Module: Msf::Exploit::Remote::Java::Rmi::Builder

Included in:
Client
Defined in:
lib/msf/core/exploit/remote/java/rmi/builder.rb

Instance Method Details

#build_call(opts = {}) ⇒ Rex::Proto::Rmi::Model::Call

Builds an RMI call stream

Parameters:

  • opts (Hash{Symbol => <Integer, Array>}) (defaults to: {})

Options Hash (opts):

  • :message_id (Integer)
  • :object_number (Integer)

    Random number that identifies the object.

  • :uid_number (Integer)

    Identifies the VM where the object was generated.

  • :uid_time (Integer)

    Time when the object was generated.

  • :uid_count (Integer)

    Distinguishes different instances of the same object generated from the same VM at the same time.

  • :operation (Integer)

    In the JDK 1.1 stub protocol, the operation index in the interface. In JDK 1.2 it is -1.

  • :hash (Integer)

    In the JDK 1.1 stub protocol, the stub's interface hash. In JDK 1.2 it is a hash representing the method to call.

  • :arguments (Array)

Returns:

  • (Rex::Proto::Rmi::Model::Call)

# File 'lib/msf/core/exploit/remote/java/rmi/builder.rb', line 46

def build_call(opts = {})
  message_id = opts[:message_id] || Rex::Proto::Rmi::Model::CALL_MESSAGE
  object_number = opts[:object_number] || 0
  uid_number = opts[:uid_number] || 0
  uid_time = opts[:uid_time] || 0
  uid_count = opts[:uid_count] || 0
  operation = opts[:operation] || -1
  hash = opts[:hash] || 0
  arguments = opts[:arguments] || []

  uid = Rex::Proto::Rmi::Model::UniqueIdentifier.new(
    number: uid_number,
    time: uid_time,
    count: uid_count
  )

  call_data = Rex::Proto::Rmi::Model::CallData.new(
    object_number: object_number,
    uid: uid,
    operation: operation,
    hash: hash,
    arguments: arguments
  )

  call = Rex::Proto::Rmi::Model::Call.new(
    message_id: message_id,
    call_data: call_data
  )

  call
end

#build_dgc_ack(opts = {}) ⇒ Rex::Proto::Rmi::Model::DgcAck

Builds an RMI DGC ack stream

Parameters:

  • opts (Hash{Symbol => <Integer, String>}) (defaults to: {})

Options Hash (opts):

  • :stream_id (Integer)
  • :unique_identifier (String)

Returns:

  • (Rex::Proto::Rmi::Model::DgcAck)

# File 'lib/msf/core/exploit/remote/java/rmi/builder.rb', line 84

def build_dgc_ack(opts = {})
  stream_id = opts[:stream_id] || Rex::Proto::Rmi::Model::DGC_ACK_MESSAGE
  unique_identifier = opts[:unique_identifier] || "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

  dgc_ack = Rex::Proto::Rmi::Model::DgcAck.new(
      stream_id: stream_id,
      unique_identifier: unique_identifier
  )

  dgc_ack
end

#build_header(opts = {}) ⇒ Rex::Proto::Rmi::Model::OutputHeader

Builds an RMI header stream

Parameters:

  • opts (Hash{Symbol => <String, Integer>}) (defaults to: {})

Options Hash (opts):

  • :signature (String)
  • :version (Integer)
  • :protocol (Integer)

Returns:

  • (Rex::Proto::Rmi::Model::OutputHeader)

# File 'lib/msf/core/exploit/remote/java/rmi/builder.rb', line 18

def build_header(opts = {})
  signature = opts[:signature] || Rex::Proto::Rmi::Model::SIGNATURE
  version = opts[:version] || 2
  protocol = opts[:protocol] || Rex::Proto::Rmi::Model::STREAM_PROTOCOL

  header = Rex::Proto::Rmi::Model::OutputHeader.new(
      signature: signature,
      version: version,
      protocol: protocol)

  header
end
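
The fields documented for #build_header and #build_call can be read back out of raw bytes, which is what a network sensor or a protocol test needs in order to tell JDK 1.1 from JDK 1.2 stub calls. The following is an added example, not code from Metasploit or Rex: the method names, the wire constants (taken from the JRMP and Java serialization formats) and the sample bytes are assumptions introduced here.

```ruby
# Added example (not Metasploit code): decode the header and call fields from raw bytes.
# Wire constants come from the JRMP and Java serialization formats, not from this page.
JRMI_MAGIC = 0x4a524d49 # ASCII "JRMI"
PROTOCOLS  = { 0x4b => :stream, 0x4c => :single_op, 0x4d => :multiplex }.freeze
CALL_MSG   = 0x50
WELL_KNOWN = { 0 => :registry, 1 => :activator, 2 => :dgc }.freeze # java.rmi.server.ObjID

# Header: 4-byte magic, 2-byte version, 1-byte protocol.
def parse_header(bytes)
  raise ArgumentError, 'truncated header' if bytes.bytesize < 7
  magic, version, protocol = bytes.unpack('NnC')
  raise ArgumentError, 'not a JRMP stream' unless magic == JRMI_MAGIC
  { version: version, protocol: PROTOCOLS.fetch(protocol, :unknown) }
end

# Call: message id, serialization header (0xaced, version 5), then a 34-byte
# block-data record (0x77 0x22) holding ObjID, operation and hash. Serialized
# arguments after the block are left undecoded.
def parse_call(bytes)
  raise ArgumentError, 'truncated call' if bytes.bytesize < 41
  msg, ser_magic, ser_version, tag, len = bytes.unpack('CnnCC')
  raise ArgumentError, 'not a Call message' unless msg == CALL_MSG
  raise ArgumentError, 'bad serialization header' unless ser_magic == 0xaced && ser_version == 5
  raise ArgumentError, 'unexpected block data' unless tag == 0x77 && len == 34
  # Java long/int/short are signed and big-endian.
  obj, uid_number, uid_time, uid_count, operation, hash =
    bytes.byteslice(7, 34).unpack('q>l>q>s>l>q>')
  {
    object_number: obj,
    well_known: WELL_KNOWN[obj],
    uid: { number: uid_number, time: uid_time, count: uid_count },
    operation: operation,
    hash: hash,
    # operation == -1 means the hash names a method (JDK 1.2 stubs);
    # otherwise it is an index into the interface named by the hash (JDK 1.1).
    stub_protocol: operation == -1 ? :jdk_1_2 : :jdk_1_1
  }
end

# Constructed sample bytes (not captured traffic); hash values are arbitrary.
def sample_call(obj, operation, hash)
  [CALL_MSG, 0xaced, 5, 0x77, 34].pack('CnnCC') +
    [obj, 0, 0, 0, operation, hash].pack('q>l>q>s>l>q>')
end
SAMPLE_HEADER = [JRMI_MAGIC, 2, 0x4b].pack('NnC')
SAMPLE_V2 = sample_call(0, -1, 0x1122334455667788)
SAMPLE_V1 = sample_call(2, 1, -2)
```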