Port: TCP 1099
Service: Java rmiregistry
Vulnerability: The default configuration of the RMI Registry and RMI Activation services allows classes to be loaded from a remote URL. A remote, unauthenticated attacker can exploit this by sending a crafted RMI message to the target server. (http://telussecuritylabs.com/threats/show/TSL20110718-02)
Mitigation: Upgrade to the latest software versions from the vendor’s website. (http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html)
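As an added defender-side check that is not part of the original write-up (my code, not the author's or Metasploit's): this Python script performs the JRMI stream-protocol handshake against TCP 1099 and parses the server's ProtocolAck, so you can inventory which hosts still expose an RMI registry and prioritise them for the upgrade above. The sample reply bytes and the 192.0.2.10 address are constructed, not captured from a real host.

```python
import socket
import struct

# JRMI stream-protocol handshake, per the Java RMI wire protocol spec:
# magic "JRMI", version 2, StreamProtocol (0x4b).
JRMI_STREAM_HANDSHAKE = b"JRMI\x00\x02\x4b"
PROTOCOL_ACK = 0x4E            # server accepts the stream protocol
PROTOCOL_NOT_SUPPORTED = 0x4F  # server rejects it


def parse_protocol_ack(data: bytes):
    """Parse the server's reply to the handshake.

    A ProtocolAck is 0x4e followed by an EndpointIdentifier: a
    DataOutput.writeUTF() host (2-byte big-endian length + bytes) and a
    4-byte big-endian port. Returns (host, port) on a well-formed ack,
    None for a rejection, garbage or truncated input.
    """
    if len(data) < 7 or data[0] != PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + host_len + 4:
        return None
    host = data[3:3 + host_len].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + host_len:7 + host_len])
    return host, port


def check_rmi_registry(host: str, port: int = 1099, timeout: float = 3.0):
    """Connect to host:port, send the JRMI handshake and report whether an
    RMI endpoint answered. Returns the parsed (host, port) tuple or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(JRMI_STREAM_HANDSHAKE)
            reply = s.recv(1024)
    except OSError:
        return None
    return parse_protocol_ack(reply)


# Constructed sample reply: ack, host "192.0.2.10" (10 bytes), port 0.
SAMPLE_ACK = b"\x4e\x00\x0a192.0.2.10\x00\x00\x00\x00"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = check_rmi_registry(target)
    if result:
        print(f"{target}:1099 answers the JRMI handshake (endpoint {result[0]}:{result[1]})")
    else:
        print(f"{target}:1099 did not answer as an RMI endpoint")
```

Answering the handshake shows only that an RMI endpoint is listening, not whether remote class loading is still enabled; confirm the installed Java version against the vendor advisory separately.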
Proof of Concept
1. From your Kali machine, load up Metasploit and search for “java_rmi”.
2. Set Metasploit to use the “java_rmi_server” exploit, and configure the options based on the IP address of your Metasploitable VM.
With Metasploit, some of the exploit modules can be paired with payloads. The payload can be anything from a basic shell to a Meterpreter session. To see the payloads available for a particular exploit, type the command “show payloads” at the msf prompt. If you’re new to Metasploit, I suggest visiting their website and reading through the various tutorials they have.
The payload I’m using here is “java/shell/bind_tcp”. I had to try a couple of different payloads to get a stable one, so the results may be different with your setup.
3. Once the options are set, type “exploit”, and you should be presented with a shell.
As always, with root-level access you have control of the entire victim machine, and can continue enumerating the box for interesting data.