Java RMI Registry

Port: TCP 1099
Service: Java rmiregistry

Vulnerability: The default configuration of the RMI Registry and RMI Activation services allows classes to be loaded from a remote URL. A remote, unauthenticated attacker can exploit this by sending a crafted RMI message to a target server.

Mitigation: Upgrade to the latest software versions from the vendor’s website.
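To find which of your own hosts still expose an RMI endpoint and therefore need the upgrade, the following added example (not part of the original post) sends only the JRMP handshake header and parses the acknowledgement. The function names are hypothetical, and the handshake bytes come from the Java RMI wire protocol rather than from this page.

```python
"""Exposure check for Java RMI endpoints (added example, not from the original post)."""
import socket
import struct
import sys

# JRMP wire constants (taken from the Java RMI wire protocol, not from this page).
STREAM_PROTOCOL = 0x4B         # client asks for the stream protocol
PROTOCOL_ACK = 0x4E            # server accepts and echoes the client's endpoint
PROTOCOL_NOT_SUPPORTED = 0x4F  # server speaks JRMP but refuses this protocol


def build_handshake() -> bytes:
    """Magic 'JRMI', version 2, stream protocol: the header an RMI client sends first."""
    return struct.pack(">4sHB", b"JRMI", 2, STREAM_PROTOCOL)


def parse_reply(data: bytes):
    """Return a dict describing a JRMP reply, or None if the bytes are not JRMP."""
    if not data:
        return None
    if data[0] == PROTOCOL_NOT_SUPPORTED:
        return {"jrmp": True, "accepted": False}
    if data[0] != PROTOCOL_ACK or len(data) < 3:
        return None
    (host_len,) = struct.unpack_from(">H", data, 1)  # writeUTF length prefix
    end = 3 + host_len
    if len(data) < end + 4:
        return None  # truncated acknowledgement
    (port,) = struct.unpack_from(">i", data, end)    # writeInt port
    return {"jrmp": True, "accepted": True,
            "seen_client_host": data[3:end].decode("utf-8", "replace"),
            "seen_client_port": port}


def probe(host: str, port: int = 1099, timeout: float = 3.0):
    """Send only the handshake header to a host you administer and parse the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_handshake())
            return parse_reply(sock.recv(512))
    except OSError:
        return None  # closed, filtered, or timed out


if __name__ == "__main__":
    for target in sys.argv[1:]:
        result = probe(target)
        print(target, "JRMP endpoint reachable" if result else "no JRMP reply", result or "")
```

A positive result only shows that a JRMP endpoint answers on that port; whether the host is affected still depends on the Java version installed there.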

Proof of Concept
1. From your Kali machine, load up Metasploit, and do a search for “java_rmi”.


2. Set Metasploit to use the “java_rmi_server” exploit, and configure the options based on the IP of your Metasploitable VM.


With Metasploit, some of the exploit modules can be paired with payloads. The payload can be anything from a basic shell to a Meterpreter session. To see the payloads available for a particular exploit, type the command “show payloads” at the msf prompt. If you’re new to Metasploit, I suggest visiting their website and reading through the various tutorials they have.

The payload I’m using here is “java/shell/bind_tcp”. I had to try a couple different payloads to get a stable one, so the results may be different with your setup.

3. Once the options are set, type in “exploit”, and you should be presented with a shell.


As always, with root-level access, you have control of the entire victim machine and can continue enumerating the box for interesting data.