Java RMI Registry

Port: TCP 1099
Service: Java rmiregistry

Vulnerability: In their default configuration, the RMI Registry and RMI Activation services accept a codebase URL supplied by the calling party and load classes from it (the java.rmi.server.useCodebaseOnly property defaulted to false). A remote, unauthenticated attacker can therefore send a crafted RMI message that references a class hosted on an attacker-controlled HTTP server; the registry fetches and executes that class with the privileges of the Java process, which on Metasploitable is root. (http://telussecuritylabs.com/threats/show/TSL20110718-02)

Mitigation: Upgrade to a patched Java release from the vendor (Oracle Java SE Critical Patch Update, October 2011: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html). Where an upgrade is not immediately possible, start the JVM with -Djava.rmi.server.useCodebaseOnly=true so the registry ignores caller-supplied codebases (this became the default from Java 7 Update 21), and restrict TCP/1099 to the hosts that genuinely need it; an RMI registry should never be reachable from untrusted networks.

Proof of Concept
1. From your Kali machine, start msfconsole and search for "java_rmi". The module of interest is exploit/multi/misc/java_rmi_server.

[Screenshot: msfconsole search results for "java_rmi"]

2. Tell Metasploit to use the "java_rmi_server" exploit, then set the RHOST (RHOSTS in newer versions) option to the IP of your Metasploitable VM. The module serves the malicious class from its own HTTP listener (the SRVHOST/SRVPORT options), so that listener must be reachable from the target.

[Screenshot: msfconsole showing the java_rmi_server options being set]

With Metasploit, exploit modules are paired with payloads. The payload can be anything from a basic shell to a Meterpreter session. To list the payloads compatible with a particular exploit, type "show payloads" at the msf prompt once the exploit is selected. If you're new to Metasploit, I suggest visiting their website and reading through the various tutorials they have.

The payload I'm using here is "java/shell/bind_tcp". I had to try a couple of different payloads to get a stable one, so the results may be different with your setup.

3. Once the options are set, type "exploit". The module serves the class, the registry loads it, and you should be presented with a shell.

[Screenshot: the exploit completing and returning a root shell]

As always, with root-level access you control the entire victim machine and can continue enumerating the box for interesting data.