PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity
Files
ba67aa59930754828916e19411081a55cd7b9473
nmap/scripts/rmi-vuln-classloader.nse
aca ba67aa5993 Commited rmi-vuln-classloader script
2012-05-28 18:04:28 +00:00

116 lines
3.7 KiB
Lua
Raw Blame History

local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"
local rmi = require "rmi"
description = [[
Checks if rmiregistry allows class loading.
The default configuration of rmiregistry allows loading classes from remote
URLs which can lead to remote code execution. This is considered as "by
design".
Based on original Metasploit module by mihi.
References:
* http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/misc/java_rmi_server.rb
]];
---
-- @usage
-- nmap nmap --script=rmi-vuln-classloader -p 1099 <target>
--
-- @output
-- PORT STATE SERVICE
-- 1099/tcp open rmiregistry
-- | rmi-vuln:
-- | VULNERABLE:
-- | RMI registry default configuration remote code execution vulnerability
-- | State: VULNERABLE
-- | Description:
-- | Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code executeion.
-- |
-- | References:
-- |_ http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/misc/java_rmi_server.rb
author = "Aleksandar Nikolic";
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {
"intrusive",
"vuln"
};
portrule = shortport.port_or_service({
1099
}, {
"rmiregistry"
});
action = function (host, port)
local registry = rmi.Registry:new(host.ip, port.number);
registry:_handshake();
local rmiArgs = rmi.Arguments:new();
local argsRaw = "75" .. --TC_ARRAY
"72" .. -- TC_CLASSDESC
"0018" .. -- string len
"5B4C6A6176612E726D692E7365727665722E4F626A49443B" .. -- class name "[Ljava.rmi.server.ObjID;"
"871300B8D02C647E" .. -- serial id
"02" .. -- FLAGS (serializable)
"0000" .. -- FIELD COUNT
"70787000000000" .. --TC_NULL TC_BLOCKEND TC_NULL
"77080000000000000000" .. -- TC_BLOCKDATA
"73" .. -- TC_OBJECT
"72" .. -- TC_CLASSDESC
"0005" .. -- string len
"64756D6D79" .. -- class name "dummy"
"A16544BA26F9C2F4" .. -- serial id
"02" .. -- FLAGS (serializable)
"0000" .. -- FIELD COUNT
"74" .. -- TC_STRING
"0010" .. -- string len
"66696C653A2E2F64756D6D792E6A6172" .. -- annotation "file:./dummy.jar"
"78" .. -- TC_ENDBLOCKDATA
"70" .. -- TC_NULL
"7701000A"; -- TC_BLOCKDATA
local rmi_vuln = {
title = "RMI registry default configuration remote code execution vulnerability",
description = [[
Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code executeion.
]],
references = {
'http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/misc/java_rmi_server.rb',
},
exploit_results = {},
};
local report = vulns.Report:new(SCRIPT_NAME, host, port);
rmi_vuln.state = vulns.STATE.NOT_VULN;
rmiArgs:addRaw(bin.pack("H", argsRaw));
-- reference: java/rmi/dgc/DGCImpl_Stub.java and java/rmi/dgc/DGCImpl_Skel.java
-- we are calling DGC's (it's objectId is 2) method with opnum 0
-- DCG's hashcode is f6b6898d8bf28643 hex or -669196253586618813 dec
local status, j_array = registry.out:writeMethodCall(registry.out, 2, "f6b6898d8bf28643", 0, rmiArgs);
local status, retByte = registry.out.dis:readByte();
if not status then
return false, "No return data received from server";
end
if 0x51 ~= retByte then
-- 0x51 : Returndata
return false, "No return data received from server";
end
data = registry.out.dis.bReader.readBuffer;
if string.find(data, "RMI class loader disabled") == nil then
rmi_vuln.state = vulns.STATE.VULN;
return report:make_output(rmi_vuln);
end
return report:make_output(rmi_vuln);
end;
Reference in New Issue View Git Blame Copy Permalink