Module: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server::Builder

Included in:

Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server

Defined in:

lib/msf/core/exploit/remote/java/rmi/client/jmx/server/builder.rb

Instance Method Summary

• #build_jmx_new_client(opts = {}) ⇒ Rex::Proto::Rmi::Model::Call

  Builds an RMI call to javax/management/remote/rmi/RMIServer_Stub#newClient() used to enumerate the names bound in a registry.

• #build_jmx_new_client_args(username = '', password = '') ⇒ Array<Rex::Java::Serialization::Model::NewArray>

  Builds a Rex::Java::Serialization::Model::NewArray with credentials to make an javax/management/remote/rmi/RMIServer_Stub#newClient call.

Instance Method Details

#build_jmx_new_client(opts = {}) ⇒ Rex::Proto::Rmi::Model::Call

Builds an RMI call to javax/management/remote/rmi/RMIServer_Stub#newClient() used to enumerate the names bound in a registry

Parameters:

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :username (String) —

  the JMX role to establish the connection if needed

• :password (String) —

  the JMX password to establish the connection if needed

Returns:

• (Rex::Proto::Rmi::Model::Call)

See Also:

• Builder.build_call

# File 'lib/msf/core/exploit/remote/java/rmi/client/jmx/server/builder.rb', line 21

def build_jmx_new_client(opts = {})
  object_number = opts[:object_number] || 0
  uid_number = opts[:uid_number] || 0
  uid_time = opts[:uid_time] || 0
  uid_count = opts[:uid_count] || 0
  username = opts[:username]
  password = opts[:password] || ''

  if username
    arguments = build_jmx_new_client_args(username, password)
  else
    arguments = [Rex::Java::Serialization::Model::NullReference.new]
  end

  call = build_call(
    object_number: object_number,
    uid_number: uid_number,
    uid_time: uid_time,
    uid_count: uid_count,
    operation: -1,
    hash: -1089742558549201240, # javax.management.remote.rmi.RMIServer.newClient
    arguments: arguments
  )

  call
end

#build_jmx_new_client_args(username = '', password = '') ⇒ Array<Rex::Java::Serialization::Model::NewArray>

Builds a Rex::Java::Serialization::Model::NewArray with credentials to make an javax/management/remote/rmi/RMIServer_Stub#newClient call

Parameters:

• username (String) (defaults to: '') —

  The username (role) to authenticate with

• password (String) (defaults to: '') —

  The password to authenticate with

Returns:

• (Array<Rex::Java::Serialization::Model::NewArray>)

# File 'lib/msf/core/exploit/remote/java/rmi/client/jmx/server/builder.rb', line 54

def build_jmx_new_client_args(username = '', password = '')
  builder = Rex::Java::Serialization::Builder.new

  auth_array = builder.new_array(
    name: '[Ljava.lang.String;',
    serial: Msf::Exploit::Remote::Java::Rmi::Client::Jmx::STRING_ARRAY_UID, # serialVersionUID
    values_type: 'java.lang.String;',
    values: [
      Rex::Java::Serialization::Model::Utf.new(nil, username),
      Rex::Java::Serialization::Model::Utf.new(nil, password)
    ]
  )

  [auth_array]
end