

  1. # -*- coding: binary -*-
  2. require 'rex/java/serialization'
  3. require 'rex/text'
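  module Msf
    class Exploit
      class Remote
        module Java
          module Rmi
            # Helpers shared by the RMI client mixins: JDK-compatible method and
            # interface hash calculation, readers for the primitive Java
            # DataOutput encodings used on the RMI wire, and autofilter
            # registration.
            #
            # All of the extract_* readers consume bytes produced by a remote RMI
            # endpoint, so they are written to fail closed: on a short or
            # malformed read they return nil rather than raising.
            module Util
              # Calculates a method hash to make RMI calls as defined by the JDK 1.2
              # (stub protocol version 2).
              #
              # The hash is taken from the SHA-1 digest of the Java UTF encoding of
              # the signature: the first eight digest bytes, read least-significant
              # byte first, as the JDK does.
              #
              # @param signature [String] The remote method signature as specified by the JDK 1.2,
              #   method name + method descriptor (as explained in the Java Virtual Machine Specification)
              # @return [Integer] The method hash
              # @see http://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmi-stubs24.html The RemoteRef Interface documentation to understand how method hashes are calculated
              def calculate_method_hash(signature)
                utf = Rex::Java::Serialization::Model::Utf.new(nil, signature)
                digest = Rex::Text.sha1_raw(utf.encode)
                # Only the leading 8 of the 20 digest bytes contribute, little-endian
                digest.unpack('Q<')[0]
              end

              # Calculates an interface hash to make RMI calls as defined by the JDK 1.1
              # (stub protocol version 1).
              #
              # The hashed stream is the stub version number (int 1) followed, for
              # each method, by its name, its descriptor and each of its exception
              # class names, all written as Java UTF strings. Methods are hashed in
              # the order given; the caller is responsible for supplying them in the
              # order the JDK uses (see the linked spec), this helper does not sort.
              #
              # @param methods [Array<Hash>] set of methods, each a Hash with
              #   :name [String], :descriptor [String] and :exceptions
              #   [Array<String>, nil] (a missing or nil :exceptions counts as none)
              # @return [Integer] The interface hash
              # @see http://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmi-stubs24.html The RemoteRef Interface documentation to understand how interface hashes are calculated
              def calculate_interface_hash(methods)
                stream = ''.b # binary buffer regardless of the source file encoding
                stream << [1].pack('N') # stub version number
                methods.each do |m|
                  [m[:name], m[:descriptor], *m[:exceptions]].each do |piece|
                    stream << Rex::Java::Serialization::Model::Utf.new(nil, piece).encode
                  end
                end
                digest = Rex::Text.sha1_raw(stream)
                # Same truncation and byte order as calculate_method_hash
                digest.unpack('Q<')[0]
              end

              # Extracts a Java UTF string from an IO, in the DataOutput#writeUTF
              # layout: a 16-bit big-endian length followed by that many bytes. The
              # bytes are returned as read (binary); modified UTF-8 is not decoded.
              #
              # The length prefix is an unsigned Java u2 ('n'), not a signed short:
              # a length >= 0x8000 must not go negative, which would make IO#read
              # raise ArgumentError on remote-controlled input instead of the
              # documented nil.
              #
              # @param io [IO] the io to extract the string from
              # @return [String, nil] the extracted string if success, nil otherwise
              def extract_string(io)
                raw_length = io.read(2)
                return nil unless raw_length && raw_length.bytesize == 2

                length = raw_length.unpack('n')[0]
                string = io.read(length)
                return nil unless string && string.bytesize == length

                string
              end

              # Extracts a Java int (32-bit big-endian, signed) from an IO
              #
              # @param io [IO] the io to extract the int from
              # @return [Integer, nil] the extracted int if success, nil otherwise
              def extract_int(io)
                raw = io.read(4)
                return nil unless raw && raw.bytesize == 4

                raw.unpack('l>')[0]
              end

              # Extracts a Java long (64-bit big-endian, signed) from an IO
              #
              # @param io [IO] the io to extract the long from
              # @return [Integer, nil] the extracted long if success, nil otherwise
              def extract_long(io)
                raw = io.read(8)
                return nil unless raw && raw.bytesize == 8

                raw.unpack('q>')[0]
              end

              # Extract an RMI interface reference from an IO
              #
              # Only a plain `UnicastRef` (type string, host, port, object number,
              # UID) is parsed; any other reference type string (e.g. `UnicastRef2`,
              # which additionally carries socket factories) is rejected with nil.
              # Every field goes through the fail-closed extract_* helpers, so a
              # truncated reference - including a short object number - yields nil
              # instead of handing an already exhausted stream to the UID decoder.
              #
              # @param io [IO] the io to extract the reference from, should contain the data
              #   inside a BlockData with the reference information.
              # @return [Hash, nil] the extracted reference if success, nil otherwise;
              #   keys :address [String], :port [Integer], :object_number [Integer],
              #   :uid [Rex::Proto::Rmi::Model::UniqueIdentifier]
              # @see Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server::Parser#parse_jmx_new_client_endpoint
              # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Parser#parse_registry_lookup_endpoint
              def extract_reference(io)
                ref_type = extract_string(io)
                return nil unless ref_type == 'UnicastRef'

                address = extract_string(io)
                return nil unless address

                port = extract_int(io)
                return nil unless port

                object_number = extract_long(io)
                return nil unless object_number

                # NOTE(review): UniqueIdentifier.decode presumably raises rather than
                # returning nil on a truncated UID - confirm against Rex::Proto::Rmi
                uid = Rex::Proto::Rmi::Model::UniqueIdentifier.decode(io)
                { address: address, port: port, object_number: object_number, uid: uid }
              end

              # Register ports and services for autofilter support
              #
              # The port list is the set of TCP ports this mixin treats as likely
              # RMI/JMX endpoints; the service names are the ones matched against
              # discovered services.
              def register_common_rmi_ports_and_services
                register_autofilter_ports([
                  999, 1090, 1098, 1099, 1100, 1101, 1102, 1103, 1129, 1030, 1035, 1199, 1234, 1440, 3273, 3333, 3900,
                  2199, 2809, 5520, 5580, 5521, 5999, 6060, 6789, 6996, 7700, 7800, 7878, 7890, 7801, 8050, 8051, 8085,
                  8091, 8205, 8303, 8642, 8701, 8686, 8888, 8889, 8890, 8901, 8902, 8903, 8999, 9001, 9003, 9004, 9005,
                  9050, 9090, 9099, 9300, 9500, 9711, 9809, 9810, 9811, 9812, 9813, 9814, 9815, 9875, 9910, 9991, 9999,
                  10001, 10162, 10098, 10099, 11001, 11099, 11333, 12000, 13013, 14000, 15000, 15001, 15200, 16000,
                  17200, 18980, 20000, 23791, 26256, 31099, 33000, 32913, 37718, 45230, 47001, 47002, 50050, 50500,
                  50501, 50502, 50503, 50504
                ])
                register_autofilter_services(%w[rmi rmid java-rmi rmiregistry])
              end
            end
          end
        end
      end
    end
  end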