Goal: Exploit Java Remote Method Invocation (java_rmi) to Get Root access.
Java Remote Method Invocation, or Java RMI, is an object-oriented RPC mechanism that allows an object located in one Java virtual machine to call methods on an object located in another Java virtual machine. This enables developers to write distributed applications using an object-oriented paradigm.
Auxiliary scanning using msfconsole
Start the Metasploit database and console by typing the below command in the terminal:
There's an auxiliary scanner we can use to detect whether the Java RMI vulnerability exists on our target. At the prompt, type search java_rmi and note the "auxiliary/scanner/misc/java_rmi_server" module in the results.
Next, enter use auxiliary/scanner/misc/java_rmi_server, and type options to display the settings.
The options show that RHOSTS and THREADS must be set. Once they are set, run the module to find out whether the java_rmi exploit is possible.
We can see that the scanner detected a Java RMI endpoint on port 1099, which suggests the target may be vulnerable. Let's try to exploit it.
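Before moving on, here is the check a defender would want for the finding above: an added example (not part of the original walkthrough or Metasploit) that flags an RMI registry listening on TCP 1099 on a non-loopback address, and recognises the JRMI handshake header so a sensor can confirm RMI traffic regardless of port. The `ss -ltnp` output and the packet bytes are constructed samples.

```python
"""Defender-side checks for an exposed Java RMI registry (constructed inputs)."""
import re
from ipaddress import ip_address

RMI_REGISTRY_PORT = 1099
JRMI_MAGIC = b"JRMI"          # first four bytes of every RMI transport handshake
JRMI_VERSION = 2              # big-endian short that follows the magic
JRMI_PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol",
                  0x4D: "MultiplexProtocol"}

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:1099        0.0.0.0:*         users:(("java",pid=1234,fd=12))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=99,fd=5))
LISTEN 0      50     [::]:8180           [::]:*            users:(("java",pid=1234,fd=20))
"""

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text):
    """Yield (address, port, raw_line) for each LISTEN row of ss output."""
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            yield m.group(1).strip("[]"), int(m.group(2)), line


def exposed_rmi_listeners(text):
    """Return findings for RMI registry listeners reachable beyond loopback."""
    findings = []
    for addr, port, line in parse_listeners(text):
        if port != RMI_REGISTRY_PORT:
            continue
        if addr != "*" and ip_address(addr).is_loopback:
            continue   # 127.0.0.1 / ::1 only: not reachable from the network
        findings.append({"address": addr, "port": port, "line": line})
    return findings


def parse_jrmi_header(payload):
    """Return the RMI protocol name if payload opens with a JRMI handshake."""
    if len(payload) < 7 or payload[:4] != JRMI_MAGIC:
        return None
    if int.from_bytes(payload[4:6], "big") != JRMI_VERSION:
        return None
    return JRMI_PROTOCOLS.get(payload[6])   # None for an unknown protocol byte


if __name__ == "__main__":
    for f in exposed_rmi_listeners(SAMPLE_SS_OUTPUT):
        print("RMI registry exposed:", f["address"], f["port"])
    print(parse_jrmi_header(b"JRMI\x00\x02\x4b"))   # constructed first packet
```

Run the listener check against the real `ss -ltnp` output of a host you administer; a hit on a wildcard or public address is the exposure the Metasploit scanner reports.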
Exploiting Java_RMI
Back in our previous search results, locate the "exploit/multi/misc/java_rmi_server" module, and type use exploit/multi/misc/java_rmi_server to load it.
As the output above shows, the payload defaults to java/meterpreter/reverse_tcp. To choose a different one, run set payload {payload options}.
To list the payloads compatible with this exploit, use the show payloads command.
The options above show that LHOST and RHOST must be set before running the exploit command.
The output above shows that a Meterpreter session was created; list the sessions with the command below:
The listing above shows an active Meterpreter session. Use the command below to interact with it and get the Meterpreter prompt: