Nmap Development mailing list archives

Re: NSE: RMI Dumpregistry


From: Martin Holst Swende <martin () swende se>
Date: Thu, 30 Sep 2010 23:42:31 +0200

Hi list,

I have now rewritten and expanded large parts of the rmi registry
dumper. I took some inspiration from Patrik's OO-approach to java
classes/fields, but most of the codebase is still based on the OpenJDK
implementation. Some additions that have been made:
- Better protocol support, now parses out the ip:port to the actual objects
- Catches 'custom data', which actually discloses the classpath in some
cases
- Tested a lot against rmi registries I found out on the series of tubes

This script could do with some more polishing, but that's mostly
documentation and decreasing verbosity. I think it is robust enough for
testing, and for that reason I let the output be pretty verbose, so I
can interpret any errors that occur. In the final version, some of the
debugging info should be removed.

Scripts are attached, but the latest can also be cloned or downloaded
from http://martin.swende.se/hgwebdir.cgi/nsescripts/

Some example outputs below.

Example output against a jmx-enabled application:


PORT     STATE SERVICE REASON
1099/tcp open  rmi     syn-ack
| rmi-dumpregistry: 
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:40353
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject


Example output against a 'proprietary' java app using rmi for distribution:
PORT     STATE SERVICE REASON
1099/tcp open  rmi     syn-ack
| rmi-dumpregistry: 
|   secretobject
|      implements java.rmi.Remote, VulnerableServerIF,
|     extends
|       java.lang.reflect.Proxy
|       fields
|           Ljava/lang/reflect/InvocationHandler; h
|             java.rmi.server.RemoteObjectInvocationHandler
|             @127.0.0.1:59119
|             extends
|               java.rmi.server.RemoteObject
|   mrtickle
|      implements java.rmi.Remote, VulnerableServerIF,
|     extends
|       java.lang.reflect.Proxy
|       fields
|           Ljava/lang/reflect/InvocationHandler; h
|             java.rmi.server.RemoteObjectInvocationHandler
|             @127.0.0.1:59119
|             extends
|               java.rmi.server.RemoteObject
|   HiddenObject
|      implements java.rmi.Remote, VulnerableServerIF,
|     extends
|       java.lang.reflect.Proxy
|       fields
|           Ljava/lang/reflect/InvocationHandler; h
|             java.rmi.server.RemoteObjectInvocationHandler
|             @127.0.0.1:59119
|             extends
|_              java.rmi.server.RemoteObject
Final times for host: srtt: 63 rttvar: 2829  to:

And finally, an anonymized output of a ColdFusion application I found on
the net, which discloses the classpath:

@output
PORT     STATE SERVICE REASON
1099/tcp open  rmi     syn-ack
| rmi-dumpregistry: 
|   cfassembler/default
|     coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
|     @192.168.15.55:1371
|     extends
|       java.rmi.server.RemoteStub
|       extends
|         java.rmi.server.RemoteObject
|     Custom data
|       Classpath
|         file:/C:/CFusionMX7/runtime/../lib/ant-launcher.jar
|         file:/C:/CFusionMX7/runtime/../lib/ant.jar
|         file:/C:/CFusionMX7/runtime/../lib/axis.jar
|         file:/C:/CFusionMX7/runtime/../lib/backport-util-concurrent.jar
|         file:/C:/CFusionMX7/runtime/../lib/bcel.jar
|         file:/C:/CFusionMX7/runtime/../lib/cdo.jar
|         file:/C:/CFusionMX7/runtime/../lib/cdohost.jar
|         file:/C:/CFusionMX7/runtime/../lib/cf4was.jar
|         file:/C:/CFusionMX7/runtime/../lib/cf4was_ae.jar
|         file:/C:/CFusionMX7/runtime/../lib/cfmx-ssl.jar
|         file:/C:/CFusionMX7/runtime/../lib/cfusion.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-beanutils-1.5.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-collections-2.1.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.3.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.7.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-discovery-0.2.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-discovery.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-logging-1.0.2.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-logging-api-1.0.2.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-net-1.2.2.jar
|         file:/C:/CFusionMX7/runtime/../lib/crystal.jar
|         file:/C:/CFusionMX7/runtime/../lib/flashgateway.jar
|         file:/C:/CFusionMX7/runtime/../lib/flashremoting_update.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-assemblerservice.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-messaging-common.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-messaging-opt.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-messaging-req.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-messaging.jar
|         file:/C:/CFusionMX7/runtime/../lib/httpclient.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib61patch.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib6addonpatch.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib6core.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib6swing.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib6util.jar
|         file:/C:/CFusionMX7/runtime/../lib/im.jar
|         file:/C:/CFusionMX7/runtime/../lib/iText.jar
|         file:/C:/CFusionMX7/runtime/../lib/iTextAsian.jar
|         file:/C:/CFusionMX7/runtime/../lib/izmado.jar
|         file:/C:/CFusionMX7/runtime/../lib/jakarta-oro-2.0.6.jar
|         file:/C:/CFusionMX7/runtime/../lib/java2wsdl.jar
|         file:/C:/CFusionMX7/runtime/../lib/jaxrpc.jar
|         file:/C:/CFusionMX7/runtime/../lib/jdom.jar
|         file:/C:/CFusionMX7/runtime/../lib/jeb.jar
|         file:/C:/CFusionMX7/runtime/../lib/jintegra.jar
|         file:/C:/CFusionMX7/runtime/../lib/ldap.jar
|         file:/C:/CFusionMX7/runtime/../lib/ldapbp.jar
|         file:/C:/CFusionMX7/runtime/../lib/log4j.jar
|         file:/C:/CFusionMX7/runtime/../lib/macromedia_drivers.jar
|         file:/C:/CFusionMX7/runtime/../lib/mail.jar
|         file:/C:/CFusionMX7/runtime/../lib/msapps.jar
|         file:/C:/CFusionMX7/runtime/../lib/pbclient42RE.jar
|         file:/C:/CFusionMX7/runtime/../lib/pbembedded42RE.jar
|         file:/C:/CFusionMX7/runtime/../lib/pbserver42RE.jar
|         file:/C:/CFusionMX7/runtime/../lib/pbtools42RE.jar
|         file:/C:/CFusionMX7/runtime/../lib/poi-2.5.1-final-20040804.jar
|         file:/C:/CFusionMX7/runtime/../lib/poi-contrib-2.5.1-final-20040804.jar
|         file:/C:/CFusionMX7/runtime/../lib/ri_generic.jar
|         file:/C:/CFusionMX7/runtime/../lib/saaj.jar
|         file:/C:/CFusionMX7/runtime/../lib/smack.jar
|         file:/C:/CFusionMX7/runtime/../lib/smpp.jar
|         file:/C:/CFusionMX7/runtime/../lib/STComm.jar
|         file:/C:/CFusionMX7/runtime/../lib/tools.jar
|         file:/C:/CFusionMX7/runtime/../lib/tt-bytecode.jar
|         file:/C:/CFusionMX7/runtime/../lib/vadmin.jar
|         file:/C:/CFusionMX7/runtime/../lib/verity.jar
|         file:/C:/CFusionMX7/runtime/../lib/vparametric.jar
|         file:/C:/CFusionMX7/runtime/../lib/vsearch.jar
|         file:/C:/CFusionMX7/runtime/../lib/wc50.jar
|         file:/C:/CFusionMX7/runtime/../lib/webchartsJava2D.jar
|         file:/C:/CFusionMX7/runtime/../lib/wsdl2java.jar
|         file:/C:/CFusionMX7/runtime/../lib/wsdl4j-1.5.1.jar
|         file:/C:/CFusionMX7/runtime/../lib/wsdl4j.jar
|         file:/C:/CFusionMX7/runtime/../lib/xalan.jar
|         file:/C:/CFusionMX7/runtime/../lib/xercesImpl.jar
|         file:/C:/CFusionMX7/runtime/../lib/xml-apis.jar
|         file:/C:/CFusionMX7/runtime/../lib/
|         file:/C:/CFusionMX7/runtime/../gateway/lib/examples.jar
|         file:/C:/CFusionMX7/runtime/../gateway/lib/
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-awt-util.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-css.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-ext.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-transcoder.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-util.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-discovery.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-logging.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/concurrent.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/flex.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jakarta-oro-2.0.7.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jcert.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jnet.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jsse.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/oscache.jar
|_        file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/



Regards,
Martin
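One way a defender can consume this script's output, as an added example (Python, not part of the script or of this post): parse the tree into bindings, stub classes, endpoints and classpath entries, and flag bindings whose remote object listens on a non-loopback address. The sample output is constructed from the formats shown above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the rmi-dumpregistry output shown in the post (not real scan data).
SAMPLE_OUTPUT = """\
PORT     STATE SERVICE REASON
1099/tcp open  rmi     syn-ack
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:40353
|   cfassembler/default
|     coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
|     @192.168.15.55:1371
|     Custom data
|       Classpath
|         file:/C:/CFusionMX7/runtime/../lib/cfusion.jar
|_        file:/C:/CFusionMX7/runtime/../lib/
"""

ENDPOINT_RE = re.compile(r"^@(?P<host>[^:\s]+):(?P<port>\d+)$")
KEYWORDS = {"extends", "implements", "fields", "Custom", "Classpath"}

def parse_dumpregistry(text):
    """Turn the script's tree-shaped output into {binding_name: {class, endpoint, classpath}}."""
    entries, current, in_classpath = {}, None, False
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # skip the port table and anything not from the script
        body = raw[2:]                    # drop the "| " / "|_" prefix; the rest keeps its indentation
        line = body.strip()
        indent = len(body) - len(body.lstrip(" "))
        if indent == 2:                   # a registry binding name sits at the shallowest level
            current = entries.setdefault(line, {"class": None, "endpoint": None, "classpath": []})
            in_classpath = False
        elif current is None:
            continue                      # header line "rmi-dumpregistry:" before any binding
        elif (m := ENDPOINT_RE.match(line)):
            current["endpoint"] = (m.group("host"), int(m.group("port")))  # where the object listens
        elif line == "Classpath":
            in_classpath = True
        elif in_classpath and line.startswith("file:"):
            current["classpath"].append(line)
        elif indent == 4 and current["class"] is None and line.split(" ", 1)[0] not in KEYWORDS:
            current["class"] = line       # first plain line under the name is the stub/proxy class
    return entries

def exposed_bindings(entries):
    """Names whose remote object listens on a non-loopback address, i.e. reachable off-host."""
    return [name for name, e in entries.items()
            if e["endpoint"] and not ipaddress.ip_address(e["endpoint"][0]).is_loopback]
```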

Attachment: rmi.tar.gz

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
