ISSW 2015
ABUSING JAVA REMOTE
INTERFACES
Juan Vazquez
Index
2
• About me
• Motivation
• RMI 101
• Java Object Serialization Protocol
• RMI: Method invocation
• Case Study: java_rmi_registry
• Case Study: java_rmi_server
• Case Study: java_jmx_server
• Conclusions
RMI: Remote Method Invocation
JMX: Java Management Extensions
About me
3
• I’m not a Java developer
• I’m not a Java hacker
• Exploit Developer at Rapid7
–  Metasploit-Framework
• My English… sorry!
Motivation
4
• Leon Johnson, awesome pentester at Rapid7,
asked about a module for exploiting JMX RMI
endpoints.
• Excellent write-up from Braden Thomas:
–  http://www.accuvant.com/blog/exploiting-jmx-rmi
Motivation (slides 5-7: images only)
RMI 101
8
• Wikipedia says:
“The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.” *
* For a better introduction, the Java specs are more useful, but it’s hard to find 1 summary sentence in the specs :)
RMI 101. Hello World! (slides 9-11: images only)
RMI 101. Hello World!
12
Server:
C:\rmi_hello_world>start rmiregistry
C:\rmi_hello_world>javac -cp . example\hello\*.java
C:\rmi_hello_world>java -cp . example.hello.Server
Server ready

Client:
C:\rmi_hello_world>javac -cp . example\hello\*.java
C:\rmi_hello_world>java -cp . example.hello.Client 172.16.158.132
response: Hello, world!
RMI 101. RMI Transport Protocol (slides 13-15: images only; source: http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html)
(slides 16-18: images only)
RMI 101. RMI Transport Protocol
19
“Call and return data in RMI calls are formatted using the Java Object Serialization Protocol”
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
Java Object Serialization Protocol
20
“The ability to store and retrieve JavaTM objects is essential to building all but the most transient applications. The key to storing and retrieving objects in a serialized form is representing the state of objects sufficient to reconstruct the object(s).”
http://docs.oracle.com/javase/7/docs/platform/serialization/spec/serialTOC.html
Warning: If you haven’t fought with Java Serialization before, the specs and the grammar can be confusing…
Java Object Serialization Protocol
21
• Use small programs to get serialized samples.

import java.io.*;

public class NewArrayInts
{
    public static void main(String [] args)
    {
        int[] anArray;
        anArray = new int[2];
        anArray[0] = -20;
        anArray[1] = 0x41;
        try
        {
            // Write the array with ObjectOutputStream so the raw
            // serialization stream can be inspected (e.g. with hexdump).
            FileOutputStream fileOut =
                new FileOutputStream("new_array_ints.ser");
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(anArray);
            out.close();
            fileOut.close();
        } catch(IOException i)
        {
            i.printStackTrace();
        }
    }
}
Java Object Serialization Protocol
22
stream:
  magic version contents
contents:
  content
  contents content
content:
  object
  blockdata
object:
  newArray
newArray:
  TC_ARRAY classDesc newHandle <size> values
classDesc:
  newClassDesc
  nullReference
  (ClassDesc)prevObject

newClassDesc:
  TC_CLASSDESC className serialVersionUID newHandle classDescInfo
className:
  (utf)
serialVersionUID:
  (long)
classDescInfo:
  classDescFlags fields classAnnotation superClassDesc
classDescFlags:
  (byte)
fields:
  (short)<count> fieldDesc[count]
classAnnotation:
  endBlockData
  contents endBlockData
superClassDesc:
  classDesc

http://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html#10258
Java Object Serialization Protocol
23
$ hexdump new_array_ints.ser
0000000 ac ed 00 05 75 72 00 02 5b 49 4d ba 60 26 76 ea
0000010 b2 a5 02 00 00 78 70 00 00 00 02 ff ff ff ec 00
0000020 00 00 41

Annotated, in stream order:
  ac ed                    STREAM_MAGIC
  00 05                    STREAM_VERSION
  75                       TC_ARRAY
  72                       TC_CLASSDESC
  00 02 5b 49              className: [I
  4d ba 60 26 76 ea b2 a5  SerialVersionUID
  02                       classDescFlags: SC_SERIALIZABLE
  00 00                    fields count
  78                       TC_ENDBLOCKDATA (classAnnotation)
  70                       TC_NULL (superClassDesc)
  00 00 00 02              (int)<size>
  ff ff ff ec              value[0] = -20
  00 00 00 41              value[1] = 0x41

$ serialver [I
[I:    static final long serialVersionUID = 5600894804908749477L;
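An added example for this page (not code from the slides and not Rex::Java::Serialization): a small Ruby reader that walks the newArray / newClassDesc grammar of slide 22 over the exact bytes of the hexdump above, checking magic, version and every tag, and raising on truncated input instead of returning garbage. Only primitive arrays with an empty classAnnotation and no back-references are handled, which is all this sample needs.

```ruby
STREAM_MAGIC    = 0xaced
STREAM_VERSION  = 5
TC_NULL         = 0x70
TC_CLASSDESC    = 0x72
TC_STRING       = 0x74
TC_ARRAY        = 0x75
TC_ENDBLOCKDATA = 0x78
SC_SERIALIZABLE = 0x02

# Bytes exactly as printed by "hexdump new_array_ints.ser" on the slide.
NEW_ARRAY_INTS = %w[
  ac ed 00 05 75 72 00 02 5b 49 4d ba 60 26 76 ea
  b2 a5 02 00 00 78 70 00 00 00 02 ff ff ff ec 00
  00 00 41
].map { |h| h.to_i(16) }.pack("C*")

# Cursor over a binary string. Every read is bounds-checked, so a truncated
# or lying stream raises instead of handing back nil.
class StreamReader
  def initialize(data)
    @data = data.b
    @pos = 0
  end

  def read(n)
    raise "truncated stream at offset #{@pos}" if @pos + n > @data.bytesize
    chunk = @data.byteslice(@pos, n)
    @pos += n
    chunk
  end

  def u8;  read(1).unpack1("C");  end
  def u16; read(2).unpack1("n");  end
  def s32; read(4).unpack1("l>"); end
  def s64; read(8).unpack1("q>"); end
  def utf; read(u16).force_encoding("UTF-8"); end
end

# fieldDesc: typecode fieldName, plus className1 (a TC_STRING) for '[' and 'L'.
def parse_field_desc(r)
  typecode = r.u8.chr
  field = { typecode: typecode, name: r.utf }
  if typecode == "[" || typecode == "L"
    tag = r.u8
    raise "unsupported className1 tag 0x%02x" % tag unless tag == TC_STRING
    field[:class_name] = r.utf
  end
  field
end

# classDesc: newClassDesc | nullReference. prevObject back-references and
# non-empty classAnnotations are not needed for this sample, so they raise.
def parse_class_desc(r)
  tag = r.u8
  return nil if tag == TC_NULL
  raise "unsupported classDesc tag 0x%02x" % tag unless tag == TC_CLASSDESC
  desc = { name: r.utf, serial_version_uid: r.s64, flags: r.u8 }
  desc[:fields] = Array.new(r.u16) { parse_field_desc(r) }
  tag = r.u8
  raise "unexpected classAnnotation tag 0x%02x" % tag unless tag == TC_ENDBLOCKDATA
  desc[:super] = parse_class_desc(r)
  desc
end

# Element readers for the primitive array classes this decoder understands.
PRIMITIVE_ARRAY_READERS = {
  "[I" => ->(r) { r.s32 },
  "[J" => ->(r) { r.s64 },
  "[B" => ->(r) { r.read(1).unpack1("c") },
}.freeze

# newArray: TC_ARRAY classDesc newHandle (int)<size> values
def parse_new_array(r)
  tag = r.u8
  raise "expected TC_ARRAY, got 0x%02x" % tag unless tag == TC_ARRAY
  desc = parse_class_desc(r)
  raise "array without a class description" if desc.nil?
  reader = PRIMITIVE_ARRAY_READERS[desc[:name]]
  raise "unsupported array class #{desc[:name]}" unless reader
  size = r.s32
  raise "negative array size #{size}" if size < 0
  { class: desc, values: Array.new(size) { reader.call(r) } }
end

# stream: magic version contents, where contents here is a single newArray.
def decode_stream(data)
  r = StreamReader.new(data)
  magic, version = r.u16, r.u16
  raise "bad STREAM_MAGIC 0x%04x" % magic unless magic == STREAM_MAGIC
  raise "bad STREAM_VERSION #{version}" unless version == STREAM_VERSION
  parse_new_array(r)
end

if __FILE__ == $0
  result = decode_stream(NEW_ARRAY_INTS)
  puts "class #{result[:class][:name]} serialVersionUID #{result[:class][:serial_version_uid]}"
  puts "values: #{result[:values].inspect}"   # [-20, 65]
end
```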
  
Java Object Serialization Protocol
24
• Also, you have two useful (Java) classes:
–  java.io.ObjectOutputStream
–  java.io.ObjectInputStream
• Read and debug them!
Java Object Serialization Protocol
25
• Several days later…:
–  Rex::Java::Serialization: Not full support, but good enough for our purposes.
  •  Includes modeling for the different entities as described in the Java Serialization Protocol specs/grammar.
  •  Every object can decode itself (unserialization) from an IO or encode itself (serialization).
  •  Rex::Java::Serialization::Builder allows easy building of some elements.
–  Also: tools/java_deserializer.rb allows inspecting Java serialized streams, zooming into arrays and objects.
Java Object Serialization Protocol
26
$ tools/java_deserializer.rb /tmp/call_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
  BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }
]
@references: [
]
Java Object Serialization Protocol
27
$ tools/java_deserializer.rb /tmp/return_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
  BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
  Utf { Hello, world! }
]
@references: [
  [7e0000] Utf { Hello, world! }
]
Finally…
28
BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html

Finally…
29
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
@contents: [
  BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
  Utf { Hello, world! }
]
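As an added example (constructed for this page, not Rex::Proto::Rmi code), the two BlockData payloads above unpacked as the CallData and ReturnData structures of rmi-protocol4: ObjID, operation and method hash on the call side, return type and UID on the return side. The field layout and the well-known ObjID numbers follow the RMI spec and java.rmi.server.ObjID; the note on which JVM minted a UID follows java.rmi.server.UID.

```ruby
# CallData:   ObjID { objNum:int64, UID { unique:int32, time:int64, count:int16 } }
#             operation:int32  hash:int64                        -> 34 bytes
# ReturnData: returnType:uint8  UID { unique, time, count }      -> 15 bytes,
#             followed by the return value (or the exception) as an object.
CALL_DATA_LEN    = 34
RETURN_DATA_LEN  = 15
RETURN_NORMAL    = 0x01
RETURN_EXCEPTION = 0x02

# Well-known ObjID numbers from java.rmi.server.ObjID; anything else is an
# application object exported by the server.
WELL_KNOWN_OBJ_NUMS = { 0 => "registry", 1 => "activator", 2 => "dgc" }.freeze

# Byte lists copied from the java_deserializer.rb output on the slides.
CALL_BLOCK = [0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f,      # ObjID.objNum
              0x90, 0x3a, 0x40, 0x57,                           # UID.unique
              0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae,      # UID.time
              0x80, 0x1,                                        # UID.count
              0xff, 0xff, 0xff, 0xff,                           # operation (-1)
              0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf    # method hash
             ].pack("C*")
RETURN_BLOCK = [0x1,                                            # returnType: normal
                0x90, 0x3a, 0x40, 0x57,                         # UID.unique
                0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae,    # UID.time
                0x80, 0xb                                       # UID.count
               ].pack("C*")

def decode_call_data(block)
  unless block.bytesize == CALL_DATA_LEN
    raise "CallData must be #{CALL_DATA_LEN} bytes, got #{block.bytesize}"
  end
  obj_num, unique, time, count, operation, hash = block.unpack("q>l>q>s>l>q>")
  {
    obj_id: { obj_num: obj_num, unique: unique, time: time, count: count },
    # -1 means a JDK 1.2 stub: the server selects the method by hash, not by index.
    operation: operation,
    # 64-bit hash of the method name and descriptor, as computed by the stub.
    method_hash: hash,
  }
end

def decode_return_data(block)
  unless block.bytesize == RETURN_DATA_LEN
    raise "ReturnData header must be #{RETURN_DATA_LEN} bytes, got #{block.bytesize}"
  end
  code, unique, time, count = block.unpack("Cl>q>s>")
  unless [RETURN_NORMAL, RETURN_EXCEPTION].include?(code)
    raise "unknown returnType 0x%02x" % code
  end
  {
    return_type: code == RETURN_NORMAL ? :normal : :exception,
    uid: { unique: unique, time: time, count: count },
  }
end

def describe_target(call)
  WELL_KNOWN_OBJ_NUMS.fetch(call[:obj_id][:obj_num], "application object")
end

# A UID's unique (random per VM) and time (taken when that VM's UID generator
# was initialised) together identify the minting JVM; count only orders UIDs
# within it. Here the reply's UID shares both with the ObjID, so the same
# server VM answered the call.
def same_jvm?(call, ret)
  call[:obj_id].values_at(:unique, :time) == ret[:uid].values_at(:unique, :time)
end

if __FILE__ == $0
  call = decode_call_data(CALL_BLOCK)
  ret  = decode_return_data(RETURN_BLOCK)
  puts "call -> %s objNum=0x%x op=%d hash=0x%016x" % [
    describe_target(call), call[:obj_id][:obj_num], call[:operation], call[:method_hash]]
  puts "return -> #{ret[:return_type]}, same JVM: #{same_jvm?(call, ret)}"
end
```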
Finally…
30
• Rex::Proto::Rmi
–  Model for the RMI protocol as described in the specs / grammar. Every object can read itself from an IO or write itself into a String.
• Msf::Java::Rmi::Client
–  Mixin including the Exploit::Remote::TCP one
–  Methods to make RMI calls easier from the modules.
–  Also methods to build calls for some common RMI endpoints:
  •  Registry
  •  JMX Management
RMI Method Invocation
31
• In order to debug RMI calls, let’s understand them a little bit better.
• Use RMIC to generate the stubs (v1.2). It’s not needed anymore, since nowadays static stubs are deprecated in favor of dynamic code.
• It will generate a new class HelloImpl_Stub.class.
rmic -classpath . example.hello.HelloImpl
RMI Method Invocation
32
Class diagram (image): example.hello.Hello extends java.rmi.Remote; the generated stub extends java.rmi.server.RemoteStub (itself a java.rmi.server.RemoteObject) and implements example.hello.Hello; the RemoteObject's ref field is a java.rmi.server.RemoteRef, which sun.rmi.server.UnicastRef implements.
RMI Method Invocation (slide 33: image only)
Case Study: java_rmi_registry
34
• The RMI Registry is just a remote object provided by Java, so every virtual machine knows its interface.
• Listens on a well known port
–  1099/TCP.
Case Study: java_rmi_registry
35
msf > use auxiliary/gather/java_rmi_registry
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.131
rhost => 172.16.158.131
msf auxiliary(java_rmi_registry) > run

[*] 172.16.158.131:1099 - Sending RMI Header...
[*] 172.16.158.131:1099 - Listing names in the Registry...
[+] 172.16.158.131:1099 - 1 names found in the Registry
[+] 172.16.158.131:1099 - Name Hello (example.hello.HelloImpl_Stub) found on 172.16.158.131:1175
[*] Auxiliary module execution completed
Case Study: java_rmi_server
36
Credits: Michael Schierl @mihi42
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-arch5.html
RMI allows parameters, return values and exceptions passed in RMI calls to be any object that is serializable. RMI uses the object serialization mechanism to transmit data from one virtual machine to another and also annotates the call stream with the appropriate location information so that the class definition files can be loaded at the receiver.
Case Study: java_rmi_server (slides 37-39: images only)
Credits: Michael Schierl @mihi42
Case Study: java_jmx_server
40
Credits: Braden Thomas
http://www.accuvant.com/blog/exploiting-jmx-rmi
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.132
rhost => 172.16.158.132
msf auxiliary(java_rmi_registry) > set rport 1617
rport => 1617
msf auxiliary(java_rmi_registry) > run

[*] 172.16.158.132:1617 - Sending RMI Header...
[*] 172.16.158.132:1617 - Listing names in the Registry...
[+] 172.16.158.132:1617 - 1 names found in the Registry
[+] 172.16.158.132:1617 - Name jmxrmi (javax.management.remote.rmi.RMIServerImpl_Stub) found on 172.16.158.132:1471
[*] Auxiliary module execution completed
Case Study: java_jmx_server (slides 41-43: images only)
Credits: Braden Thomas
http://www.accuvant.com/blog/exploiting-jmx-rmi
DEMO
44
Conclusions
45
• Ruby Support on MSF for:
–  Java Serialization
–  RMI
–  Some JMX
No more RAW streams!
Conclusions
46
• Lots of examples:
–  All the RMI/JMX modules have been ported.
–  Specs
–  New modules: java_rmi_registry, java_jmx_server
• TODO
–  Full Java Serialization support.
–  Exploit all the things! PRs are super welcome!
QUESTIONS?
THANK YOU!
