ISSW 2015
ABUSING JAVA REMOTE INTERFACES
Juan Vazquez
Index
• About me
• Motivation
• RMI 101
• Java Object Serialization Protocol
• RMI: Method invocation
• Case Study: java_rmi_registry
• Case Study: java_rmi_server
• Case Study: java_jmx_server
• Conclusions
RMI: Remote Method Invocation
JMX: Java Management Extensions
About me
• I’m not a Java developer
• I’m not a Java hacker
• Exploit Developer at Rapid7
  – Metasploit-Framework
• My English… sorry!
Motivation
• Leon Johnson, awesome pentester at Rapid7, asked about a module for exploiting JMX RMI endpoints.
• Excellent write-up from Braden Thomas:
  – http://www.accuvant.com/blog/exploiting-jmx-rmi
RMI 101
• Wikipedia says:
“The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.” *
* For a better introduction, the Java specs are more useful, but it’s hard to find one summary sentence in the specs :)
RMI 101. Hello World!

Server:
  C:\rmi_hello_world>start rmiregistry
  C:\rmi_hello_world>javac -cp . example\hello\*.java
  C:\rmi_hello_world>java -cp . example.hello.Server
  Server ready

Client:
  C:\rmi_hello_world>javac -cp . example\hello\*.java
  C:\rmi_hello_world>java -cp . example.hello.Client 172.16.158.132
  response: Hello, world!
RMI 101. RMI Transport Protocol
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
RMI 101. RMI Transport Protocol
“Call and return data in RMI calls are formatted using the Java Object Serialization Protocol”
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
Java Object Serialization Protocol
“The ability to store and retrieve Java(TM) objects is essential to building all but the most transient applications. The key to storing and retrieving objects in a serialized form is representing the state of objects sufficient to reconstruct the object(s).”
http://docs.oracle.com/javase/7/docs/platform/serialization/spec/serialTOC.html
Warning: If you haven’t fought with Java Serialization before, the specs and the grammar can be confusing…
Java Object Serialization Protocol
• Use small programs to get serialized samples.

import java.io.*;

public class NewArrayInts
{
    public static void main(String [] args)
    {
        int[] anArray;
        anArray = new int[2];
        anArray[0] = -20;
        anArray[1] = 0x41;
        try
        {
            FileOutputStream fileOut =
                new FileOutputStream("new_array_ints.ser");
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(anArray);
            out.close();
            fileOut.close();
        } catch(IOException i)
        {
            i.printStackTrace();
        }
    }
}
Java Object Serialization Protocol

stream:
  magic version contents
contents:
  content
  contents content
content:
  object
  blockdata
object:
  newArray
newArray:
  TC_ARRAY classDesc newHandle <size> values
classDesc:
  newClassDesc
  nullReference
  (ClassDesc)prevObject
newClassDesc:
  TC_CLASSDESC className serialVersionUID newHandle classDescInfo
className:
  (utf)
serialVersionUID:
  (long)
classDescInfo:
  classDescFlags fields classAnnotation superClassDesc
classDescFlags:
  (byte)
fields:
  (short)<count> fieldDesc[count]
classAnnotation:
  endBlockData
  contents endBlockData
superClassDesc:
  classDesc

http://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html#10258
Java Object Serialization Protocol

$ hexdump new_array_ints.ser
0000000 ac ed 00 05 75 72 00 02 5b 49 4d ba 60 26 76 ea
0000010 b2 a5 02 00 00 78 70 00 00 00 02 ff ff ff ec 00
0000020 00 00 41

ac ed                    STREAM_MAGIC
00 05                    STREAM_VERSION
75                       TC_ARRAY
72                       TC_CLASSDESC
00 02 5b 49              className: [I
4d ba 60 26 76 ea b2 a5  serialVersionUID
02                       classDescFlags: SC_SERIALIZABLE
00 00                    fields count
78                       TC_ENDBLOCKDATA (classAnnotation)
70                       TC_NULL (superClassDesc)
00 00 00 02              (int)<size>
ff ff ff ec              value[0] = -20
00 00 00 41              value[1] = 0x41

$ serialver [I
[I: static final long serialVersionUID = 5600894804908749477L;
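As an added example (not code from the slides or from Rex::Java::Serialization), a minimal Ruby parser for the newArray production, run over the new_array_ints.ser bytes from the hexdump above. The className allowlist is a hypothetical hardening in the spirit of a look-ahead deserialization filter, not something the slides describe.

```ruby
require 'stringio'

STREAM_MAGIC    = 0xaced
STREAM_VERSION  = 0x0005
TC_NULL         = 0x70
TC_CLASSDESC    = 0x72
TC_ARRAY        = 0x75
TC_ENDBLOCKDATA = 0x78
SC_SERIALIZABLE = 0x02

# new_array_ints.ser, re-typed from the slide's hexdump.
NEW_ARRAY_INTS_SER = [%w[aced 0005 75 72 0002 5b49 4dba602676eab2a5 02 0000
                         78 70 00000002 ffffffec 00000041].join].pack('H*')

# Readers for the primitive array classes accepted; the table doubles as an
# allowlist (hypothetical hardening, like a look-ahead filter) so no other
# class descriptor is consumed.
ELEMENT_READERS = {
  '[I' => ->(io) { take(io, 4).unpack1('l>') }, # int
  '[J' => ->(io) { take(io, 8).unpack1('q>') }, # long
  '[B' => ->(io) { take(io, 1).unpack1('c') }   # byte
}.freeze

# Reads exactly n bytes or fails, so a truncated stream cannot reach unpack.
def take(io, n)
  data = io.read(n)
  raise "truncated stream: wanted #{n} bytes" unless data && data.bytesize == n
  data
end
def u8(io);  take(io, 1).unpack1('C'); end
def u16(io); take(io, 2).unpack1('n'); end

# stream: magic version contents, with one content item: a primitive newArray.
def parse_primitive_array(bytes)
  io = StringIO.new(bytes)
  magic, version = take(io, 4).unpack('nn')
  raise format('bad STREAM_MAGIC 0x%04x', magic) unless magic == STREAM_MAGIC
  raise "bad STREAM_VERSION #{version}" unless version == STREAM_VERSION
  raise 'expected TC_ARRAY' unless u8(io) == TC_ARRAY
  # classDesc: only an inline newClassDesc is handled, no prevObject handles.
  raise 'expected TC_CLASSDESC' unless u8(io) == TC_CLASSDESC
  class_name = take(io, u16(io))                                # className (utf)
  reader = ELEMENT_READERS.fetch(class_name) { raise "class #{class_name} not allowed" }
  serial_version_uid = take(io, 8).unpack1('q>')                # (long)
  raise 'SC_SERIALIZABLE not set' if (u8(io) & SC_SERIALIZABLE).zero?
  raise 'arrays declare no fields' unless u16(io).zero?
  raise 'expected TC_ENDBLOCKDATA' unless u8(io) == TC_ENDBLOCKDATA  # classAnnotation
  raise 'expected TC_NULL' unless u8(io) == TC_NULL                  # superClassDesc
  size = take(io, 4).unpack1('l>')                                   # (int)<size>
  raise "implausible array size #{size}" if size.negative? || size > 1_000_000
  values = Array.new(size) { reader.call(io) }
  raise 'trailing bytes after the array' unless io.eof?
  { class_name: class_name, serial_version_uid: serial_version_uid, values: values }
end
```

Running parse_primitive_array on the sample yields class [I, the serialVersionUID that serialver printed, and the values [-20, 0x41]; a truncated stream or a className outside the table is rejected before any values are read.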
Java Object Serialization Protocol
• Also, you have two useful (Java) classes:
  – java.io.ObjectOutputStream
  – java.io.ObjectInputStream
• Read and debug them! (The NewArrayInts program above is a good place to start.)
Java Object Serialization Protocol
• Several days later…:
  – Rex::Java::Serialization: not full support, but good enough for our purposes.
• Includes models for the different entities described in the Java Serialization Protocol specs/grammar.
• Every object can decode itself (deserialization) from an IO and encode itself (serialization).
• Rex::Java::Serialization::Builder allows easy building of some elements.
  – Also: tools/java_deserializer.rb allows inspecting Java serialized streams, zooming into arrays and objects.
Java Object Serialization Protocol

$ tools/java_deserializer.rb /tmp/call_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
  BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }
]
@references: [
]
Java Object Serialization Protocol

$ tools/java_deserializer.rb /tmp/return_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
  BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
  Utf { Hello, world! }
]
@references: [
  [7e0000] Utf { Hello, world! }
]
Finally…
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html

Call (call_demo.bin):
BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }

Return (return_demo.bin):
@contents: [
  BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
  Utf { Hello, world! }
]
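As an added example (not code from the slides or from Rex::Proto::Rmi), a Ruby decoder for the two BlockData payloads above, following the CallData and ReturnData layout of rmi-protocol4: an ObjID is objNum (long) plus a UID of unique (int), time (long) and count (short), followed by the operation number (int) and the method hash (long); a return starts with the return type byte and a fresh UID. The :extra field and the hash-to-method remark are this example's own framing.

```ruby
# Bytes of the two BlockData items listed above (re-typed from the slides).
CALL_BLOCKDATA = [
  0x24, 0x05, 0x74, 0x80, 0x6a, 0x00, 0x05, 0x7f, # ObjID.objNum (long)
  0x90, 0x3a, 0x40, 0x57,                         # UID.unique (int)
  0x00, 0x00, 0x01, 0x4c, 0x6c, 0xca, 0x1b, 0xae, # UID.time (long)
  0x80, 0x01,                                     # UID.count (short)
  0xff, 0xff, 0xff, 0xff,                         # operation = -1 (hash-based)
  0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf  # method hash (long)
].pack('C*')
RETURN_BLOCKDATA = [
  0x01,                                           # returnType: normal return
  0x90, 0x3a, 0x40, 0x57, 0x00, 0x00, 0x01, 0x4c, # UID.unique, UID.time ...
  0x6c, 0xca, 0x1b, 0xae, 0x80, 0x0b              # ... and UID.count
].pack('C*')

# Fixed-size headers, big-endian and signed as in Java's DataOutput.
CALL_HEADER    = 'q>l>q>s>l>q>' # objNum, unique, time, count, opnum, hash
CALL_HDR_LEN   = 34
RETURN_HEADER  = 'Cl>q>s>'      # returnType, unique, time, count
RETURN_HDR_LEN = 15
RETURN_TYPES   = { 0x01 => :normal_return, 0x02 => :exceptional_return }.freeze

# CallData: ObjID (objNum + UID), operation number, method hash. Primitive
# arguments would be appended to the same block data (returned as :extra);
# object arguments travel as separate content items of the stream.
def parse_call_data(bytes)
  if bytes.bytesize < CALL_HDR_LEN
    raise "call data shorter than the #{CALL_HDR_LEN}-byte header"
  end
  obj_num, unique, time, count, opnum, hash = bytes.unpack(CALL_HEADER)
  # opnum -1 means the method is selected by the 64-bit hash alone, so a
  # monitor that wants a method name needs its own hash-to-method table.
  { obj_num: obj_num, uid: { unique: unique, time: time, count: count },
    opnum: opnum, method_hash: hash, extra: bytes.byteslice(CALL_HDR_LEN..-1) }
end

# ReturnData: return type byte, then a fresh UID. An object result (the Utf
# "Hello, world!" above) is the next content item, not part of this block.
def parse_return_data(bytes)
  if bytes.bytesize < RETURN_HDR_LEN
    raise "return data shorter than the #{RETURN_HDR_LEN}-byte header"
  end
  type, unique, time, count = bytes.unpack(RETURN_HEADER)
  kind = RETURN_TYPES.fetch(type) { raise "bad returnType #{type}" }
  { return_type: kind, uid: { unique: unique, time: time, count: count },
    extra: bytes.byteslice(RETURN_HDR_LEN..-1) }
end
```

Decoding both payloads shows the call carries opnum -1 with hash 0x53e0822d3e3724df and the return is a normal return whose UID shares unique and time with the call's UID (both minted by the same JVM) but has a later count.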
Finally…
• Rex::Proto::Rmi
  – Model for the RMI protocol as described in the specs / grammar. Every object can read itself from an IO or write itself into a String.
• Msf::Java::Rmi::Client
  – Mixin including the Exploit::Remote::TCP one.
  – Methods to make RMI calls easier from the modules.
  – Also methods to build calls for some common RMI endpoints:
    • Registry
    • JMX Management
RMI Method Invocation
• In order to debug RMI calls, let’s understand them a little bit better.
• Use rmic to generate the stubs (v1.2). It’s not needed anymore, since nowadays static stubs are deprecated in favor of dynamic code.
• It will generate a new class, HelloImpl_Stub.class:
  rmic -classpath . example.hello.HelloImpl
RMI Method Invocation
[Class diagram: HelloImpl_Stub extends java.rmi.server.RemoteStub (a java.rmi.server.RemoteObject) and implements example.hello.Hello (a java.rmi.Remote); the java.rmi.server.RemoteRef ref field holds a sun.rmi.server.UnicastRef, which implements RemoteRef.]
Case Study: java_rmi_registry
• The RMI Registry is just a remote object provided by Java, so every virtual machine knows its interface.
• Listens on a well-known port: 1099/TCP.
msf > use auxiliary/gather/java_rmi_registry
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.131
rhost => 172.16.158.131
msf auxiliary(java_rmi_registry) > run
[*] 172.16.158.131:1099 - Sending RMI Header...
[*] 172.16.158.131:1099 - Listing names in the Registry...
[+] 172.16.158.131:1099 - 1 names found in the Registry
[+] 172.16.158.131:1099 - Name Hello (example.hello.HelloImpl_Stub) found on 172.16.158.131:1175
[*] Auxiliary module execution completed
Case Study: java_rmi_server
Credits: Michael Schierl @mihi42
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-arch5.html
“RMI allows parameters, return values and exceptions passed in RMI calls to be any object that is serializable. RMI uses the object serialization mechanism to transmit data from one virtual machine to another and also annotates the call stream with the appropriate location information so that the class definition files can be loaded at the receiver.”
Case Study: java_jmx_server
Credits: Braden Thomas, http://www.accuvant.com/blog/exploiting-jmx-rmi

msf auxiliary(java_rmi_registry) > set rhost 172.16.158.132
rhost => 172.16.158.132
msf auxiliary(java_rmi_registry) > set rport 1617
rport => 1617
msf auxiliary(java_rmi_registry) > run
[*] 172.16.158.132:1617 - Sending RMI Header...
[*] 172.16.158.132:1617 - Listing names in the Registry...
[+] 172.16.158.132:1617 - 1 names found in the Registry
[+] 172.16.158.132:1617 - Name jmxrmi (javax.management.remote.rmi.RMIServerImpl_Stub) found on 172.16.158.132:1471
[*] Auxiliary module execution completed
DEMO
Conclusions
• Ruby support on MSF for:
  – Java Serialization
  – RMI
  – Some JMX
  No more RAW streams!
• Lots of examples:
  – All the RMI/JMX modules have been ported.
  – Specs
  – New modules: java_rmi_registry, java_jmx_server
• TODO
  – Full Java Serialization support.
  – Exploit all the things! PRs are super welcome!
QUESTIONS?
THANK YOU!