TC_NULL
"77080000000000000000" .. -- TC_BLOCKDATA
"73" .. -- TC_OBJECT
"72" .. -- TC_CLASSDESC
"0005" .. -- string len
"64756D6D79" .. -- class name "dummy"
"A16544BA26F9C2F4" .. -- serial id
"02" .. -- FLAGS (serializable)
"0000" .. -- FIELD COUNT
"74" .. -- TC_STRING
"0010" .. -- string len
"66696C653A2E2F64756D6D792E6A6172" .. -- annotation "file:./dummy.jar"
"78" .. -- TC_ENDBLOCKDATA
"70" .. -- TC_NULL
"7701000A"; -- TC_BLOCKDATA
local rmi_vuln = {
title = "RMI registry default configuration remote code execution vulnerability",
description = [[
Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code executeion.
]],
references = {
'http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/misc/java_rmi_server.rb',
},
exploit_results = {},
};
local report = vulns.Report:new(SCRIPT_NAME, host, port);
rmi_vuln.state = vulns.STATE.NOT_VULN;
rmiArgs:addRaw(bin.pack("H", argsRaw));
-- reference: java/rmi/dgc/DGCImpl_Stub.java and java/rmi/dgc/DGCImpl_Skel.java
-- we are calling DGC's (it's objectId is 2) method with opnum 0
-- DCG's hashcode is f6b6898d8bf28643 hex or -669196253586618813 dec
local status, j_array = registry.out:writeMethodCall(registry.out, 2, "f6b6898d8bf28643", 0, rmiArgs);
local status, retByte = registry.out.dis:readByte();
if not status then
return false, "No return data received from server";
end
if 0x51 ~= retByte then
-- 0x51 : Returndata
return false, "No return data received from server";
end
local data = registry.out.dis.bReader.readBuffer;
if string.find(data, "RMI class loader disabled") == nil then
rmi_vuln.state = vulns.STATE.VULN;
return report:make_output(rmi_vuln);
end
return report:make_output(rmi_vuln);
end;