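##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/java/serialization'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Java::Rmi::Client
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Class and interface names that a registry lookup of "jmxrmi" may
  # legitimately resolve to. Any other object name is treated as
  # "not a JMX MBean server" by #discover_endpoint.
  JMX_RMI_CLASSES = %w[
    javax.management.remote.rmi.RMIConnectionImpl
    javax.management.remote.rmi.RMIConnectionImpl_Stub
    javax.management.remote.rmi.RMIConnector
    javax.management.remote.rmi.RMIConnectorServer
    javax.management.remote.rmi.RMIIIOPServerImpl
    javax.management.remote.rmi.RMIJRMPServerImpl
    javax.management.remote.rmi.RMIServerImpl
    javax.management.remote.rmi.RMIServerImpl_Stub
    javax.management.remote.rmi.RMIConnection
    javax.management.remote.rmi.RMIServer
  ].freeze

  def initialize
    super(
      'Name' => 'Java JMX Server Insecure Endpoint Code Execution Scanner',
      'Description' => 'Detect Java JMX endpoints',
      'Author' => ['rocktheboat'],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf'],
          ['URL', 'https://www.optiv.com/blog/exploiting-jmx-rmi'],
          ['CVE', '2015-2342']
        ],
      'Platform' => 'java',
      'DisclosureDate' => 'May 22 2013'
    )

    register_options(
      [
        Opt::RPORT(1099)
      ]
    )
  end

  # Scanner entry point, invoked once per target.
  #
  # Flow: RMI protocol probe against RHOST:RPORT -> registry lookup of
  # "jmxrmi" -> RMI protocol probe against the MBean server endpoint the
  # registry returned -> newClient handshake. A handshake that completes
  # without a SecurityException is recorded as a service and a vuln.
  #
  # @param target_host [String] supplied by the Scanner mixin; the connection
  #   helpers read RHOST/RPORT from the datastore, so it is not used directly
  # @return [void]
  def run_host(target_host)
    connect
    print_status("Sending RMI header...")
    unless is_rmi?
      print_status("#{rhost}:#{rport} Java JMX RMI not detected")
      disconnect
      return
    end

    mbean_server = discover_endpoint
    disconnect

    if mbean_server.nil?
      print_status("#{rhost}:#{rport} Java JMX MBean not detected")
      return
    end

    # The MBean server address/port come from the remote reference the
    # registry handed back and may differ from RHOST/RPORT; the module
    # follows them as returned by the target.
    connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] })

    unless is_rmi?
      # Name the endpoint actually probed here (rhost/rport still refer to the
      # registry host), matching the messages below.
      print_status("#{mbean_server[:address]}:#{mbean_server[:port]} Java JMX RMI not detected")
      disconnect
      return
    end

    jmx_endpoint = handshake(mbean_server)
    disconnect

    if jmx_endpoint == false
      print_status("#{mbean_server[:address]}:#{mbean_server[:port]} Java JMX MBean authentication required")
      return
    elsif jmx_endpoint.nil?
      print_status("#{mbean_server[:address]}:#{mbean_server[:port]} Java JMX MBean status unknown")
      return
    end

    print_good("Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}")
    report_accessible_endpoint
  end

  # Records the java-rmi service on RHOST:RPORT and a vuln entry for it.
  # Written as soon as the unauthenticated newClient handshake has completed;
  # this module sends nothing further to the target.
  #
  # @return [void]
  def report_accessible_endpoint
    svc = report_service(host: rhost, port: rport, name: "java-rmi", info: "JMX MBean server accessible")
    report_vuln(
      host: rhost,
      service: svc,
      name: self.name,
      info: "Module #{self.fullname} confirmed RCE via JMX RMI service",
      refs: self.references
    )
  end

  # Sends the RMI stream-protocol header and waits for the protocol ack.
  #
  # @return [Boolean] true when the peer answered with a protocol ack
  def is_rmi?
    send_header
    !recv_protocol_ack.nil?
  end

  # Looks up the "jmxrmi" name in the RMI registry on the current connection.
  #
  # @return [Hash, nil] the remote reference (address, port, object_number,
  #   uid) when the registry resolves "jmxrmi" to one of JMX_RMI_CLASSES,
  #   nil when the lookup fails or resolves to an unexpected object
  def discover_endpoint
    ref = send_registry_lookup(name: "jmxrmi")
    return nil if ref.nil?

    unless JMX_RMI_CLASSES.include?(ref[:object])
      vprint_error("JMXRMI discovery returned unexpected object #{ref[:object]}")
      return nil
    end

    ref
  end

  # Sends the JMX newClient call (via the RMI client mixin's send_new_client)
  # to the MBean server described by +mbean+.
  #
  # @param mbean [Hash] remote reference as returned by #discover_endpoint;
  #   must carry :object_number and a :uid responding to number/time/count
  # @return [Hash, false, nil] whatever send_new_client returns on success;
  #   false when the server raised java.lang.SecurityException (credentials
  #   required); nil for any other RMI-level exception
  def handshake(mbean)
    opts = {
      object_number: mbean[:object_number],
      uid_number: mbean[:uid].number,
      uid_time: mbean[:uid].time,
      uid_count: mbean[:uid].count
    }
    send_new_client(opts)
  rescue ::Rex::Proto::Rmi::Exception => e
    vprint_error("JMXRMI discovery raised an exception of type #{e.message}")
    # A SecurityException means the endpoint exists but wants credentials,
    # which the caller reports differently from an unknown failure.
    return false if e.message == 'java.lang.SecurityException'

    nil
  end
end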