Mirror of metasploit

builder.rb 3.1KB

  # -*- coding: binary -*-

  module Msf
    class Exploit
      class Remote
        module Java
          module Rmi
            module Client
              module Jmx
                module Server
                  # Builders for the RMI calls sent to a JMX RMIServer endpoint.
                  module Builder
                    # Builds the RMI call for
                    # javax/management/remote/rmi/RMIServer_Stub#newClient(), the
                    # request that opens a JMX connection on an RMIServer endpoint.
                    #
                    # When :username is nil the single call argument is a serialized
                    # null reference, so the request carries no credentials. Any
                    # other username, including '', produces a credentials array.
                    #
                    # @param opts [Hash]
                    # @option opts [Integer] :object_number forwarded to build_call (default 0)
                    # @option opts [Integer] :uid_number forwarded to build_call (default 0)
                    # @option opts [Integer] :uid_time forwarded to build_call (default 0)
                    # @option opts [Integer] :uid_count forwarded to build_call (default 0)
                    # @option opts [String] :username the JMX role to establish the connection if needed
                    # @option opts [String] :password the JMX password to establish the connection
                    #   if needed (default '')
                    # @return [Rex::Proto::Rmi::Model::Call]
                    # @see Msf::Exploit::Remote::Java::Rmi::Builder.build_call
                    def build_jmx_new_client(opts = {})
                      username = opts[:username]

                      # Only a missing username selects the credential-less form;
                      # a missing password is sent as an empty string.
                      arguments =
                        if username
                          build_jmx_new_client_args(username, opts[:password] || '')
                        else
                          [Rex::Java::Serialization::Model::NullReference.new]
                        end

                      build_call(
                        object_number: opts[:object_number] || 0,
                        uid_number: opts[:uid_number] || 0,
                        uid_time: opts[:uid_time] || 0,
                        uid_count: opts[:uid_count] || 0,
                        operation: -1,
                        hash: -1089742558549201240, # javax.management.remote.rmi.RMIServer.newClient
                        arguments: arguments
                      )
                    end

                    # Builds the credentials argument for a
                    # javax/management/remote/rmi/RMIServer_Stub#newClient call: a
                    # serialized String[] holding the username followed by the password.
                    #
                    # Both values are embedded as plain UTF strings. This builder adds
                    # no protection of its own, so their confidentiality depends on
                    # whatever transport carries the resulting call.
                    #
                    # @param username [String] The username (role) to authenticate with
                    # @param password [String] The password to authenticate with
                    # @return [Array<Rex::Java::Serialization::Model::NewArray>] a
                    #   one-element argument list
                    def build_jmx_new_client_args(username = '', password = '')
                      serializer = Rex::Java::Serialization::Builder.new

                      [
                        serializer.new_array(
                          name: '[Ljava.lang.String;',
                          serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::STRING_ARRAY_UID, # serialVersionUID
                          values_type: 'java.lang.String;',
                          values: [username, password].map do |value|
                            Rex::Java::Serialization::Model::Utf.new(nil, value)
                          end
                        )
                      ]
                    end
                  end
                end
              end
            end
          end
        end
      end
    end
  end