Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: rmiregistry default configuration vulnerability script
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 25 May 2012 21:16:00 +0200

On Fri, May 25, 2012 at 8:48 PM, Aleksandar Nikolic
<nikolic.alek () gmail com>wrote:

Hi All,

I've written a script to test rmiregistry servers for this default
configuration
vulnerability which allows remote class loading and therefore remote
code execution.

There is a Metasploit exploit for this vulnerability.

To test it , you just need to run rmiregistry which comes with
any JRE installation (rmiregistry.exe on Windows, rmiregistry on Linux)
and then run the script against it.

I've attached the script and a small patch for rmi.lua library as I needed
one function to add raw data as arguments to writeMethodCall.
The sciript contains already serialized data, it was easier to do it
that way then implement the whole serialization in the library.
For additional info , see references in the script.

Please tell me if you have any comments and suggestions.


Thanks,
Aleksandar

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Great job! I just tested it and it worked great for me.
I'm wondering whether the match for "RMI class loader disabled" could be a
problem if it's localized?
Is there anything else you could match in the packet, like an error code or
something?

An alternative I initially thought of and tested was to use a http-link
pointing to the scanning host and to pick it up with pcap. But that's
probably not very solid as there may be firewalls or other device blocking
the connect back request.

//Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault