This lecture summarizes some interesting remote attacks against Java and shows how to check for and exploit them with Metasploit. It doesn't cover client-side attack vectors, such as Java sandbox abuses through applets or click-to-play bypasses; it focuses on remote attack vectors that abuse RMI endpoints and technologies built on RMI. Besides summarizing the popular attack vectors, the lecture reviews how to check for and exploit them with Metasploit, presenting the new capabilities and modules that are being added to the Metasploit Framework to support all the techniques discussed.
2. Index
• About me
• Motivation
• RMI 101
• Java Object Serialization Protocol
• RMI: Method invocation
• Case Study: java_rmi_registry
• Case Study: java_rmi_server
• Case Study: java_jmx_server
• Conclusions
RMI: Remote Method Invocation
JMX: Java Management Extensions
3. About me
• I’m not a Java developer
• I’m not a Java hacker
• Exploit Developer at Rapid7
– Metasploit-Framework
• My English… sorry!
4. Motivation
• Leon Johnson, awesome pentester at Rapid7, asked about a module for exploiting JMX RMI endpoints.
• Excellent write-up from Braden Thomas:
– http://www.accuvant.com/blog/exploiting-jmx-rmi
8. RMI 101
• Wikipedia says:
“The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.” *
* For a better introduction, the Java specs are more useful, but it’s hard to find one summary sentence in the specs :)
19. RMI 101. RMI Transport Protocol
“Call and return data in RMI calls are formatted using the Java Object Serialization Protocol”
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
20. Java Object Serialization Protocol
“The ability to store and retrieve JavaTM objects is essential to building all but the most transient applications. The key to storing and retrieving objects in a serialized form is representing the state of objects sufficient to reconstruct the object(s).”
http://docs.oracle.com/javase/7/docs/platform/serialization/spec/serialTOC.html
Warning: If you haven’t fought with Java Serialization before, the specs and the grammar can be confusing…
21. Java Object Serialization Protocol
• Use small programs to get serialized samples.

    import java.io.*;

    // Writes a two-element int[] with ObjectOutputStream so that the
    // resulting new_array_ints.ser can be inspected byte by byte.
    public class NewArrayInts
    {
        public static void main(String[] args)
        {
            int[] anArray;
            anArray = new int[2];
            anArray[0] = -20;
            anArray[1] = 0x41;
            try
            {
                FileOutputStream fileOut =
                    new FileOutputStream("new_array_ints.ser");
                ObjectOutputStream out = new ObjectOutputStream(fileOut);
                out.writeObject(anArray);
                out.close();
                fileOut.close();
            } catch (IOException i)
            {
                i.printStackTrace();
            }
        }
    }
24. Java Object Serialization Protocol
• Also, you have two useful (Java) classes:
– java.io.ObjectOutputStream
– java.io.ObjectInputStream
• Read and debug them!
25. Java Object Serialization Protocol
• Several days later…:
– Rex::Java::Serialization: not full support, but good enough for our purposes.
• Includes modeling for the different entities as described in the Java Serialization Protocol specs/grammar.
• Every object can decode itself (unserialization) from an IO and encode itself (serialization).
• Rex::Java::Serialization::Builder allows easy building of some elements.
– Also: tools/java_deserializer.rb allows inspecting Java serialized streams, zooming into arrays and objects.
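To make the grammar concrete, here is a small decoder for the stream that the NewArrayInts program above produces. It is an added example written for this page, not code from Rex::Java::Serialization or tools/java_deserializer.rb, and it only handles the subset of the grammar that a primitive int[] needs (stream header, TC_ARRAY, a flat TC_CLASSDESC and the elements). The sample bytes are constructed to match what ObjectOutputStream writes for {-20, 0x41}; the serialVersionUID in them is the JDK's value for int[], but the decoder does not depend on it.

```ruby
require 'stringio'

# Stream-level constants from the Java Object Serialization Protocol grammar.
STREAM_MAGIC    = 0xaced
STREAM_VERSION  = 5
TC_NULL         = 0x70
TC_CLASSDESC    = 0x72
TC_ARRAY        = 0x75
TC_ENDBLOCKDATA = 0x78
SC_SERIALIZABLE = 0x02

# Constructed sample: the bytes new_array_ints.ser contains for {-20, 0x41}.
SAMPLE = [
  0xac, 0xed, 0x00, 0x05,                          # STREAM_MAGIC, STREAM_VERSION
  0x75,                                            # TC_ARRAY
  0x72,                                            # TC_CLASSDESC
  0x00, 0x02, 0x5b, 0x49,                          # className: u16 length + "[I"
  0x4d, 0xba, 0x60, 0x26, 0x76, 0xea, 0xb2, 0xa5,  # serialVersionUID of int[]
  0x02,                                            # classDescFlags: SC_SERIALIZABLE
  0x00, 0x00,                                      # field count: 0
  0x78,                                            # TC_ENDBLOCKDATA: no class annotation
  0x70,                                            # TC_NULL: no superclass descriptor
  0x00, 0x00, 0x00, 0x02,                          # array length: 2
  0xff, 0xff, 0xff, 0xec,                          # -20
  0x00, 0x00, 0x00, 0x41                           # 0x41
].pack('C*')

# Decoder for the subset of the grammar needed for a primitive int[].
class IntArrayStreamReader
  def initialize(io)
    @io = io
  end

  def read_stream
    magic, version = take(4).unpack('nn')
    raise "bad magic 0x#{magic.to_s(16)}" unless magic == STREAM_MAGIC
    raise "unsupported stream version #{version}" unless version == STREAM_VERSION
    read_content
  end

  private

  # Every read goes through here so a truncated stream fails loudly
  # instead of turning into a nil dereference further down.
  def take(n)
    data = @io.read(n)
    raise "truncated stream (wanted #{n} bytes)" unless data && data.bytesize == n
    data
  end

  def u8;  take(1).unpack1('C');  end
  def u16; take(2).unpack1('n');  end
  def s32; take(4).unpack1('l>'); end
  def utf; take(u16);             end   # writeUTF: u16 length + bytes

  def read_content
    tc = u8
    case tc
    when TC_NULL  then nil
    when TC_ARRAY then read_array
    else raise "unsupported type code 0x#{tc.to_s(16)}"
    end
  end

  # classDesc: TC_CLASSDESC className serialVersionUID classDescFlags
  #            fields classAnnotation superClassDesc
  def read_class_desc
    tc = u8
    raise "expected TC_CLASSDESC, got 0x#{tc.to_s(16)}" unless tc == TC_CLASSDESC
    desc = { name: utf, suid: take(8).unpack1('H*'), flags: u8 }
    raise 'class is not SC_SERIALIZABLE' if (desc[:flags] & SC_SERIALIZABLE).zero?
    raise 'field descriptors not supported' unless u16.zero?
    raise 'class annotations not supported' unless u8 == TC_ENDBLOCKDATA
    raise 'superclass descriptors not supported' unless u8 == TC_NULL
    desc
  end

  # newArray: TC_ARRAY classDesc newHandle (int)<size> values[size]
  def read_array
    desc = read_class_desc
    raise "only int[] ('[I') is handled, got #{desc[:name]}" unless desc[:name] == '[I'
    len = s32
    raise 'negative array length' if len.negative?
    { class: desc[:name], suid: desc[:suid], values: Array.new(len) { s32 } }
  end
end

def decode_int_array_stream(bytes)
  IntArrayStreamReader.new(StringIO.new(bytes)).read_stream
end

if __FILE__ == $0
  p decode_int_array_stream(SAMPLE)
end
```

Run it with `ruby decode_ints.rb`; feeding it the real new_array_ints.ser (`File.binread`) should give the same result. Anything the subset does not cover (fields, annotations, a superclass, another element type) raises instead of silently misparsing, which is the behaviour you want in a tool that is going to be pointed at untrusted streams.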
30. Finally….
• Rex::Proto::Rmi
– Model for the RMI protocol as described in the specs / grammar. Every object can read itself from an IO and write itself into a String.
• Msf::Java::Rmi::Client
– Mixin including the Exploit::Remote::TCP one
– Methods to make RMI calls easier from the modules.
– Also methods to build calls for some common RMI endpoints:
• Registry
• JMX Management
31. RMI Method Invocation
• In order to debug RMI calls, let’s understand them a little bit better.
• Use rmic to generate the (v1.2) stubs. It isn’t needed anymore, since nowadays static stubs are deprecated in favor of dynamically generated ones, but the generated stub shows exactly what goes on the wire for each method.
• It will generate a new class, HelloImpl_Stub.class:
rmic -classpath . example.hello.HelloImpl
34. Case Study: java_rmi_registry
• The RMI Registry is just a remote object provided by Java, so every virtual machine knows its interface (no stub has to be downloaded to talk to it).
• Listens on a well known port
– 1099/TCP.
35. Case Study: java_rmi_registry
msf > use auxiliary/gather/java_rmi_registry
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.131
rhost => 172.16.158.131
msf auxiliary(java_rmi_registry) > run

[*] 172.16.158.131:1099 - Sending RMI Header...
[*] 172.16.158.131:1099 - Listing names in the Registry...
[+] 172.16.158.131:1099 - 1 names found in the Registry
[+] 172.16.158.131:1099 - Name Hello (example.hello.HelloImpl_Stub) found on 172.16.158.131:1175
[*] Auxiliary module execution completed
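What “Sending RMI Header” and “Listing names” amount to on the wire, as an added example written for this page (it is not Rex::Proto::Rmi or Msf::Java::Rmi::Client): the client side of the stream-protocol handshake, a parser for the server's ProtocolAck, and the builder for the registry `list()` call. The registry is a 1.1-style stub, so the call carries an operation number plus the Registry interface hash rather than a per-method hash, and it targets the well-known ObjID 0. The sample ack, including the 172.16.158.1:54321 client address in it, is constructed for the example.

```ruby
require 'stringio'

# Transport constants (sun.rmi.transport.TransportConstants).
RMI_MAGIC       = 0x4a524d49   # "JRMI"
RMI_VERSION     = 2
STREAM_PROTOCOL = 0x4b
PROTOCOL_ACK    = 0x4e
PROTOCOL_NACK   = 0x4f
MSG_CALL        = 0x50

# Object serialization header and block-data tag used inside the call.
SERIAL_MAGIC    = 0xaced
SERIAL_VERSION  = 5
TC_BLOCKDATA    = 0x77

# java.rmi.registry.Registry is a 1.1-style stub: each call carries an
# operation number plus the interface hash instead of a per-method hash.
REGISTRY_INTERFACE_HASH = 0x44154dc9d4e63bdf
REGISTRY_OPS = { bind: 0, list: 1, lookup: 2, rebind: 3, unbind: 4 }.freeze

# Step 1, client -> server: "JRMI", version 2, StreamProtocol.
def rmi_header
  [RMI_MAGIC, RMI_VERSION, STREAM_PROTOCOL].pack('NnC')
end

# Step 2, server -> client: ProtocolAck followed by the client's address as
# the server sees it (writeUTF host, writeInt port). ProtocolNack means the
# server rejected the protocol.
def parse_protocol_ack(bytes)
  io = StringIO.new(bytes)
  take = ->(n) { d = io.read(n); raise 'truncated ack' unless d && d.bytesize == n; d }
  code = take.(1).unpack1('C')
  raise 'server sent ProtocolNack' if code == PROTOCOL_NACK
  raise "unexpected message code 0x#{code.to_s(16)}" unless code == PROTOCOL_ACK
  host = take.(take.(2).unpack1('n'))
  port = take.(4).unpack1('N')
  { host: host, port: port }
end

# Step 3, client -> server: the client's own endpoint, same encoding as the ack.
def rmi_client_endpoint(host, port)
  [host.bytesize, host, port].pack('na*N')
end

# The registry is the well-known remote object with ObjID 0:
# objNum (8) + UID unique (4) + UID time (8) + UID count (2) = 22 zero bytes.
def registry_obj_id
  [0, 0, 0, 0].pack('q>Nq>n')
end

# Step 4, client -> server: Call message. After the 0x50 tag comes a fresh
# serialization stream whose first block carries ObjID, opnum and hash;
# list() has no arguments, so nothing follows the block.
def registry_call(op)
  opnum = REGISTRY_OPS.fetch(op)
  body  = registry_obj_id + [opnum, REGISTRY_INTERFACE_HASH].pack('l>Q>')
  [MSG_CALL, SERIAL_MAGIC, SERIAL_VERSION, TC_BLOCKDATA, body.bytesize].pack('CnnCC') + body
end

# Constructed sample of step 2: the ack a registry would send to a client
# that connected from 172.16.158.1:54321 (address and port assumed).
SAMPLE_ACK = [PROTOCOL_ACK, '172.16.158.1'.bytesize, '172.16.158.1', 54321].pack('Cna*N')

if __FILE__ == $0
  puts "header:    #{rmi_header.unpack1('H*')}"
  p parse_protocol_ack(SAMPLE_ACK)
  puts "list call: #{registry_call(:list).unpack1('H*')}"
end
```

The server answers the call with a Return message (0x51) carrying its own serialization stream, whose payload for `list()` is a serialized String[]; decoding that is where a general serialization model like Rex::Java::Serialization earns its keep, since names and stub classes such as example.hello.HelloImpl_Stub in the module output come out of those objects.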
36. Case Study: java_rmi_server
Credits: Michael Schierl @mihi42
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-arch5.html
“RMI allows parameters, return values and exceptions passed in RMI calls to be any object that is serializable. RMI uses the object serialization mechanism to transmit data from one virtual machine to another and also annotates the call stream with the appropriate location information so that the class definition files can be loaded at the receiver.”
That last sentence is the hook: the “location information” is a codebase URL written into the class descriptor of a serialized parameter, and a receiver that honours it fetches and loads whatever class the sender names from that URL. Whether it honours it depends on the receiver: since Java 7u21 java.rmi.server.useCodebaseOnly defaults to true, which makes the receiver ignore the annotation, and the RMI class loader only consults a codebase when a SecurityManager is installed.
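Where that annotation sits in the grammar, as an added example for this page (not the java_rmi_server module or any other Metasploit code): a writer that serializes one instance of an empty Serializable class with an optional codebase annotation in the TC_CLASSDESC, exactly where MarshalOutputStream.annotateClass writes it, and a reader that pulls the class name and codebase back out, which is what the receiver's resolveClass gets to look at. The class name example.hello.Greeting, the serialVersionUID and the URL http://192.0.2.10/ are placeholders invented for the example; nothing here fetches or loads anything.

```ruby
require 'stringio'

# Type codes from the serialization grammar.
TC_NULL         = 0x70
TC_CLASSDESC    = 0x72
TC_OBJECT       = 0x73
TC_STRING       = 0x74
TC_ENDBLOCKDATA = 0x78
SC_SERIALIZABLE = 0x02

# writeUTF encoding: u16 length followed by the bytes.
def utf(str)
  [str.bytesize, str].pack('na*')
end

# Serialize one instance of an empty Serializable class. With a codebase,
# the descriptor's classAnnotation section carries it as a TC_STRING.
# suid is an arbitrary 8-byte value here; a real receiver compares it with
# the serialVersionUID of the class it ends up loading.
def marshal_object(class_name, suid, codebase: nil)
  out = [TC_OBJECT, TC_CLASSDESC].pack('CC')
  out << utf(class_name)
  out << [suid].pack('Q>')
  out << [SC_SERIALIZABLE].pack('C')
  out << [0].pack('n')                                         # fieldCount 0
  out << [TC_STRING].pack('C') << utf(codebase) if codebase    # classAnnotation
  out << [TC_ENDBLOCKDATA, TC_NULL].pack('CC')                 # end annotation, no superclass
  out                                                          # zero fields: no classdata
end

# The receiver's view: walk the descriptor and return what resolveClass
# sees, the class name and the codebase annotation (nil when absent).
def read_class_annotation(bytes)
  io = StringIO.new(bytes)
  take = ->(n) { d = io.read(n); raise 'truncated stream' unless d && d.bytesize == n; d }
  u8   = -> { take.(1).unpack1('C') }
  rutf = -> { take.(take.(2).unpack1('n')) }
  raise 'expected TC_OBJECT'    unless u8.() == TC_OBJECT
  raise 'expected TC_CLASSDESC' unless u8.() == TC_CLASSDESC
  name = rutf.()
  take.(8)                                                     # serialVersionUID
  raise 'not SC_SERIALIZABLE' if (u8.() & SC_SERIALIZABLE).zero?
  raise 'fields not handled' unless take.(2).unpack1('n').zero?
  codebase = nil
  loop do
    tc = u8.()
    break if tc == TC_ENDBLOCKDATA
    raise "unexpected annotation type 0x#{tc.to_s(16)}" unless tc == TC_STRING
    codebase = rutf.()
  end
  raise 'expected TC_NULL superclass' unless u8.() == TC_NULL
  { class_name: name, codebase: codebase }
end

if __FILE__ == $0
  stream = marshal_object('example.hello.Greeting', 0x1122334455667788,
                          codebase: 'http://192.0.2.10/')
  puts stream.unpack1('H*')
  p read_class_annotation(stream)
end
```

Two things follow from the layout. First, the annotation is per class descriptor, so every class in the object graph (and each superclass descriptor) gets its own, which is why a marshal stream can point different classes at different codebases. Second, the receiver reads the annotation before it knows anything about the class, which is exactly why useCodebaseOnly=true and the absence of a SecurityManager are the two settings that decide whether the URL is ever used.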
46. Conclusions
• Lots of examples:
– All the RMI/JMX modules have been ported.
– Specs
– New modules: java_rmi_registry, java_jmx_server
• TODO
– Full Java Serialization support.
– Exploit all the things! PRs are super welcome!