Browse Source

Move Msf::Java to the normal Msf::Exploit::Remote namespace

HD Moore 4 years ago
parent
commit
cd2e9d4232
41 changed files with 1266 additions and 1211 deletions
  1. 0
    4
      lib/msf/core.rb
  2. 2
    0
      lib/msf/core/exploit/java.rb
  3. 101
    0
      lib/msf/core/exploit/java/rmi/builder.rb
  4. 168
    0
      lib/msf/core/exploit/java/rmi/client.rb
  5. 27
    0
      lib/msf/core/exploit/java/rmi/client/jmx.rb
  6. 128
    0
      lib/msf/core/exploit/java/rmi/client/jmx/connection.rb
  7. 238
    0
      lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb
  8. 63
    0
      lib/msf/core/exploit/java/rmi/client/jmx/server.rb
  9. 77
    0
      lib/msf/core/exploit/java/rmi/client/jmx/server/builder.rb
  10. 40
    0
      lib/msf/core/exploit/java/rmi/client/jmx/server/parser.rb
  11. 135
    0
      lib/msf/core/exploit/java/rmi/client/registry.rb
  12. 70
    0
      lib/msf/core/exploit/java/rmi/client/registry/builder.rb
  13. 53
    0
      lib/msf/core/exploit/java/rmi/client/registry/parser.rb
  14. 127
    0
      lib/msf/core/exploit/java/rmi/util.rb
  15. 0
    96
      lib/msf/java/rmi/builder.rb
  16. 0
    164
      lib/msf/java/rmi/client.rb
  17. 0
    23
      lib/msf/java/rmi/client/jmx.rb
  18. 0
    122
      lib/msf/java/rmi/client/jmx/connection.rb
  19. 0
    234
      lib/msf/java/rmi/client/jmx/connection/builder.rb
  20. 0
    57
      lib/msf/java/rmi/client/jmx/server.rb
  21. 0
    73
      lib/msf/java/rmi/client/jmx/server/builder.rb
  22. 0
    35
      lib/msf/java/rmi/client/jmx/server/parser.rb
  23. 0
    129
      lib/msf/java/rmi/client/registry.rb
  24. 0
    66
      lib/msf/java/rmi/client/registry/builder.rb
  25. 0
    49
      lib/msf/java/rmi/client/registry/parser.rb
  26. 0
    122
      lib/msf/java/rmi/util.rb
  27. 1
    1
      modules/auxiliary/gather/java_rmi_registry.rb
  28. 1
    1
      modules/auxiliary/scanner/misc/java_rmi_server.rb
  29. 1
    1
      modules/exploits/multi/misc/java_jmx_server.rb
  30. 1
    1
      modules/exploits/multi/misc/java_rmi_server.rb
  31. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/builder_spec.rb
  32. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder_spec.rb
  33. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client/jmx/connection_spec.rb
  34. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client/jmx/server/builder_spec.rb
  35. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client/jmx/server/parser_spec.rb
  36. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client/jmx/server_spec.rb
  37. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client/registry/builder_spec.rb
  38. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client/registry/parser_spec.rb
  39. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client/registry_spec.rb
  40. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/client_spec.rb
  41. 3
    3
      spec/lib/msf/core/exploit/remote/java/rmi/util_spec.rb

+ 0
- 4
lib/msf/core.rb View File

@@ -75,10 +75,6 @@ require 'msf/http/jboss'
75 75
 # Kerberos Support
76 76
 require 'msf/kerberos/client'
77 77
 
78
-# Java RMI Support
79
-require 'msf/java/rmi/util'
80
-require 'msf/java/rmi/client'
81
-
82 78
 # Drivers
83 79
 require 'msf/core/exploit_driver'
84 80
 

+ 2
- 0
lib/msf/core/exploit/java.rb View File

@@ -14,6 +14,8 @@
14 14
 ###
15 15
 
16 16
 require 'msf/core'
17
+require 'msf/core/exploit/java/rmi/util'
18
+require 'msf/core/exploit/java/rmi/client'
17 19
 
18 20
 module Msf
19 21
 module Exploit::Java

+ 101
- 0
lib/msf/core/exploit/java/rmi/builder.rb View File

@@ -0,0 +1,101 @@
1
+# -*- coding: binary -*-
2
+
3
+require 'rex/java/serialization'
4
+
5
+module Msf
6
+  class Exploit
7
+    class Remote
8
+      module Java
9
+        module Rmi
10
+          module Builder
11
+            # Builds a RMI header stream
12
+            #
13
+            # @param opts [Hash{Symbol => <String, Fixnum>}]
14
+            # @option opts [String] :signature
15
+            # @option opts [Fixnum] :version
16
+            # @option opts [Fixnum] :protocol
17
+            # @return [Rex::Proto::Rmi::Model::OutputHeader]
18
+            def build_header(opts = {})
19
+              signature = opts[:signature] || Rex::Proto::Rmi::Model::SIGNATURE
20
+              version = opts[:version] || 2
21
+              protocol = opts[:protocol] || Rex::Proto::Rmi::Model::STREAM_PROTOCOL
22
+
23
+              header = Rex::Proto::Rmi::Model::OutputHeader.new(
24
+                  signature: signature,
25
+                  version: version,
26
+                  protocol: protocol)
27
+
28
+              header
29
+            end
30
+
31
+            # Builds a RMI call stream
32
+            #
33
+            # @param opts [Hash{Symbol => <Fixnum, Array>}]
34
+            # @option opts [Fixnum] :message_id
35
+            # @option opts [Fixnum] :object_number Random to identify the object.
36
+            # @option opts [Fixnum] :uid_number Identifies the VM where the object was generated.
37
+            # @option opts [Fixnum] :uid_time Time where the object was generated.
38
+            # @option opts [Fixnum] :uid_count Identifies different instance of the same object generated from the same VM
39
+            #   at the same time.
40
+            # @option opts [Fixnum] :operation On JDK 1.1 stub protocol the operation index in the interface. On JDK 1.2
41
+            #   it is -1.
42
+            # @option opts [Fixnum] :hash On JDK 1.1 stub protocol the stub's interface hash. On JDK1.2 is a hash
43
+            #   representing the method to call.
44
+            # @option opts [Array] :arguments
45
+            # @return [Rex::Proto::Rmi::Model::Call]
46
+            def build_call(opts = {})
47
+              message_id = opts[:message_id] || Rex::Proto::Rmi::Model::CALL_MESSAGE
48
+              object_number = opts[:object_number] || 0
49
+              uid_number = opts[:uid_number] || 0
50
+              uid_time = opts[:uid_time] ||  0
51
+              uid_count = opts[:uid_count] || 0
52
+              operation = opts[:operation] || -1
53
+              hash = opts[:hash] || 0
54
+              arguments = opts[:arguments] || []
55
+
56
+              uid = Rex::Proto::Rmi::Model::UniqueIdentifier.new(
57
+                number: uid_number,
58
+                time: uid_time,
59
+                count: uid_count
60
+              )
61
+
62
+              call_data = Rex::Proto::Rmi::Model::CallData.new(
63
+                object_number: object_number,
64
+                uid: uid,
65
+                operation: operation,
66
+                hash: hash,
67
+                arguments: arguments
68
+              )
69
+
70
+              call = Rex::Proto::Rmi::Model::Call.new(
71
+                message_id: message_id,
72
+                call_data: call_data
73
+              )
74
+
75
+              call
76
+            end
77
+
78
+            # Builds a RMI dgc ack stream
79
+            #
80
+            # @param opts [Hash{Symbol => <Fixnum, String>}]
81
+            # @option opts [Fixnum] :stream_id
82
+            # @option opts [String] :unique_identifier
83
+            # @return [Rex::Proto::Rmi::Model::DgcAck]
84
+            def build_dgc_ack(opts = {})
85
+              stream_id = opts[:stream_id] || Rex::Proto::Rmi::Model::DGC_ACK_MESSAGE
86
+              unique_identifier = opts[:unique_identifier] || "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
87
+
88
+              dgc_ack = Rex::Proto::Rmi::Model::DgcAck.new(
89
+                  stream_id: stream_id,
90
+                  unique_identifier: unique_identifier
91
+              )
92
+
93
+              dgc_ack
94
+            end
95
+
96
+          end
97
+        end
98
+      end
99
+    end
100
+  end
101
+end

+ 168
- 0
lib/msf/core/exploit/java/rmi/client.rb View File

@@ -0,0 +1,168 @@
1
+# -*- coding: binary -*-
2
+require 'rex/proto/rmi'
3
+require 'rex/java/serialization'
4
+require 'stringio'
5
+require 'msf/core/exploit/java/rmi/util'
6
+require 'msf/core/exploit/java/rmi/builder'
7
+require 'msf/core/exploit/java/rmi/client/registry'
8
+require 'msf/core/exploit/java/rmi/client/jmx'
9
+
10
+module Msf
11
+  class Exploit
12
+    class Remote
13
+      module Java
14
+        module Rmi
15
+          module Client
16
+
17
+            include Msf::Exploit::Remote::Java::Rmi::Util
18
+            include Msf::Exploit::Remote::Java::Rmi::Builder
19
+            include Msf::Exploit::Remote::Java::Rmi::Client::Registry
20
+            include Msf::Exploit::Remote::Java::Rmi::Client::Jmx
21
+            include Msf::Exploit::Remote::Tcp
22
+
23
+            def initialize(info = {})
24
+              super
25
+
26
+              register_advanced_options(
27
+                [
28
+                  OptInt.new('RmiReadLoopTimeout', [ true, 'Maximum number of seconds to wait for data between read iterations', 1])
29
+                ], Msf::Exploit::Remote::Java::Rmi::Client
30
+              )
31
+            end
32
+
33
+            # Returns the timeout to wait for data between read iterations
34
+            #
35
+            # @return [Fixnum]
36
+            def read_loop_timeout
37
+              datastore['RmiReadLoopTimeout'] || 1
38
+            end
39
+
40
+            # Returns the target host
41
+            #
42
+            # @return [String]
43
+            def rhost
44
+              datastore['RHOST']
45
+            end
46
+
47
+            # Returns the target port
48
+            #
49
+            # @return [Fixnum]
50
+            def rport
51
+              datastore['RPORT']
52
+            end
53
+
54
+            # Returns the RMI server peer
55
+            #
56
+            # @return [String]
57
+            def peer
58
+              "#{rhost}:#{rport}"
59
+            end
60
+
61
+            # Sends a RMI header stream
62
+            #
63
+            # @param opts [Hash]
64
+            # @option opts [Rex::Socket::Tcp] :sock
65
+            # @return [Fixnum] the number of bytes sent
66
+            # @see Msf::Rmi::Client::Streams#build_header
67
+            def send_header(opts = {})
68
+              nsock = opts[:sock] || sock
69
+              stream = build_header(opts)
70
+              nsock.put(stream.encode + "\x00\x00\x00\x00\x00\x00")
71
+            end
72
+
73
+            # Sends a RMI CALL stream
74
+            #
75
+            # @param opts [Hash]
76
+            # @option opts [Rex::Socket::Tcp] :sock
77
+            # @option opts [Rex::Proto::Rmi::Model::Call] :call
78
+            # @return [Fixnum] the number of bytes sent
79
+            # @see Msf::Rmi::Client::Streams#build_call
80
+            def send_call(opts = {})
81
+              nsock = opts[:sock] || sock
82
+              call = opts[:call] || build_call(opts)
83
+              nsock.put(call.encode)
84
+            end
85
+
86
+            # Sends a RMI DGCACK stream
87
+            #
88
+            # @param opts [Hash]
89
+            # @option opts [Rex::Socket::Tcp] :sock
90
+            # @return [Fixnum] the number of bytes sent
91
+            # @see Msf::Rmi::Client::Streams#build_dgc_ack
92
+            def send_dgc_ack(opts = {})
93
+              nsock = opts[:sock] || sock
94
+              stream = build_dgc_ack(opts)
95
+              nsock.put(stream.encode)
96
+            end
97
+
98
+            # Reads the Protocol Ack
99
+            #
100
+            # @param opts [Hash]
101
+            # @option opts [Rex::Socket::Tcp] :sock
102
+            # @return [Rex::Proto::Rmi::Model::ProtocolAck] if success
103
+            # @return [NilClass] otherwise
104
+            # @see Rex::Proto::Rmi::Model::ProtocolAck.decode
105
+            def recv_protocol_ack(opts = {})
106
+              nsock = opts[:sock] || sock
107
+              data = safe_get_once(nsock)
108
+              begin
109
+                ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(data))
110
+              rescue Rex::Proto::Rmi::DecodeError
111
+                return nil
112
+              end
113
+
114
+              ack
115
+            end
116
+
117
+            # Reads a ReturnData message and returns the java serialized stream
118
+            # with the return data value.
119
+            #
120
+            # @param opts [Hash]
121
+            # @option opts [Rex::Socket::Tcp] :sock
122
+            # @return [Rex::Proto::Rmi::Model::ReturnValue] if success
123
+            # @return [NilClass] otherwise
124
+            # @see Rex::Proto::Rmi::Model::ReturnData.decode
125
+            def recv_return(opts = {})
126
+              nsock = opts[:sock] || sock
127
+              data = safe_get_once(nsock)
128
+
129
+              begin
130
+                return_data = Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(data))
131
+              rescue Rex::Proto::Rmi::DecodeError
132
+                return nil
133
+              end
134
+
135
+              return_data.return_value
136
+            end
137
+
138
+            # Helper method to read fragmented data from a ```Rex::Socket::Tcp```
139
+            #
140
+            # @param nsock [Rex::Socket::Tcp]
141
+            # @return [String]
142
+            def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
143
+              data = ''
144
+              begin
145
+                res = nsock.get_once
146
+              rescue ::EOFError
147
+                res = nil
148
+              end
149
+
150
+              while res && nsock.has_read_data?(loop_timeout)
151
+                data << res
152
+                begin
153
+                  res = nsock.get_once
154
+                rescue ::EOFError
155
+                  res = nil
156
+                end
157
+              end
158
+
159
+              data << res if res
160
+              data
161
+            end
162
+          end
163
+
164
+        end
165
+      end
166
+    end
167
+  end
168
+end

+ 27
- 0
lib/msf/core/exploit/java/rmi/client/jmx.rb View File

@@ -0,0 +1,27 @@
1
+# -*- coding: binary -*-
2
+require 'msf/core/exploit/java/rmi/client/jmx/server'
3
+require 'msf/core/exploit/java/rmi/client/jmx/connection'
4
+
5
+module Msf
6
+  class Exploit
7
+    class Remote
8
+      module Java
9
+        module Rmi
10
+          module Client
11
+            module Jmx
12
+
13
+              include Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server
14
+              include Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Connection
15
+
16
+              OBJECT_NAME_UID = 1081892073854801359
17
+              BYTE_ARRAY_UID = -5984413125824719648
18
+              MARSHALLED_OBJECT_UID = 8988374069173025854
19
+              STRING_ARRAY_UID = -5921575005990323385
20
+              OBJECT_ARRAY_UID = -8012369246846506644
21
+            end
22
+          end
23
+        end
24
+      end
25
+    end
26
+  end
27
+end

+ 128
- 0
lib/msf/core/exploit/java/rmi/client/jmx/connection.rb View File

@@ -0,0 +1,128 @@
1
+# -*- coding: binary -*-
2
+
3
+require 'msf/core/exploit/java/rmi/client/jmx/connection/builder'
4
+
5
+module Msf
6
+  class Exploit
7
+    class Remote
8
+      module Java
9
+        module Rmi
10
+          module Client
11
+            module Jmx
12
+              # This mixin provides methods to simulate calls to the Java
13
+              # javax/management/remote/rmi/RMIConnectionImpl_Stub
14
+              # interface
15
+              module Connection
16
+
17
+                include Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Connection::Builder
18
+
19
+                # Sends a call to the JMXRMI endpoint to retrieve an MBean instance. Simulates a call
20
+                # to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance()
21
+                # method.
22
+                #
23
+                # @param opts [Hash]
24
+                # @option opts [Rex::Socket::Tcp] :sock
25
+                # @return [TrueClass, NilClass] true if success, nil otherwise
26
+                # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
27
+                # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder.build_jmx_get_object_instance
28
+                def send_jmx_get_object_instance(opts = {})
29
+                  send_call(
30
+                    sock: opts[:sock] || sock,
31
+                    call: build_jmx_get_object_instance(opts)
32
+                  )
33
+
34
+                  return_value = recv_return(
35
+                    sock: opts[:sock] || sock
36
+                  )
37
+
38
+                  if return_value.nil?
39
+                    return nil
40
+                  end
41
+
42
+                  if return_value.is_exception?
43
+                    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
44
+                  end
45
+
46
+                  unless return_value.get_class_name == 'javax.management.ObjectInstance'
47
+                    return nil
48
+                  end
49
+
50
+                  true
51
+                end
52
+
53
+                # Sends a call to the JMXRMI endpoint to create an MBean instance. Simulates a call
54
+                # to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean()
55
+                # method.
56
+                #
57
+                # @param opts [Hash]
58
+                # @option opts [Rex::Socket::Tcp] :sock
59
+                # @return [TrueClass, NilClass] true if success, nil otherwise
60
+                # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
61
+                # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder.build_jmx_create_mbean
62
+                def send_jmx_create_mbean(opts = {})
63
+                  send_call(
64
+                    sock: opts[:sock] || sock,
65
+                    call: build_jmx_create_mbean(opts)
66
+                  )
67
+
68
+                  return_value = recv_return(
69
+                    sock: opts[:sock] || sock
70
+                  )
71
+
72
+                  if return_value.nil?
73
+                    return nil
74
+                  end
75
+
76
+                  if return_value.is_exception?
77
+                    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
78
+                  end
79
+
80
+                  unless return_value.get_class_name == 'javax.management.ObjectInstance'
81
+                    return nil
82
+                  end
83
+
84
+                  true
85
+                end
86
+
87
+                # Sends a call to the JMXRMI endpoint to invoke an MBean method. Simulates a call
88
+                # to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()
89
+                # method.
90
+                #
91
+                # @param opts [Hash]
92
+                # @option opts [Rex::Socket::Tcp] :sock
93
+                # @return [TrueClass, NilClass] true if success, nil otherwise
94
+                # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
95
+                # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder.build_jmx_invoke
96
+                def send_jmx_invoke(opts = {})
97
+                  send_call(
98
+                    sock: opts[:sock] || sock,
99
+                    call: build_jmx_invoke(opts)
100
+                  )
101
+
102
+                  return_value = recv_return(
103
+                    sock: opts[:sock] || sock
104
+                  )
105
+
106
+                  if return_value.nil?
107
+                    return nil
108
+                  end
109
+
110
+                  if return_value.is_exception?
111
+                    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
112
+                  end
113
+
114
+                  unless return_value.get_class_name == 'java.util.HashSet'
115
+                    return nil
116
+                  end
117
+
118
+                  true
119
+                end
120
+
121
+              end
122
+            end
123
+          end
124
+        end
125
+      end
126
+    end
127
+  end
128
+end

+ 238
- 0
lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb View File

@@ -0,0 +1,238 @@
1
+# -*- coding: binary -*-
2
+
3
+module Msf
4
+  class Exploit
5
+    class Remote
6
+      module Java
7
+        module Rmi
8
+          module Client
9
+            module Jmx
10
+              module Connection
11
+                module Builder
12
+                  # Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance()
13
+                  # used to retrieve an MBean instance
14
+                  #
15
+                  # @param opts [Hash]
16
+                  # @option opts [String] :name the MBean name
17
+                  # @return [Rex::Proto::Rmi::Model::Call]
18
+                  # @see Msf::Exploit::Remote::Java::Rmi::Builder.build_call
19
+                  def build_jmx_get_object_instance(opts = {})
20
+                    object_number = opts[:object_number] || 0
21
+                    uid_number = opts[:uid_number] || 0
22
+                    uid_time = opts[:uid_time] || 0
23
+                    uid_count = opts[:uid_count] || 0
24
+                    name = opts[:name] || ''
25
+
26
+                    arguments = build_jmx_get_object_instance_args(name)
27
+
28
+                    method_hash = calculate_method_hash('getObjectInstance(Ljavax/management/ObjectName;Ljavax/security/auth/Subject;)Ljavax/management/ObjectInstance;')
29
+
30
+                    call = build_call(
31
+                      object_number: object_number,
32
+                      uid_number: uid_number,
33
+                      uid_time: uid_time,
34
+                      uid_count: uid_count,
35
+                      operation: -1,
36
+                      hash: method_hash,
37
+                      arguments: arguments
38
+                    )
39
+
40
+                    call
41
+                  end
42
+
43
+                  # Builds an an array of arguments o build a call to
44
+                  # javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance()
45
+                  #
46
+                  # @param name [String] the MBean name
47
+                  # @return [Array]
48
+                  def build_jmx_get_object_instance_args(name = '')
49
+                    builder = Rex::Java::Serialization::Builder.new
50
+
51
+                    new_object = builder.new_object(
52
+                      name: 'javax.management.ObjectName',
53
+                      serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::OBJECT_NAME_UID, # serialVersionUID
54
+                      flags: 3
55
+                    )
56
+
57
+                    arguments = [
58
+                      new_object,
59
+                      Rex::Java::Serialization::Model::Utf.new(nil, name),
60
+                      Rex::Java::Serialization::Model::EndBlockData.new,
61
+                      Rex::Java::Serialization::Model::NullReference.new
62
+                    ]
63
+
64
+                    arguments
65
+                  end
66
+
67
+                  # Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean()
68
+                  # used to retrieve an MBean instance
69
+                  #
70
+                  # @param opts [Hash]
71
+                  # @option opts [String] :name the MBean name
72
+                  # @return [Rex::Proto::Rmi::Model::Call]
73
+                  # @see Msf::Exploit::Remote::Java::Rmi::Builder.build_call
74
+                  def build_jmx_create_mbean(opts = {})
75
+                    name = opts[:name] || ''
76
+                    object_number = opts[:object_number] || 0
77
+                    uid_number = opts[:uid_number] || 0
78
+                    uid_time = opts[:uid_time] || 0
79
+                    uid_count = opts[:uid_count] || 0
80
+
81
+                    method_hash = calculate_method_hash('createMBean(Ljava/lang/String;Ljavax/management/ObjectName;Ljavax/security/auth/Subject;)Ljavax/management/ObjectInstance;')
82
+
83
+                    arguments = build_jmx_create_mbean_args(name)
84
+
85
+                    call = build_call(
86
+                      object_number: object_number,
87
+                      uid_number: uid_number,
88
+                      uid_time: uid_time,
89
+                      uid_count: uid_count,
90
+                      operation: -1,
91
+                      hash: method_hash,
92
+                      arguments: arguments
93
+                    )
94
+
95
+                    call
96
+                  end
97
+
98
+                  # Builds an an array of arguments o build a call to
99
+                  # javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean()
100
+                  #
101
+                  # @param name [Hash] the MBean name
102
+                  # @return [Array]
103
+                  def build_jmx_create_mbean_args(name = '')
104
+                    arguments = [
105
+                      Rex::Java::Serialization::Model::Utf.new(nil, name),
106
+                      Rex::Java::Serialization::Model::NullReference.new,
107
+                      Rex::Java::Serialization::Model::NullReference.new
108
+                    ]
109
+
110
+                    arguments
111
+                  end
112
+                end
113
+
114
+
115
+                # Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()
116
+                # used to invoke an MBean method
117
+                #
118
+                # @param opts [Hash]
119
+                # @option opts [String] :name the MBean name
120
+                # @return [Rex::Proto::Rmi::Model::Call]
121
+                # @see Msf::Exploit::Remote::Java::Rmi::Builder.build_call
122
+                # @see #build_jmx_invoke_args
123
+                def build_jmx_invoke(opts = {})
124
+                  object_number = opts[:object_number] || 0
125
+                  uid_number = opts[:uid_number] || 0
126
+                  uid_time = opts[:uid_time] || 0
127
+                  uid_count = opts[:uid_count] || 0
128
+
129
+                  method_hash = calculate_method_hash('invoke(Ljavax/management/ObjectName;Ljava/lang/String;Ljava/rmi/MarshalledObject;[Ljava/lang/String;Ljavax/security/auth/Subject;)Ljava/lang/Object;')
130
+
131
+                  arguments = build_jmx_invoke_args(opts)
132
+
133
+                  call = build_call(
134
+                    object_number: object_number,
135
+                    uid_number: uid_number,
136
+                    uid_time: uid_time,
137
+                    uid_count: uid_count,
138
+                    operation: -1,
139
+                    hash: method_hash,
140
+                    arguments: arguments
141
+                  )
142
+
143
+                  call
144
+                end
145
+
146
+                # Builds an an array of arguments o build a call to
147
+                # javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()
148
+                #
149
+                # @param opts [Hash]
150
+                # @option opts [String] :object the MBean name
151
+                # @option opts [String] :method the method name
152
+                # @option opts [Hash] :args the method arguments
153
+                # @return [Array]
154
+                def build_jmx_invoke_args(opts = {})
155
+                  object_name = opts[:object] || ''
156
+                  method_name = opts[:method] || ''
157
+                  args = opts[:args] || {}
158
+
159
+                  builder = Rex::Java::Serialization::Builder.new
160
+
161
+                  new_object = builder.new_object(
162
+                    name: 'javax.management.ObjectName',
163
+                    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::OBJECT_NAME_UID, # serialVersionUID
164
+                    flags: 3
165
+                  )
166
+
167
+                  data_binary = builder.new_array(
168
+                    name: '[B',
169
+                    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::BYTE_ARRAY_UID, # serialVersionUID
170
+                    values_type: 'byte',
171
+                    values: build_invoke_arguments_obj_bytes(args).encode.unpack('C*')
172
+                  )
173
+
174
+                  marshall_object = builder.new_object(
175
+                    name: 'java.rmi.MarshalledObject',
176
+                    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::MARSHALLED_OBJECT_UID, # serialVersionUID
177
+                    fields: [
178
+                      ['int', 'hash'],
179
+                      ['array', 'locBytes', '[B'],
180
+                      ['array', 'objBytes', '[B']
181
+                    ],
182
+                    data: [
183
+                      ["int", 1919492550],
184
+                      Rex::Java::Serialization::Model::NullReference.new,
185
+                      data_binary
186
+                    ]
187
+                  )
188
+
189
+                  new_array = builder.new_array(
190
+                    name: '[Ljava.lang.String;',
191
+                    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::STRING_ARRAY_UID, # serialVersionUID
192
+                    values_type: 'java.lang.String;',
193
+                    values: args.keys.collect { |k| Rex::Java::Serialization::Model::Utf.new(nil, k) }
194
+                  )
195
+
196
+                  arguments = [
197
+                    new_object,
198
+                    Rex::Java::Serialization::Model::Utf.new(nil, object_name),
199
+                    Rex::Java::Serialization::Model::EndBlockData.new,
200
+                    Rex::Java::Serialization::Model::Utf.new(nil, method_name),
201
+                    marshall_object,
202
+                    new_array,
203
+                    Rex::Java::Serialization::Model::NullReference.new
204
+                  ]
205
+
206
+                  arguments
207
+                end
208
+
209
+                # Builds a Rex::Java::Serialization::Model::Stream with the arguments to
210
+                # simulate a call to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()
211
+                # method.
212
+                #
213
+                # @param args [Hash] the arguments of the method to invoke
214
+                # @return [Rex::Java::Serialization::Model::Stream]
215
+                def build_invoke_arguments_obj_bytes(args = {})
216
+                  builder = Rex::Java::Serialization::Builder.new
217
+
218
+                  new_array = builder.new_array(
219
+                    name: '[Ljava.lang.Object;',
220
+                    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::OBJECT_ARRAY_UID, # serialVersionUID
221
+                    annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
222
+                    values_type: 'java.lang.Object;',
223
+                    values: args.values.collect { |arg| Rex::Java::Serialization::Model::Utf.new(nil, arg) }
224
+                  )
225
+
226
+                  stream = Rex::Java::Serialization::Model::Stream.new
227
+                  stream.contents << new_array
228
+
229
+                  stream
230
+                end
231
+              end
232
+            end
233
+          end
234
+        end
235
+      end
236
+    end
237
+  end
238
+end

+ 63
- 0
lib/msf/core/exploit/java/rmi/client/jmx/server.rb View File

@@ -0,0 +1,63 @@
1
+# -*- coding: binary -*-
2
+
3
+require 'msf/core/exploit/java/rmi/client/jmx/server/builder'
4
+require 'msf/core/exploit/java/rmi/client/jmx/server/parser'
5
+
6
+module Msf
7
+  class Exploit
8
+    class Remote
9
+      module Java
10
+        module Rmi
11
+          module Client
12
+            module Jmx
13
+              module Server
14
+
15
+                include Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server::Builder
16
+                include Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server::Parser
17
+
18
+                # Sends a call to the JMXRMI endpoint to retrieve an MBean instance. Simulates a call
19
+                # to the Java javax/management/remote/rmi/RMIServer_Stub#newClient()
20
+                # method.
21
+                #
22
+                # @param opts [Hash]
23
+                # @option opts [Rex::Socket::Tcp] :sock
24
+                # @return [Hash, NilClass] The connection information if success, nil otherwise
25
+                # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
26
+                # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder.build_jmx_new_client
27
+                def send_new_client(opts = {})
28
+                  send_call(
29
+                    sock: opts[:sock] || sock,
30
+                    call: build_jmx_new_client(opts)
31
+                  )
32
+
33
+                  return_value = recv_return(
34
+                    sock: opts[:sock] || sock
35
+                  )
36
+
37
+                  if return_value.nil?
38
+                    return nil
39
+                  end
40
+
41
+                  if return_value.is_exception?
42
+                    raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
43
+                  end
44
+
45
+                  remote_object = return_value.get_class_name
46
+
47
+                  unless remote_object && remote_object == 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
48
+                    return nil
49
+                  end
50
+
51
+                  reference = parse_jmx_new_client_endpoint(return_value)
52
+
53
+                  reference
54
+                end
55
+
56
+              end
57
+            end
58
+          end
59
+        end
60
+      end
61
+    end
62
+  end
63
+end

+ 77
- 0
lib/msf/core/exploit/java/rmi/client/jmx/server/builder.rb View File

@@ -0,0 +1,77 @@
1
+# -*- coding: binary -*-
2
+
3
+module Msf
4
+  class Exploit
5
+    class Remote
6
+      module Java
7
+        module Rmi
8
+          module Client
9
+            module Jmx
10
+              module Server
11
+                module Builder
12
+
13
+                  # Builds an RMI call to javax/management/remote/rmi/RMIServer_Stub#newClient()
14
+                  # used to enumerate the names bound in a registry
15
+                  #
16
+                  # @param opts [Hash]
17
+                  # @option opts [String] :username the JMX role to establish the connection if needed
18
+                  # @option opts [String] :password the JMX password to establish the connection if needed
19
+                  # @return [Rex::Proto::Rmi::Model::Call]
20
+                  # @see Msf::Exploit::Remote::Java::Rmi::Builder.build_call
21
+                  def build_jmx_new_client(opts = {})
22
+                    object_number = opts[:object_number] || 0
23
+                    uid_number = opts[:uid_number] || 0
24
+                    uid_time = opts[:uid_time] || 0
25
+                    uid_count = opts[:uid_count] || 0
26
+                    username = opts[:username]
27
+                    password = opts[:password] || ''
28
+
29
+                    if username
30
+                      arguments = build_jmx_new_client_args(username, password)
31
+                    else
32
+                      arguments = [Rex::Java::Serialization::Model::NullReference.new]
33
+                    end
34
+
35
+                    call = build_call(
36
+                      object_number: object_number,
37
+                      uid_number: uid_number,
38
+                      uid_time: uid_time,
39
+                      uid_count: uid_count,
40
+                      operation: -1,
41
+                      hash: -1089742558549201240, # javax.management.remote.rmi.RMIServer.newClient
42
+                      arguments: arguments
43
+                    )
44
+
45
+                    call
46
+                  end
47
+
48
+                  # Builds a Rex::Java::Serialization::Model::NewArray with credentials
49
+                  # to make an javax/management/remote/rmi/RMIServer_Stub#newClient call
50
+                  #
51
+                  # @param username [String] The username (role) to authenticate with
52
+                  # @param password [String] The password to authenticate with
53
+                  # @return [Array<Rex::Java::Serialization::Model::NewArray>]
54
+                  def build_jmx_new_client_args(username = '', password = '')
55
+                    builder = Rex::Java::Serialization::Builder.new
56
+
57
+                    auth_array = builder.new_array(
58
+                      name: '[Ljava.lang.String;',
59
+                      serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::STRING_ARRAY_UID, # serialVersionUID
60
+                      values_type: 'java.lang.String;',
61
+                      values: [
62
+                        Rex::Java::Serialization::Model::Utf.new(nil, username),
63
+                        Rex::Java::Serialization::Model::Utf.new(nil, password)
64
+                      ]
65
+                    )
66
+
67
+                    [auth_array]
68
+                  end
69
+                end
70
+              end
71
+            end
72
+          end
73
+        end
74
+      end
75
+    end
76
+  end
77
+end

+ 40
- 0
lib/msf/core/exploit/java/rmi/client/jmx/server/parser.rb View File

@@ -0,0 +1,40 @@
1
+# -*- coding: binary -*-
2
+
3
+module Msf
4
+  class Exploit
5
+    class Remote
6
+      module Java
7
+        module Rmi
8
+          module Client
9
+            module Jmx
10
+              module Server
11
+                module Parser
12
+                  # Parses a javax/management/remote/rmi/RMIServer_Stub#newClient() return value
13
+                  # to find out the remote reference information.
14
+                  #
15
+                  # @param return_value [Rex::Java::Serialization::Model::ReturnValue]
16
+                  # @return [Hash, NilClass] The remote interface information if success, nil otherwise
17
+                  def parse_jmx_new_client_endpoint(return_value)
18
+                    values_size = return_value.value.length
19
+                    end_point_block_data = return_value.value[values_size - 2]
20
+
21
+                    unless end_point_block_data.is_a?(Rex::Java::Serialization::Model::BlockData)
22
+                      return nil
23
+                    end
24
+
25
+                    return_io = StringIO.new(end_point_block_data.contents, 'rb')
26
+
27
+                    reference = extract_reference(return_io)
28
+
29
+                    reference
30
+                  end
31
+
32
+                end
33
+              end
34
+            end
35
+          end
36
+        end
37
+      end
38
+    end
39
+  end
40
+end

+ 135
- 0
lib/msf/core/exploit/java/rmi/client/registry.rb View File

@@ -0,0 +1,135 @@
1
+# -*- coding: binary -*-
2
+
3
+require 'msf/core/exploit/java/rmi/client/registry/builder'
4
+require 'msf/core/exploit/java/rmi/client/registry/parser'
5
+
6
+module Msf
7
+  class Exploit
8
+    class Remote
9
+      module Java
10
+        module Rmi
11
+          module Client
12
+            # This mixin provides methods to simulate calls to the Java java/rmi/registry/RegistryImpl_Stub
13
+            # interface
14
+            module Registry
15
+
16
+              include Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder
17
+              include Msf::Exploit::Remote::Java::Rmi::Client::Registry::Parser
18
+
19
+              # Sends a Registry lookup call to the RMI endpoint. Simulates a call to the Java
20
+              # java/rmi/registry/RegistryImpl_Stub#lookup() method.
21
+              #
22
+              # @param opts [Hash]
23
+              # @option opts [Rex::Socket::Tcp] :sock
24
+              # @return [Hash, NilClass] The remote reference information if success, nil otherwise
25
+              # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
26
+              # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder.build_registry_lookup
27
+              def send_registry_lookup(opts = {})
28
+                send_call(
29
+                  sock: opts[:sock] || sock,
30
+                  call: build_registry_lookup(opts)
31
+                )
32
+
33
+                return_value = recv_return(
34
+                  sock: opts[:sock] || sock
35
+                )
36
+
37
+                if return_value.nil?
38
+                  return nil
39
+                end
40
+
41
+                if return_value.is_exception?
42
+                  raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
43
+                end
44
+
45
+                remote_object = return_value.get_class_name
46
+
47
+                if remote_object.nil?
48
+                  return nil
49
+                end
50
+
51
+                remote_location = parse_registry_lookup_endpoint(return_value)
52
+
53
+                if remote_location.nil?
54
+                  return nil
55
+                end
56
+
57
+                remote_location.merge(object: remote_object)
58
+              end
59
+
60
+              # Sends a Registry list call to the RMI endpoint. Simulates a call to the Java
61
+              # java/rmi/registry/RegistryImpl_Stub#list() method
62
+              #
63
+              # @param opts [Hash]
64
+              # @option opts [Rex::Socket::Tcp] :sock
65
+              # @return [Array, NilClass] The set of names if success, nil otherwise
66
+              # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
67
+              # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Builder.build_registry_list
68
+              def send_registry_list(opts = {})
69
+                send_call(
70
+                  sock: opts[:sock] || sock,
71
+                  call: build_registry_list(opts)
72
+                )
73
+
74
+                return_value = recv_return(
75
+                  sock: opts[:sock] || sock
76
+                )
77
+
78
+                if return_value.nil?
79
+                  return nil
80
+                end
81
+
82
+                if return_value.is_exception?
83
+                  raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
84
+                end
85
+
86
+                names = parse_registry_list(return_value)
87
+
88
+                names
89
+              end
90
+
91
+              # Calculates the hash to make RMI calls for the
92
+              # java/rmi/registry/RegistryImpl_Stub interface
93
+              #
94
+              # @return [Fixnum] The interface's hash
95
+              def registry_interface_hash
96
+                hash = calculate_interface_hash(
97
+                  [
98
+                    {
99
+                      name: 'bind',
100
+                      descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
101
+                      exceptions: ['java.rmi.AccessException', 'java.rmi.AlreadyBoundException', 'java.rmi.RemoteException']
102
+                    },
103
+                    {
104
+                      name: 'list',
105
+                      descriptor: '()[Ljava/lang/String;',
106
+                      exceptions: ['java.rmi.AccessException', 'java.rmi.RemoteException']
107
+                    },
108
+                    {
109
+                      name: 'lookup',
110
+                      descriptor: '(Ljava/lang/String;)Ljava/rmi/Remote;',
111
+                      exceptions: ['java.rmi.AccessException', 'java.rmi.NotBoundException', 'java.rmi.RemoteException']
112
+                    },
113
+                    {
114
+                      name: 'rebind',
115
+                      descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
116
+                      exceptions: ['java.rmi.AccessException', 'java.rmi.RemoteException']
117
+                    },
118
+                    {
119
+                      name: 'unbind',
120
+                      descriptor: '(Ljava/lang/String;)V',
121
+                      exceptions: ['java.rmi.AccessException', 'java.rmi.NotBoundException', 'java.rmi.RemoteException']
122
+                    }
123
+                  ]
124
+                )
125
+
126
+                hash
127
+              end
128
+
129
+            end
130
+          end
131
+        end
132
+      end
133
+    end
134
+  end
135
+end

+ 70
- 0
lib/msf/core/exploit/java/rmi/client/registry/builder.rb View File

@@ -0,0 +1,70 @@
1
+# -*- coding: binary -*-
2
+
3
+module Msf
4
+  class Exploit
5
+    class Remote
6
+      module Java
7
+        module Rmi
8
+          module Client
9
+            module Registry
10
+              module Builder
11
+
12
+                # Builds an RMI call to java/rmi/registry/RegistryImpl_Stub#lookup() used to
13
+                # retrieve the remote reference bound to a name.
14
+                #
15
+                # @param opts [Hash]
16
+                # @option opts [String] :name the name to lookup
17
+                # @return [Rex::Proto::Rmi::Model::Call]
18
+                # @see Msf::Exploit::Remote::Java::Rmi::Builder.build_call
19
+                def build_registry_lookup(opts = {})
20
+                  object_number = opts[:object_number] || 0
21
+                  uid_number = opts[:uid_number] || 0
22
+                  uid_time = opts[:uid_time] || 0
23
+                  uid_count = opts[:uid_count] || 0
24
+                  name = opts[:name] || ''
25
+
26
+                  call = build_call(
27
+                    object_number: object_number,
28
+                    uid_number: uid_number,
29
+                    uid_time: uid_time,
30
+                    uid_count: uid_count,
31
+                    operation: 2, # java.rmi.Remote lookup(java.lang.String)
32
+                    hash: registry_interface_hash,
33
+                    arguments: [Rex::Java::Serialization::Model::Utf.new(nil, name)]
34
+                  )
35
+
36
+                  call
37
+                end
38
+
39
+                # Builds an RMI call to java/rmi/registry/RegistryImpl_Stub#list() used to
40
+                # enumerate the names bound in a registry
41
+                #
42
+                # @param opts [Hash]
43
+                # @return [Rex::Proto::Rmi::Model::Call]
44
+                # @see Msf::Exploit::Remote::Java::Rmi::Builder.build_call
45
+                def build_registry_list(opts = {})
46
+                  object_number = opts[:object_number] || 0
47
+                  uid_number = opts[:uid_number] || 0
48
+                  uid_time = opts[:uid_time] || 0
49
+                  uid_count = opts[:uid_count] || 0
50
+
51
+                  call = build_call(
52
+                    object_number: object_number,
53
+                    uid_number: uid_number,
54
+                    uid_time: uid_time,
55
+                    uid_count: uid_count,
56
+                    operation: 1, # java.lang.String list()[]
57
+                    hash: registry_interface_hash,
58
+                    arguments: []
59
+                  )
60
+
61
+                  call
62
+                end
63
+              end
64
+            end
65
+          end
66
+        end
67
+      end
68
+    end
69
+  end
70
+end

+ 53
- 0
lib/msf/core/exploit/java/rmi/client/registry/parser.rb View File

@@ -0,0 +1,53 @@
1
+# -*- coding: binary -*-
2
+
3
+module Msf
4
+  class Exploit
5
+    class Remote
6
+      module Java
7
+        module Rmi
8
+          module Client
9
+            module Registry
10
+              module Parser
11
+                # Parses a java/rmi/registry/RegistryImpl_Stub#lookup() return value to find out
12
+                # the remote reference information.
13
+                #
14
+                # @param return_value [Rex::Java::Serialization::Model::ReturnValue]
15
+                # @return [Hash, NilClass] The remote interface information if success, nil otherwise
16
+                def parse_registry_lookup_endpoint(return_value)
17
+                  values_size = return_value.value.length
18
+                  end_point_block_data = return_value.value[values_size - 2]
19
+                  unless end_point_block_data.is_a?(Rex::Java::Serialization::Model::BlockData)
20
+                    return nil
21
+                  end
22
+
23
+                  return_io = StringIO.new(end_point_block_data.contents, 'rb')
24
+
25
+                  reference = extract_reference(return_io)
26
+
27
+                  reference
28
+                end
29
+
30
+                # Parses a java/rmi/registry/RegistryImpl_Stub#list() return value to find out
31
+                # the list of names registered.
32
+                #
33
+                # @param return_value [Rex::Java::Serialization::Model::ReturnValue]
34
+                # @return [Array, NilClass] The list of names registered if success, nil otherwise
35
+                def parse_registry_list(return_value)
36
+                  unless return_value.value[0].is_a?(Rex::Java::Serialization::Model::NewArray)
37
+                    return nil
38
+                  end
39
+
40
+                  unless return_value.value[0].type == 'java.lang.String;'
41
+                    return nil
42
+                  end
43
+
44
+                  return_value.value[0].values.collect { |val| val.contents }
45
+                end
46
+              end
47
+            end
48
+          end
49
+        end
50
+      end
51
+    end
52
+  end
53
+end

+ 127
- 0
lib/msf/core/exploit/java/rmi/util.rb View File

@@ -0,0 +1,127 @@
1
+# -*- coding: binary -*-
2
+require 'rex/java/serialization'
3
+require 'rex/text'
4
+
5
+module Msf
6
+  class Exploit
7
+    class Remote
8
+      module Java
9
+        module Rmi
10
+          module Util
11
+            # Calculates a method hash to make RMI calls as defined by the JDK 1.2
12
+            #
13
+            # @param signature [String] The remote method signature as specified by the JDK 1.2,
14
+            #   method name + method descriptor (as explained in the Java Virtual Machine Specification)
15
+            # @return [Fixnum] The method hash
16
+            # @see http://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmi-stubs24.html The RemoteRef Interface documentation to understand how method hashes are calculated
17
+            def calculate_method_hash(signature)
18
+              utf = Rex::Java::Serialization::Model::Utf.new(nil, signature)
19
+              sha1 = Rex::Text.sha1_raw(utf.encode)
20
+
21
+              sha1.unpack('Q<')[0]
22
+            end
23
+
24
+            # Calculates an interface hash to make RMI calls as defined by the JDK 1.1
25
+            #
26
+            # @param methods [Array] set of method names and their descriptors
27
+            # @return [Fixnum] The interface hash
28
+            # @see http://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmi-stubs24.html The RemoteRef Interface documentation to understand how interface hashes are calculated
29
+            def calculate_interface_hash(methods)
30
+              stream = ''
31
+              stream << [1].pack('N') # stub version number
32
+
33
+              methods.each do |m|
34
+                utf_method = Rex::Java::Serialization::Model::Utf.new(nil, m[:name])
35
+                utf_descriptor = Rex::Java::Serialization::Model::Utf.new(nil, m[:descriptor])
36
+                stream << utf_method.encode
37
+                stream << utf_descriptor.encode
38
+                m[:exceptions].each do |e|
39
+                  utf_exception = Rex::Java::Serialization::Model::Utf.new(nil, e)
40
+                  stream << utf_exception.encode
41
+                end
42
+              end
43
+
44
+              sha1 = Rex::Text.sha1_raw(stream)
45
+
46
+              sha1.unpack('Q<')[0]
47
+            end
48
+
49
+            # Extracts an string from an IO
50
+            #
51
+            # @param io [IO] the io to extract the string from
52
+            # @return [String, nil] the extracted string if success, nil otherwise
53
+            def extract_string(io)
54
+              raw_length = io.read(2)
55
+              unless raw_length && raw_length.length == 2
56
+                return nil
57
+              end
58
+              length = raw_length.unpack('s>')[0]
59
+
60
+              string = io.read(length)
61
+              unless string && string.length == length
62
+                return nil
63
+              end
64
+
65
+              string
66
+            end
67
+
68
+            # Extracts an int from an IO
69
+            #
70
+            # @param io [IO] the io to extract the int from
71
+            # @return [Fixnum, nil] the extracted int if success, nil otherwise
72
+            def extract_int(io)
73
+              int_raw = io.read(4)
74
+              unless int_raw && int_raw.length == 4
75
+                return nil
76
+              end
77
+              int = int_raw.unpack('l>')[0]
78
+
79
+              int
80
+            end
81
+
82
+            # Extracts a long from an IO
83
+            #
84
+            # @param io [IO] the io to extract the long from
85
+            # @return [Fixnum, nil] the extracted int if success, nil otherwise
86
+            def extract_long(io)
87
+              int_raw = io.read(8)
88
+              unless int_raw && int_raw.length == 8
89
+                return nil
90
+              end
91
+              int = int_raw.unpack('q>')[0]
92
+
93
+              int
94
+            end
95
+
96
+            # Extract an RMI interface reference from an IO
97
+            #
98
+            # @param io [IO] the io to extract the reference from, should contain the data
99
+            #   inside a BlockData with the reference information.
100
+            # @return [Hash, nil] the extracted reference if success, nil otherwise
101
+            # @see Msf::Exploit::Remote::Java::Rmi::Client::Jmx:Server::Parser#parse_jmx_new_client_endpoint
102
+            # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Parser#parse_registry_lookup_endpoint
103
+            def extract_reference(io)
104
+              ref = extract_string(io)
105
+              unless ref && ref == 'UnicastRef'
106
+                return nil
107
+              end
108
+
109
+              address = extract_string(io)
110
+              return nil unless address
111
+
112
+              port = extract_int(io)
113
+              return nil unless port
114
+
115
+              object_number = extract_long(io)
116
+
117
+              uid = Rex::Proto::Rmi::Model::UniqueIdentifier.decode(io)
118
+
119
+              {address: address, port: port, object_number: object_number, uid: uid}
120
+            end
121
+
122
+          end
123
+        end
124
+      end
125
+    end
126
+  end
127
+end

+ 0
- 96
lib/msf/java/rmi/builder.rb View File

@@ -1,96 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-require 'rex/java/serialization'
4
-
5
-module Msf
6
-  module Java
7
-    module Rmi
8
-      module Builder
9
-        # Builds a RMI header stream
10
-        #
11
-        # @param opts [Hash{Symbol => <String, Fixnum>}]
12
-        # @option opts [String] :signature
13
-        # @option opts [Fixnum] :version
14
-        # @option opts [Fixnum] :protocol
15
-        # @return [Rex::Proto::Rmi::Model::OutputHeader]
16
-        def build_header(opts = {})
17
-          signature = opts[:signature] || Rex::Proto::Rmi::Model::SIGNATURE
18
-          version = opts[:version] || 2
19
-          protocol = opts[:protocol] || Rex::Proto::Rmi::Model::STREAM_PROTOCOL
20
-
21
-          header = Rex::Proto::Rmi::Model::OutputHeader.new(
22
-              signature: signature,
23
-              version: version,
24
-              protocol: protocol)
25
-
26
-          header
27
-        end
28
-
29
-        # Builds a RMI call stream
30
-        #
31
-        # @param opts [Hash{Symbol => <Fixnum, Array>}]
32
-        # @option opts [Fixnum] :message_id
33
-        # @option opts [Fixnum] :object_number Random to identify the object.
34
-        # @option opts [Fixnum] :uid_number Identifies the VM where the object was generated.
35
-        # @option opts [Fixnum] :uid_time Time where the object was generated.
36
-        # @option opts [Fixnum] :uid_count Identifies different instance of the same object generated from the same VM
37
-        #   at the same time.
38
-        # @option opts [Fixnum] :operation On JDK 1.1 stub protocol the operation index in the interface. On JDK 1.2
39
-        #   it is -1.
40
-        # @option opts [Fixnum] :hash On JDK 1.1 stub protocol the stub's interface hash. On JDK1.2 is a hash
41
-        #   representing the method to call.
42
-        # @option opts [Array] :arguments
43
-        # @return [Rex::Proto::Rmi::Model::Call]
44
-        def build_call(opts = {})
45
-          message_id = opts[:message_id] || Rex::Proto::Rmi::Model::CALL_MESSAGE
46
-          object_number = opts[:object_number] || 0
47
-          uid_number = opts[:uid_number] || 0
48
-          uid_time = opts[:uid_time] ||  0
49
-          uid_count = opts[:uid_count] || 0
50
-          operation = opts[:operation] || -1
51
-          hash = opts[:hash] || 0
52
-          arguments = opts[:arguments] || []
53
-
54
-          uid = Rex::Proto::Rmi::Model::UniqueIdentifier.new(
55
-            number: uid_number,
56
-            time: uid_time,
57
-            count: uid_count
58
-          )
59
-
60
-          call_data = Rex::Proto::Rmi::Model::CallData.new(
61
-            object_number: object_number,
62
-            uid: uid,
63
-            operation: operation,
64
-            hash: hash,
65
-            arguments: arguments
66
-          )
67
-
68
-          call = Rex::Proto::Rmi::Model::Call.new(
69
-            message_id: message_id,
70
-            call_data: call_data
71
-          )
72
-
73
-          call
74
-        end
75
-
76
-        # Builds a RMI dgc ack stream
77
-        #
78
-        # @param opts [Hash{Symbol => <Fixnum, String>}]
79
-        # @option opts [Fixnum] :stream_id
80
-        # @option opts [String] :unique_identifier
81
-        # @return [Rex::Proto::Rmi::Model::DgcAck]
82
-        def build_dgc_ack(opts = {})
83
-          stream_id = opts[:stream_id] || Rex::Proto::Rmi::Model::DGC_ACK_MESSAGE
84
-          unique_identifier = opts[:unique_identifier] || "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
85
-
86
-          dgc_ack = Rex::Proto::Rmi::Model::DgcAck.new(
87
-              stream_id: stream_id,
88
-              unique_identifier: unique_identifier
89
-          )
90
-
91
-          dgc_ack
92
-        end
93
-      end
94
-    end
95
-  end
96
-end

+ 0
- 164
lib/msf/java/rmi/client.rb View File

@@ -1,164 +0,0 @@
1
-# -*- coding: binary -*-
2
-require 'rex/proto/rmi'
3
-require 'rex/java/serialization'
4
-require 'stringio'
5
-
6
-module Msf
7
-  module Java
8
-    module Rmi
9
-      module Client
10
-
11
-        require 'msf/java/rmi/util'
12
-        require 'msf/java/rmi/builder'
13
-        require 'msf/java/rmi/client/registry'
14
-        require 'msf/java/rmi/client/jmx'
15
-
16
-        include Msf::Java::Rmi::Util
17
-        include Msf::Java::Rmi::Builder
18
-        include Msf::Java::Rmi::Client::Registry
19
-        include Msf::Java::Rmi::Client::Jmx
20
-        include Exploit::Remote::Tcp
21
-
22
-        def initialize(info = {})
23
-          super
24
-
25
-          register_advanced_options(
26
-            [
27
-              OptInt.new('RmiReadLoopTimeout', [ true, 'Maximum number of seconds to wait for data between read iterations', 1])
28
-            ], Msf::Java::Rmi::Client
29
-          )
30
-        end
31
-
32
-        # Returns the timeout to wait for data between read iterations
33
-        #
34
-        # @return [Fixnum]
35
-        def read_loop_timeout
36
-          datastore['RmiReadLoopTimeout'] || 1
37
-        end
38
-
39
-        # Returns the target host
40
-        #
41
-        # @return [String]
42
-        def rhost
43
-          datastore['RHOST']
44
-        end
45
-
46
-        # Returns the target port
47
-        #
48
-        # @return [Fixnum]
49
-        def rport
50
-          datastore['RPORT']
51
-        end
52
-
53
-        # Returns the RMI server peer
54
-        #
55
-        # @return [String]
56
-        def peer
57
-          "#{rhost}:#{rport}"
58
-        end
59
-
60
-        # Sends a RMI header stream
61
-        #
62
-        # @param opts [Hash]
63
-        # @option opts [Rex::Socket::Tcp] :sock
64
-        # @return [Fixnum] the number of bytes sent
65
-        # @see Msf::Rmi::Client::Streams#build_header
66
-        def send_header(opts = {})
67
-          nsock = opts[:sock] || sock
68
-          stream = build_header(opts)
69
-          nsock.put(stream.encode + "\x00\x00\x00\x00\x00\x00")
70
-        end
71
-
72
-        # Sends a RMI CALL stream
73
-        #
74
-        # @param opts [Hash]
75
-        # @option opts [Rex::Socket::Tcp] :sock
76
-        # @option opts [Rex::Proto::Rmi::Model::Call] :call
77
-        # @return [Fixnum] the number of bytes sent
78
-        # @see Msf::Rmi::Client::Streams#build_call
79
-        def send_call(opts = {})
80
-          nsock = opts[:sock] || sock
81
-          call = opts[:call] || build_call(opts)
82
-          nsock.put(call.encode)
83
-        end
84
-
85
-        # Sends a RMI DGCACK stream
86
-        #
87
-        # @param opts [Hash]
88
-        # @option opts [Rex::Socket::Tcp] :sock
89
-        # @return [Fixnum] the number of bytes sent
90
-        # @see Msf::Rmi::Client::Streams#build_dgc_ack
91
-        def send_dgc_ack(opts = {})
92
-          nsock = opts[:sock] || sock
93
-          stream = build_dgc_ack(opts)
94
-          nsock.put(stream.encode)
95
-        end
96
-
97
-        # Reads the Protocol Ack
98
-        #
99
-        # @param opts [Hash]
100
-        # @option opts [Rex::Socket::Tcp] :sock
101
-        # @return [Rex::Proto::Rmi::Model::ProtocolAck] if success
102
-        # @return [NilClass] otherwise
103
-        # @see Rex::Proto::Rmi::Model::ProtocolAck.decode
104
-        def recv_protocol_ack(opts = {})
105
-          nsock = opts[:sock] || sock
106
-          data = safe_get_once(nsock)
107
-          begin
108
-            ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(data))
109
-          rescue Rex::Proto::Rmi::DecodeError
110
-            return nil
111
-          end
112
-
113
-          ack
114
-        end
115
-
116
-        # Reads a ReturnData message and returns the java serialized stream
117
-        # with the return data value.
118
-        #
119
-        # @param opts [Hash]
120
-        # @option opts [Rex::Socket::Tcp] :sock
121
-        # @return [Rex::Proto::Rmi::Model::ReturnValue] if success
122
-        # @return [NilClass] otherwise
123
-        # @see Rex::Proto::Rmi::Model::ReturnData.decode
124
-        def recv_return(opts = {})
125
-          nsock = opts[:sock] || sock
126
-          data = safe_get_once(nsock)
127
-
128
-          begin
129
-            return_data = Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(data))
130
-          rescue Rex::Proto::Rmi::DecodeError
131
-            return nil
132
-          end
133
-
134
-          return_data.return_value
135
-        end
136
-
137
-        # Helper method to read fragmented data from a ```Rex::Socket::Tcp```
138
-        #
139
-        # @param nsock [Rex::Socket::Tcp]
140
-        # @return [String]
141
-        def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
142
-          data = ''
143
-          begin
144
-            res = nsock.get_once
145
-          rescue ::EOFError
146
-            res = nil
147
-          end
148
-
149
-          while res && nsock.has_read_data?(loop_timeout)
150
-            data << res
151
-            begin
152
-              res = nsock.get_once
153
-            rescue ::EOFError
154
-              res = nil
155
-            end
156
-          end
157
-
158
-          data << res if res
159
-          data
160
-        end
161
-      end
162
-    end
163
-  end
164
-end

+ 0
- 23
lib/msf/java/rmi/client/jmx.rb View File

@@ -1,23 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        module Jmx
8
-          require 'msf/java/rmi/client/jmx/server'
9
-          require 'msf/java/rmi/client/jmx/connection'
10
-
11
-          include Msf::Java::Rmi::Client::Jmx::Server
12
-          include Msf::Java::Rmi::Client::Jmx::Connection
13
-
14
-          OBJECT_NAME_UID = 1081892073854801359
15
-          BYTE_ARRAY_UID = -5984413125824719648
16
-          MARSHALLED_OBJECT_UID = 8988374069173025854
17
-          STRING_ARRAY_UID = -5921575005990323385
18
-          OBJECT_ARRAY_UID = -8012369246846506644
19
-        end
20
-      end
21
-    end
22
-  end
23
-end

+ 0
- 122
lib/msf/java/rmi/client/jmx/connection.rb View File

@@ -1,122 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        module Jmx
8
-          # This mixin provides methods to simulate calls to the Java
9
-          # javax/management/remote/rmi/RMIConnectionImpl_Stub
10
-          # interface
11
-          module Connection
12
-            require 'msf/java/rmi/client/jmx/connection/builder'
13
-
14
-            include Msf::Java::Rmi::Client::Jmx::Connection::Builder
15
-
16
-            # Sends a call to the JMXRMI endpoint to retrieve an MBean instance. Simulates a call
17
-            # to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance()
18
-            # method.
19
-            #
20
-            # @param opts [Hash]
21
-            # @option opts [Rex::Socket::Tcp] :sock
22
-            # @return [TrueClass, NilClass] true if success, nil otherwise
23
-            # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
24
-            # @see Msf::Java::Rmi::Client::Registry::Builder.build_jmx_get_object_instance
25
-            def send_jmx_get_object_instance(opts = {})
26
-              send_call(
27
-                sock: opts[:sock] || sock,
28
-                call: build_jmx_get_object_instance(opts)
29
-              )
30
-
31
-              return_value = recv_return(
32
-                sock: opts[:sock] || sock
33
-              )
34
-
35
-              if return_value.nil?
36
-                return nil
37
-              end
38
-
39
-              if return_value.is_exception?
40
-                raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
41
-              end
42
-
43
-              unless return_value.get_class_name == 'javax.management.ObjectInstance'
44
-                return nil
45
-              end
46
-
47
-              true
48
-            end
49
-
50
-            # Sends a call to the JMXRMI endpoint to create an MBean instance. Simulates a call
51
-            # to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean()
52
-            # method.
53
-            #
54
-            # @param opts [Hash]
55
-            # @option opts [Rex::Socket::Tcp] :sock
56
-            # @return [TrueClass, NilClass] true if success, nil otherwise
57
-            # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
58
-            # @see Msf::Java::Rmi::Client::Registry::Builder.build_jmx_create_mbean
59
-            def send_jmx_create_mbean(opts = {})
60
-              send_call(
61
-                sock: opts[:sock] || sock,
62
-                call: build_jmx_create_mbean(opts)
63
-              )
64
-
65
-              return_value = recv_return(
66
-                sock: opts[:sock] || sock
67
-              )
68
-
69
-              if return_value.nil?
70
-                return nil
71
-              end
72
-
73
-              if return_value.is_exception?
74
-                raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
75
-              end
76
-
77
-              unless return_value.get_class_name == 'javax.management.ObjectInstance'
78
-                return nil
79
-              end
80
-
81
-              true
82
-            end
83
-
84
-            # Sends a call to the JMXRMI endpoint to invoke an MBean method. Simulates a call
85
-            # to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()
86
-            # method.
87
-            #
88
-            # @param opts [Hash]
89
-            # @option opts [Rex::Socket::Tcp] :sock
90
-            # @return [TrueClass, NilClass] true if success, nil otherwise
91
-            # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
92
-            # @see Msf::Java::Rmi::Client::Registry::Builder.build_jmx_invoke
93
-            def send_jmx_invoke(opts = {})
94
-              send_call(
95
-                sock: opts[:sock] || sock,
96
-                call: build_jmx_invoke(opts)
97
-              )
98
-
99
-              return_value = recv_return(
100
-                sock: opts[:sock] || sock
101
-              )
102
-
103
-              if return_value.nil?
104
-                return nil
105
-              end
106
-
107
-              if return_value.is_exception?
108
-                raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
109
-              end
110
-
111
-              unless return_value.get_class_name == 'java.util.HashSet'
112
-                return nil
113
-              end
114
-
115
-              true
116
-            end
117
-          end
118
-        end
119
-      end
120
-    end
121
-  end
122
-end

+ 0
- 234
lib/msf/java/rmi/client/jmx/connection/builder.rb View File

@@ -1,234 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        module Jmx
8
-          module Connection
9
-            module Builder
10
-              # Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance()
11
-              # used to retrieve an MBean instance
12
-              #
13
-              # @param opts [Hash]
14
-              # @option opts [String] :name the MBean name
15
-              # @return [Rex::Proto::Rmi::Model::Call]
16
-              # @see Msf::Java::Rmi::Builder.build_call
17
-              def build_jmx_get_object_instance(opts = {})
18
-                object_number = opts[:object_number] || 0
19
-                uid_number = opts[:uid_number] || 0
20
-                uid_time = opts[:uid_time] || 0
21
-                uid_count = opts[:uid_count] || 0
22
-                name = opts[:name] || ''
23
-
24
-                arguments = build_jmx_get_object_instance_args(name)
25
-
26
-                method_hash = calculate_method_hash('getObjectInstance(Ljavax/management/ObjectName;Ljavax/security/auth/Subject;)Ljavax/management/ObjectInstance;')
27
-
28
-                call = build_call(
29
-                  object_number: object_number,
30
-                  uid_number: uid_number,
31
-                  uid_time: uid_time,
32
-                  uid_count: uid_count,
33
-                  operation: -1,
34
-                  hash: method_hash,
35
-                  arguments: arguments
36
-                )
37
-
38
-                call
39
-              end
40
-
41
-              # Builds an an array of arguments o build a call to
42
-              # javax/management/remote/rmi/RMIConnectionImpl_Stub#getObjectInstance()
43
-              #
44
-              # @param name [String] the MBean name
45
-              # @return [Array]
46
-              def build_jmx_get_object_instance_args(name = '')
47
-                builder = Rex::Java::Serialization::Builder.new
48
-
49
-                new_object = builder.new_object(
50
-                  name: 'javax.management.ObjectName',
51
-                  serial: Msf::Java::Rmi::Client::Jmx::OBJECT_NAME_UID, # serialVersionUID
52
-                  flags: 3
53
-                )
54
-
55
-                arguments = [
56
-                  new_object,
57
-                  Rex::Java::Serialization::Model::Utf.new(nil, name),
58
-                  Rex::Java::Serialization::Model::EndBlockData.new,
59
-                  Rex::Java::Serialization::Model::NullReference.new
60
-                ]
61
-
62
-                arguments
63
-              end
64
-
65
-              # Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean()
66
-              # used to retrieve an MBean instance
67
-              #
68
-              # @param opts [Hash]
69
-              # @option opts [String] :name the MBean name
70
-              # @return [Rex::Proto::Rmi::Model::Call]
71
-              # @see Msf::Java::Rmi::Builder.build_call
72
-              def build_jmx_create_mbean(opts = {})
73
-                name = opts[:name] || ''
74
-                object_number = opts[:object_number] || 0
75
-                uid_number = opts[:uid_number] || 0
76
-                uid_time = opts[:uid_time] || 0
77
-                uid_count = opts[:uid_count] || 0
78
-
79
-                method_hash = calculate_method_hash('createMBean(Ljava/lang/String;Ljavax/management/ObjectName;Ljavax/security/auth/Subject;)Ljavax/management/ObjectInstance;')
80
-
81
-                arguments = build_jmx_create_mbean_args(name)
82
-
83
-                call = build_call(
84
-                  object_number: object_number,
85
-                  uid_number: uid_number,
86
-                  uid_time: uid_time,
87
-                  uid_count: uid_count,
88
-                  operation: -1,
89
-                  hash: method_hash,
90
-                  arguments: arguments
91
-                )
92
-
93
-                call
94
-              end
95
-
96
-              # Builds an an array of arguments o build a call to
97
-              # javax/management/remote/rmi/RMIConnectionImpl_Stub#createMBean()
98
-              #
99
-              # @param name [Hash] the MBean name
100
-              # @return [Array]
101
-              def build_jmx_create_mbean_args(name = '')
102
-                arguments = [
103
-                  Rex::Java::Serialization::Model::Utf.new(nil, name),
104
-                  Rex::Java::Serialization::Model::NullReference.new,
105
-                  Rex::Java::Serialization::Model::NullReference.new
106
-                ]
107
-
108
-                arguments
109
-              end
110
-            end
111
-
112
-
113
-            # Builds an RMI call to javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()
114
-            # used to invoke an MBean method
115
-            #
116
-            # @param opts [Hash]
117
-            # @option opts [String] :name the MBean name
118
-            # @return [Rex::Proto::Rmi::Model::Call]
119
-            # @see Msf::Java::Rmi::Builder.build_call
120
-            # @see #build_jmx_invoke_args
121
-            def build_jmx_invoke(opts = {})
122
-              object_number = opts[:object_number] || 0
123
-              uid_number = opts[:uid_number] || 0
124
-              uid_time = opts[:uid_time] || 0
125
-              uid_count = opts[:uid_count] || 0
126
-
127
-              method_hash = calculate_method_hash('invoke(Ljavax/management/ObjectName;Ljava/lang/String;Ljava/rmi/MarshalledObject;[Ljava/lang/String;Ljavax/security/auth/Subject;)Ljava/lang/Object;')
128
-
129
-              arguments = build_jmx_invoke_args(opts)
130
-
131
-              call = build_call(
132
-                object_number: object_number,
133
-                uid_number: uid_number,
134
-                uid_time: uid_time,
135
-                uid_count: uid_count,
136
-                operation: -1,
137
-                hash: method_hash,
138
-                arguments: arguments
139
-              )
140
-
141
-              call
142
-            end
143
-
144
-            # Builds an an array of arguments o build a call to
145
-            # javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()
146
-            #
147
-            # @param opts [Hash]
148
-            # @option opts [String] :object the MBean name
149
-            # @option opts [String] :method the method name
150
-            # @option opts [Hash] :args the method arguments
151
-            # @return [Array]
152
-            def build_jmx_invoke_args(opts = {})
153
-              object_name = opts[:object] || ''
154
-              method_name = opts[:method] || ''
155
-              args = opts[:args] || {}
156
-
157
-              builder = Rex::Java::Serialization::Builder.new
158
-
159
-              new_object = builder.new_object(
160
-                name: 'javax.management.ObjectName',
161
-                serial: Msf::Java::Rmi::Client::Jmx::OBJECT_NAME_UID, # serialVersionUID
162
-                flags: 3
163
-              )
164
-
165
-              data_binary = builder.new_array(
166
-                name: '[B',
167
-                serial: Msf::Java::Rmi::Client::Jmx::BYTE_ARRAY_UID, # serialVersionUID
168
-                values_type: 'byte',
169
-                values: build_invoke_arguments_obj_bytes(args).encode.unpack('C*')
170
-              )
171
-
172
-              marshall_object = builder.new_object(
173
-                name: 'java.rmi.MarshalledObject',
174
-                serial: Msf::Java::Rmi::Client::Jmx::MARSHALLED_OBJECT_UID, # serialVersionUID
175
-                fields: [
176
-                  ['int', 'hash'],
177
-                  ['array', 'locBytes', '[B'],
178
-                  ['array', 'objBytes', '[B']
179
-                ],
180
-                data: [
181
-                  ["int", 1919492550],
182
-                  Rex::Java::Serialization::Model::NullReference.new,
183
-                  data_binary
184
-                ]
185
-              )
186
-
187
-              new_array = builder.new_array(
188
-                name: '[Ljava.lang.String;',
189
-                serial: Msf::Java::Rmi::Client::Jmx::STRING_ARRAY_UID, # serialVersionUID
190
-                values_type: 'java.lang.String;',
191
-                values: args.keys.collect { |k| Rex::Java::Serialization::Model::Utf.new(nil, k) }
192
-              )
193
-
194
-              arguments = [
195
-                new_object,
196
-                Rex::Java::Serialization::Model::Utf.new(nil, object_name),
197
-                Rex::Java::Serialization::Model::EndBlockData.new,
198
-                Rex::Java::Serialization::Model::Utf.new(nil, method_name),
199
-                marshall_object,
200
-                new_array,
201
-                Rex::Java::Serialization::Model::NullReference.new
202
-              ]
203
-
204
-              arguments
205
-            end
206
-
207
-            # Builds a Rex::Java::Serialization::Model::Stream with the arguments to
208
-            # simulate a call to the Java javax/management/remote/rmi/RMIConnectionImpl_Stub#invoke()
209
-            # method.
210
-            #
211
-            # @param args [Hash] the arguments of the method to invoke
212
-            # @return [Rex::Java::Serialization::Model::Stream]
213
-            def build_invoke_arguments_obj_bytes(args = {})
214
-              builder = Rex::Java::Serialization::Builder.new
215
-
216
-              new_array = builder.new_array(
217
-                name: '[Ljava.lang.Object;',
218
-                serial: Msf::Java::Rmi::Client::Jmx::OBJECT_ARRAY_UID, # serialVersionUID
219
-                annotations: [Rex::Java::Serialization::Model::EndBlockData.new],
220
-                values_type: 'java.lang.Object;',
221
-                values: args.values.collect { |arg| Rex::Java::Serialization::Model::Utf.new(nil, arg) }
222
-              )
223
-
224
-              stream = Rex::Java::Serialization::Model::Stream.new
225
-              stream.contents << new_array
226
-
227
-              stream
228
-            end
229
-          end
230
-        end
231
-      end
232
-    end
233
-  end
234
-end

+ 0
- 57
lib/msf/java/rmi/client/jmx/server.rb View File

@@ -1,57 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        module Jmx
8
-          module Server
9
-            require 'msf/java/rmi/client/jmx/server/builder'
10
-            require 'msf/java/rmi/client/jmx/server/parser'
11
-
12
-            include Msf::Java::Rmi::Client::Jmx::Server::Builder
13
-            include Msf::Java::Rmi::Client::Jmx::Server::Parser
14
-
15
-            # Sends a call to the JMXRMI endpoint to retrieve an MBean instance. Simulates a call
16
-            # to the Java javax/management/remote/rmi/RMIServer_Stub#newClient()
17
-            # method.
18
-            #
19
-            # @param opts [Hash]
20
-            # @option opts [Rex::Socket::Tcp] :sock
21
-            # @return [Hash, NilClass] The connection information if success, nil otherwise
22
-            # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
23
-            # @see Msf::Java::Rmi::Client::Registry::Builder.build_jmx_new_client
24
-            def send_new_client(opts = {})
25
-              send_call(
26
-                sock: opts[:sock] || sock,
27
-                call: build_jmx_new_client(opts)
28
-              )
29
-
30
-              return_value = recv_return(
31
-                sock: opts[:sock] || sock
32
-              )
33
-
34
-              if return_value.nil?
35
-                return nil
36
-              end
37
-
38
-              if return_value.is_exception?
39
-                raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
40
-              end
41
-
42
-              remote_object = return_value.get_class_name
43
-
44
-              unless remote_object && remote_object == 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
45
-                return nil
46
-              end
47
-
48
-              reference = parse_jmx_new_client_endpoint(return_value)
49
-
50
-              reference
51
-            end
52
-          end
53
-        end
54
-      end
55
-    end
56
-  end
57
-end

+ 0
- 73
lib/msf/java/rmi/client/jmx/server/builder.rb View File

@@ -1,73 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        module Jmx
8
-          module Server
9
-            module Builder
10
-
11
-              # Builds an RMI call to javax/management/remote/rmi/RMIServer_Stub#newClient()
12
-              # used to enumerate the names bound in a registry
13
-              #
14
-              # @param opts [Hash]
15
-              # @option opts [String] :username the JMX role to establish the connection if needed
16
-              # @option opts [String] :password the JMX password to establish the connection if needed
17
-              # @return [Rex::Proto::Rmi::Model::Call]
18
-              # @see Msf::Java::Rmi::Builder.build_call
19
-              def build_jmx_new_client(opts = {})
20
-                object_number = opts[:object_number] || 0
21
-                uid_number = opts[:uid_number] || 0
22
-                uid_time = opts[:uid_time] || 0
23
-                uid_count = opts[:uid_count] || 0
24
-                username = opts[:username]
25
-                password = opts[:password] || ''
26
-
27
-                if username
28
-                  arguments = build_jmx_new_client_args(username, password)
29
-                else
30
-                  arguments = [Rex::Java::Serialization::Model::NullReference.new]
31
-                end
32
-
33
-                call = build_call(
34
-                  object_number: object_number,
35
-                  uid_number: uid_number,
36
-                  uid_time: uid_time,
37
-                  uid_count: uid_count,
38
-                  operation: -1,
39
-                  hash: -1089742558549201240, # javax.management.remote.rmi.RMIServer.newClient
40
-                  arguments: arguments
41
-                )
42
-
43
-                call
44
-              end
45
-
46
-              # Builds a Rex::Java::Serialization::Model::NewArray with credentials
47
-              # to make an javax/management/remote/rmi/RMIServer_Stub#newClient call
48
-              #
49
-              # @param username [String] The username (role) to authenticate with
50
-              # @param password [String] The password to authenticate with
51
-              # @return [Array<Rex::Java::Serialization::Model::NewArray>]
52
-              def build_jmx_new_client_args(username = '', password = '')
53
-                builder = Rex::Java::Serialization::Builder.new
54
-
55
-                auth_array = builder.new_array(
56
-                  name: '[Ljava.lang.String;',
57
-                  serial: Msf::Java::Rmi::Client::Jmx::STRING_ARRAY_UID, # serialVersionUID
58
-                  values_type: 'java.lang.String;',
59
-                  values: [
60
-                    Rex::Java::Serialization::Model::Utf.new(nil, username),
61
-                    Rex::Java::Serialization::Model::Utf.new(nil, password)
62
-                  ]
63
-                )
64
-
65
-                [auth_array]
66
-              end
67
-            end
68
-          end
69
-        end
70
-      end
71
-    end
72
-  end
73
-end

+ 0
- 35
lib/msf/java/rmi/client/jmx/server/parser.rb View File

@@ -1,35 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        module Jmx
8
-          module Server
9
-            module Parser
10
-              # Parses a javax/management/remote/rmi/RMIServer_Stub#newClient() return value
11
-              # to find out the remote reference information.
12
-              #
13
-              # @param return_value [Rex::Java::Serialization::Model::ReturnValue]
14
-              # @return [Hash, NilClass] The remote interface information if success, nil otherwise
15
-              def parse_jmx_new_client_endpoint(return_value)
16
-                values_size = return_value.value.length
17
-                end_point_block_data = return_value.value[values_size - 2]
18
-
19
-                unless end_point_block_data.is_a?(Rex::Java::Serialization::Model::BlockData)
20
-                  return nil
21
-                end
22
-
23
-                return_io = StringIO.new(end_point_block_data.contents, 'rb')
24
-
25
-                reference = extract_reference(return_io)
26
-
27
-                reference
28
-              end
29
-            end
30
-          end
31
-        end
32
-      end
33
-    end
34
-  end
35
-end

+ 0
- 129
lib/msf/java/rmi/client/registry.rb View File

@@ -1,129 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        # This mixin provides methods to simulate calls to the Java java/rmi/registry/RegistryImpl_Stub
8
-        # interface
9
-        module Registry
10
-          require 'msf/java/rmi/client/registry/builder'
11
-          require 'msf/java/rmi/client/registry/parser'
12
-
13
-          include Msf::Java::Rmi::Client::Registry::Builder
14
-          include Msf::Java::Rmi::Client::Registry::Parser
15
-
16
-          # Sends a Registry lookup call to the RMI endpoint. Simulates a call to the Java
17
-          # java/rmi/registry/RegistryImpl_Stub#lookup() method.
18
-          #
19
-          # @param opts [Hash]
20
-          # @option opts [Rex::Socket::Tcp] :sock
21
-          # @return [Hash, NilClass] The remote reference information if success, nil otherwise
22
-          # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
23
-          # @see Msf::Java::Rmi::Client::Registry::Builder.build_registry_lookup
24
-          def send_registry_lookup(opts = {})
25
-            send_call(
26
-              sock: opts[:sock] || sock,
27
-              call: build_registry_lookup(opts)
28
-            )
29
-
30
-            return_value = recv_return(
31
-              sock: opts[:sock] || sock
32
-            )
33
-
34
-            if return_value.nil?
35
-              return nil
36
-            end
37
-
38
-            if return_value.is_exception?
39
-              raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
40
-            end
41
-
42
-            remote_object = return_value.get_class_name
43
-
44
-            if remote_object.nil?
45
-              return nil
46
-            end
47
-
48
-            remote_location = parse_registry_lookup_endpoint(return_value)
49
-
50
-            if remote_location.nil?
51
-              return nil
52
-            end
53
-
54
-            remote_location.merge(object: remote_object)
55
-          end
56
-
57
-          # Sends a Registry list call to the RMI endpoint. Simulates a call to the Java
58
-          # java/rmi/registry/RegistryImpl_Stub#list() method
59
-          #
60
-          # @param opts [Hash]
61
-          # @option opts [Rex::Socket::Tcp] :sock
62
-          # @return [Array, NilClass] The set of names if success, nil otherwise
63
-          # @raise [Rex::Proto::Rmi::Exception] if the endpoint raises a remote exception
64
-          # @see Msf::Java::Rmi::Client::Registry::Builder.build_registry_list
65
-          def send_registry_list(opts = {})
66
-            send_call(
67
-              sock: opts[:sock] || sock,
68
-              call: build_registry_list(opts)
69
-            )
70
-
71
-            return_value = recv_return(
72
-              sock: opts[:sock] || sock
73
-            )
74
-
75
-            if return_value.nil?
76
-              return nil
77
-            end
78
-
79
-            if return_value.is_exception?
80
-              raise ::Rex::Proto::Rmi::Exception, return_value.get_class_name
81
-            end
82
-
83
-            names = parse_registry_list(return_value)
84
-
85
-            names
86
-          end
87
-
88
-          # Calculates the hash to make RMI calls for the
89
-          # java/rmi/registry/RegistryImpl_Stub interface
90
-          #
91
-          # @return [Fixnum] The interface's hash
92
-          def registry_interface_hash
93
-            hash = calculate_interface_hash(
94
-              [
95
-                {
96
-                  name: 'bind',
97
-                  descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
98
-                  exceptions: ['java.rmi.AccessException', 'java.rmi.AlreadyBoundException', 'java.rmi.RemoteException']
99
-                },
100
-                {
101
-                  name: 'list',
102
-                  descriptor: '()[Ljava/lang/String;',
103
-                  exceptions: ['java.rmi.AccessException', 'java.rmi.RemoteException']
104
-                },
105
-                {
106
-                  name: 'lookup',
107
-                  descriptor: '(Ljava/lang/String;)Ljava/rmi/Remote;',
108
-                  exceptions: ['java.rmi.AccessException', 'java.rmi.NotBoundException', 'java.rmi.RemoteException']
109
-                },
110
-                {
111
-                  name: 'rebind',
112
-                  descriptor: '(Ljava/lang/String;Ljava/rmi/Remote;)V',
113
-                  exceptions: ['java.rmi.AccessException', 'java.rmi.RemoteException']
114
-                },
115
-                {
116
-                  name: 'unbind',
117
-                  descriptor: '(Ljava/lang/String;)V',
118
-                  exceptions: ['java.rmi.AccessException', 'java.rmi.NotBoundException', 'java.rmi.RemoteException']
119
-                }
120
-              ]
121
-            )
122
-
123
-            hash
124
-          end
125
-        end
126
-      end
127
-    end
128
-  end
129
-end

+ 0
- 66
lib/msf/java/rmi/client/registry/builder.rb View File

@@ -1,66 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        module Registry
8
-          module Builder
9
-
10
-            # Builds an RMI call to java/rmi/registry/RegistryImpl_Stub#lookup() used to
11
-            # retrieve the remote reference bound to a name.
12
-            #
13
-            # @param opts [Hash]
14
-            # @option opts [String] :name the name to lookup
15
-            # @return [Rex::Proto::Rmi::Model::Call]
16
-            # @see Msf::Java::Rmi::Builder.build_call
17
-            def build_registry_lookup(opts = {})
18
-              object_number = opts[:object_number] || 0
19
-              uid_number = opts[:uid_number] || 0
20
-              uid_time = opts[:uid_time] || 0
21
-              uid_count = opts[:uid_count] || 0
22
-              name = opts[:name] || ''
23
-
24
-              call = build_call(
25
-                object_number: object_number,
26
-                uid_number: uid_number,
27
-                uid_time: uid_time,
28
-                uid_count: uid_count,
29
-                operation: 2, # java.rmi.Remote lookup(java.lang.String)
30
-                hash: registry_interface_hash,
31
-                arguments: [Rex::Java::Serialization::Model::Utf.new(nil, name)]
32
-              )
33
-
34
-              call
35
-            end
36
-
37
-            # Builds an RMI call to java/rmi/registry/RegistryImpl_Stub#list() used to
38
-            # enumerate the names bound in a registry
39
-            #
40
-            # @param opts [Hash]
41
-            # @return [Rex::Proto::Rmi::Model::Call]
42
-            # @see Msf::Java::Rmi::Builder.build_call
43
-            def build_registry_list(opts = {})
44
-              object_number = opts[:object_number] || 0
45
-              uid_number = opts[:uid_number] || 0
46
-              uid_time = opts[:uid_time] || 0
47
-              uid_count = opts[:uid_count] || 0
48
-
49
-              call = build_call(
50
-                object_number: object_number,
51
-                uid_number: uid_number,
52
-                uid_time: uid_time,
53
-                uid_count: uid_count,
54
-                operation: 1, # java.lang.String list()[]
55
-                hash: registry_interface_hash,
56
-                arguments: []
57
-              )
58
-
59
-              call
60
-            end
61
-          end
62
-        end
63
-      end
64
-    end
65
-  end
66
-end

+ 0
- 49
lib/msf/java/rmi/client/registry/parser.rb View File

@@ -1,49 +0,0 @@
1
-# -*- coding: binary -*-
2
-
3
-module Msf
4
-  module Java
5
-    module Rmi
6
-      module Client
7
-        module Registry
8
-          module Parser
9
-            # Parses a java/rmi/registry/RegistryImpl_Stub#lookup() return value to find out
10
-            # the remote reference information.
11
-            #
12
-            # @param return_value [Rex::Java::Serialization::Model::ReturnValue]
13
-            # @return [Hash, NilClass] The remote interface information if success, nil otherwise
14
-            def parse_registry_lookup_endpoint(return_value)
15
-              values_size = return_value.value.length
16
-              end_point_block_data = return_value.value[values_size - 2]
17
-              unless end_point_block_data.is_a?(Rex::Java::Serialization::Model::BlockData)
18
-                return nil
19
-              end
20
-
21
-              return_io = StringIO.new(end_point_block_data.contents, 'rb')
22
-
23
-              reference = extract_reference(return_io)
24
-
25
-              reference
26
-            end
27
-
28
-            # Parses a java/rmi/registry/RegistryImpl_Stub#list() return value to find out
29
-            # the list of names registered.
30
-            #
31
-            # @param return_value [Rex::Java::Serialization::Model::ReturnValue]
32
-            # @return [Array, NilClass] The list of names registered if success, nil otherwise
33
-            def parse_registry_list(return_value)
34
-              unless return_value.value[0].is_a?(Rex::Java::Serialization::Model::NewArray)
35
-                return nil
36
-              end
37
-
38
-              unless return_value.value[0].type == 'java.lang.String;'
39
-                return nil
40
-              end
41
-
42
-              return_value.value[0].values.collect { |val| val.contents }
43
-            end
44
-          end
45
-        end
46
-      end
47
-    end
48
-  end
49
-end

+ 0
- 122
lib/msf/java/rmi/util.rb View File

@@ -1,122 +0,0 @@
1
-# -*- coding: binary -*-
2
-require 'rex/java/serialization'
3
-require 'rex/text'
4
-
5
-module Msf
6
-  module Java
7
-    module Rmi
8
-      module Util
9
-        # Calculates a method hash to make RMI calls as defined by the JDK 1.2
10
-        #
11
-        # @param signature [String] The remote method signature as specified by the JDK 1.2,
12
-        #   method name + method descriptor (as explained in the Java Virtual Machine Specification)
13
-        # @return [Fixnum] The method hash
14
-        # @see http://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmi-stubs24.html The RemoteRef Interface documentation to understand how method hashes are calculated
15
-        def calculate_method_hash(signature)
16
-          utf = Rex::Java::Serialization::Model::Utf.new(nil, signature)
17
-          sha1 = Rex::Text.sha1_raw(utf.encode)
18
-
19
-          sha1.unpack('Q<')[0]
20
-        end
21
-
22
-        # Calculates an interface hash to make RMI calls as defined by the JDK 1.1
23
-        #
24
-        # @param methods [Array] set of method names and their descriptors
25
-        # @return [Fixnum] The interface hash
26
-        # @see http://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmi-stubs24.html The RemoteRef Interface documentation to understand how interface hashes are calculated
27
-        def calculate_interface_hash(methods)
28
-          stream = ''
29
-          stream << [1].pack('N') # stub version number
30
-
31
-          methods.each do |m|
32
-            utf_method = Rex::Java::Serialization::Model::Utf.new(nil, m[:name])
33
-            utf_descriptor = Rex::Java::Serialization::Model::Utf.new(nil, m[:descriptor])
34
-            stream << utf_method.encode
35
-            stream << utf_descriptor.encode
36
-            m[:exceptions].each do |e|
37
-              utf_exception = Rex::Java::Serialization::Model::Utf.new(nil, e)
38
-              stream << utf_exception.encode
39
-            end
40
-          end
41
-
42
-          sha1 = Rex::Text.sha1_raw(stream)
43
-
44
-          sha1.unpack('Q<')[0]
45
-        end
46
-
47
-        # Extracts an string from an IO
48
-        #
49
-        # @param io [IO] the io to extract the string from
50
-        # @return [String, nil] the extracted string if success, nil otherwise
51
-        def extract_string(io)
52
-          raw_length = io.read(2)
53
-          unless raw_length && raw_length.length == 2
54
-            return nil
55
-          end
56
-          length = raw_length.unpack('s>')[0]
57
-
58
-          string = io.read(length)
59
-          unless string && string.length == length
60
-            return nil
61
-          end
62
-
63
-          string
64
-        end
65
-
66
-        # Extracts an int from an IO
67
-        #
68
-        # @param io [IO] the io to extract the int from
69
-        # @return [Fixnum, nil] the extracted int if success, nil otherwise
70
-        def extract_int(io)
71
-          int_raw = io.read(4)
72
-          unless int_raw && int_raw.length == 4
73
-            return nil
74
-          end
75
-          int = int_raw.unpack('l>')[0]
76
-
77
-          int
78
-        end
79
-
80
-        # Extracts a long from an IO
81
-        #
82
-        # @param io [IO] the io to extract the long from
83
-        # @return [Fixnum, nil] the extracted int if success, nil otherwise
84
-        def extract_long(io)
85
-          int_raw = io.read(8)
86
-          unless int_raw && int_raw.length == 8
87
-            return nil
88
-          end
89
-          int = int_raw.unpack('q>')[0]
90
-
91
-          int
92
-        end
93
-
94
-        # Extract an RMI interface reference from an IO
95
-        #
96
-        # @param io [IO] the io to extract the reference from, should contain the data
97
-        #   inside a BlockData with the reference information.
98
-        # @return [Hash, nil] the extracted reference if success, nil otherwise
99
-        # @see Msf::Java::Rmi::Client::Jmx:Server::Parser#parse_jmx_new_client_endpoint
100
-        # @see Msf::Java::Rmi::Client::Registry::Parser#parse_registry_lookup_endpoint
101
-        def extract_reference(io)
102
-          ref = extract_string(io)
103
-          unless ref && ref == 'UnicastRef'
104
-            return nil
105
-          end
106
-
107
-          address = extract_string(io)
108
-          return nil unless address
109
-
110
-          port = extract_int(io)
111
-          return nil unless port
112
-
113
-          object_number = extract_long(io)
114
-
115
-          uid = Rex::Proto::Rmi::Model::UniqueIdentifier.decode(io)
116
-
117
-          {address: address, port: port, object_number: object_number, uid: uid}
118
-        end
119
-      end
120
-    end
121
-  end
122
-end

+ 1
- 1
modules/auxiliary/gather/java_rmi_registry.rb View File

@@ -9,7 +9,7 @@ require 'rex/java/serialization'
9 9
 class Metasploit3 < Msf::Auxiliary
10 10
 
11 11
   include Msf::Auxiliary::Report
12
-  include Msf::Java::Rmi::Client
12
+  include Msf::Exploit::Remote::Java::Rmi::Client
13 13
 
14 14
   def initialize
15 15
     super(

+ 1
- 1
modules/auxiliary/scanner/misc/java_rmi_server.rb View File

@@ -8,7 +8,7 @@ require 'rex/java/serialization'
8 8
 
9 9
 class Metasploit3 < Msf::Auxiliary
10 10
 
11
-  include Msf::Java::Rmi::Client
11
+  include Msf::Exploit::Remote::Java::Rmi::Client
12 12
   include Msf::Auxiliary::Scanner
13 13
   include Msf::Auxiliary::Report
14 14
 

+ 1
- 1
modules/exploits/multi/misc/java_jmx_server.rb View File

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
9 9
   Rank = ExcellentRanking
10 10
 
11 11
   include Msf::Exploit::Remote::HttpServer
12
-  include Msf::Java::Rmi::Client
12
+  include Msf::Exploit::Remote::Java::Rmi::Client
13 13
 
14 14
   def initialize(info = {})
15 15
     super(update_info(info,

+ 1
- 1
modules/exploits/multi/misc/java_rmi_server.rb View File

@@ -8,7 +8,7 @@ require 'msf/core'
8 8
 class Metasploit3 < Msf::Exploit::Remote
9 9
   Rank = ExcellentRanking
10 10
 
11
-  include Msf::Java::Rmi::Client
11
+  include Msf::Exploit::Remote::Java::Rmi::Client
12 12
   include Msf::Exploit::Remote::HttpServer
13 13
 
14 14
   def initialize(info = {})

spec/lib/msf/java/rmi/builder_spec.rb → spec/lib/msf/core/exploit/remote/java/rmi/builder_spec.rb View File

@@ -3,12 +3,12 @@ require 'spec_helper'
3 3
 
4 4
 require 'rex/java/serialization'
5 5
 require 'rex/proto/rmi'
6
-require 'msf/java/rmi/builder'
6
+require 'msf/core/exploit/java/rmi/builder'
7 7
 
8
-describe Msf::Java::Rmi::Builder do
8
+describe Msf::Exploit::Remote::Java::Rmi::Builder do
9 9
   subject(:mod) do
10 10
     mod = ::Msf::Exploit.new
11
-    mod.extend ::Msf::Java::Rmi::Builder
11
+    mod.extend ::Msf::Exploit::Remote::Java::Rmi::Builder
12 12
     mod.send(:initialize)
13 13
     mod
14 14
   end

spec/lib/msf/java/rmi/client/jmx/connection/builder_spec.rb → spec/lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder_spec.rb View File

@@ -4,12 +4,12 @@ require 'spec_helper'
4 4
 require 'stringio'
5