Nmap Development mailing list archives
Re: NSE: RMI Dumpregistry
From: Martin Holst Swende <martin () swende se>
Date: Thu, 30 Sep 2010 23:42:31 +0200
Hi list,

I have now rewritten and expanded large parts of the rmi registry dumper. I took some inspiration from Patrik's OO-approach to java classes/fields, but most of the codebase is still based on the OpenJDK implementation.

Some additions that have been made:

- Better protocol support, now parses out the ip:port to the actual objects
- Catches 'custom data', which actually discloses the classpath in some cases
- Tested a lot against rmi registries I found out on the series of tubes

This script could do with some more polishing, but that's mostly documentation and decreasing verbosity. I think it is robust enough for testing, and for that reason I let the output be pretty verbose, so I can interpret any errors that occur. In the final version, some of the debugging-info should be removed.

Scripts are attached, but the latest can also be cloned or downloaded from http://martin.swende.se/hgwebdir.cgi/nsescripts/

Some example outputs below.

Example output against a jmx-enabled application:

PORT     STATE SERVICE REASON
1099/tcp open  rmi     syn-ack
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:40353
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject

Example output against a 'proprietary' java app using rmi for distribution:

PORT     STATE SERVICE REASON
1099/tcp open  rmi     syn-ack
| rmi-dumpregistry:
|   secretobject
|     implements java.rmi.Remote, VulnerableServerIF,
|     extends
|       java.lang.reflect.Proxy
|     fields
|       Ljava/lang/reflect/InvocationHandler; h
|         java.rmi.server.RemoteObjectInvocationHandler
|         @127.0.0.1:59119
|         extends
|           java.rmi.server.RemoteObject
|   mrtickle
|     implements java.rmi.Remote, VulnerableServerIF,
|     extends
|       java.lang.reflect.Proxy
|     fields
|       Ljava/lang/reflect/InvocationHandler; h
|         java.rmi.server.RemoteObjectInvocationHandler
|         @127.0.0.1:59119
|         extends
|           java.rmi.server.RemoteObject
|   HiddenObject
|     implements java.rmi.Remote, VulnerableServerIF,
|     extends
|       java.lang.reflect.Proxy
|     fields
|       Ljava/lang/reflect/InvocationHandler; h
|         java.rmi.server.RemoteObjectInvocationHandler
|         @127.0.0.1:59119
|         extends
|_          java.rmi.server.RemoteObject
Final times for host: srtt: 63 rttvar: 2829 to:

And finally, an anonymized output of a coldfusion-application I found on the net, which discloses the classpath:

@output
PORT     STATE SERVICE REASON
1099/tcp open  rmi     syn-ack
| rmi-dumpregistry:
|   cfassembler/default
|     coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
|     @192.168.15.55:1371
|     extends
|       java.rmi.server.RemoteStub
|       extends
|         java.rmi.server.RemoteObject
|     Custom data
|       Classpath
|         file:/C:/CFusionMX7/runtime/../lib/ant-launcher.jar
|         file:/C:/CFusionMX7/runtime/../lib/ant.jar
|         file:/C:/CFusionMX7/runtime/../lib/axis.jar
|         file:/C:/CFusionMX7/runtime/../lib/backport-util-concurrent.jar
|         file:/C:/CFusionMX7/runtime/../lib/bcel.jar
|         file:/C:/CFusionMX7/runtime/../lib/cdo.jar
|         file:/C:/CFusionMX7/runtime/../lib/cdohost.jar
|         file:/C:/CFusionMX7/runtime/../lib/cf4was.jar
|         file:/C:/CFusionMX7/runtime/../lib/cf4was_ae.jar
|         file:/C:/CFusionMX7/runtime/../lib/cfmx-ssl.jar
|         file:/C:/CFusionMX7/runtime/../lib/cfusion.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-beanutils-1.5.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-collections-2.1.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.3.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.7.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-discovery-0.2.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-discovery.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-logging-1.0.2.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-logging-api-1.0.2.jar
|         file:/C:/CFusionMX7/runtime/../lib/commons-net-1.2.2.jar
|         file:/C:/CFusionMX7/runtime/../lib/crystal.jar
|         file:/C:/CFusionMX7/runtime/../lib/flashgateway.jar
|         file:/C:/CFusionMX7/runtime/../lib/flashremoting_update.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-assemblerservice.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-messaging-common.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-messaging-opt.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-messaging-req.jar
|         file:/C:/CFusionMX7/runtime/../lib/flex-messaging.jar
|         file:/C:/CFusionMX7/runtime/../lib/httpclient.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib61patch.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib6addonpatch.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib6core.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib6swing.jar
|         file:/C:/CFusionMX7/runtime/../lib/ib6util.jar
|         file:/C:/CFusionMX7/runtime/../lib/im.jar
|         file:/C:/CFusionMX7/runtime/../lib/iText.jar
|         file:/C:/CFusionMX7/runtime/../lib/iTextAsian.jar
|         file:/C:/CFusionMX7/runtime/../lib/izmado.jar
|         file:/C:/CFusionMX7/runtime/../lib/jakarta-oro-2.0.6.jar
|         file:/C:/CFusionMX7/runtime/../lib/java2wsdl.jar
|         file:/C:/CFusionMX7/runtime/../lib/jaxrpc.jar
|         file:/C:/CFusionMX7/runtime/../lib/jdom.jar
|         file:/C:/CFusionMX7/runtime/../lib/jeb.jar
|         file:/C:/CFusionMX7/runtime/../lib/jintegra.jar
|         file:/C:/CFusionMX7/runtime/../lib/ldap.jar
|         file:/C:/CFusionMX7/runtime/../lib/ldapbp.jar
|         file:/C:/CFusionMX7/runtime/../lib/log4j.jar
|         file:/C:/CFusionMX7/runtime/../lib/macromedia_drivers.jar
|         file:/C:/CFusionMX7/runtime/../lib/mail.jar
|         file:/C:/CFusionMX7/runtime/../lib/msapps.jar
|         file:/C:/CFusionMX7/runtime/../lib/pbclient42RE.jar
|         file:/C:/CFusionMX7/runtime/../lib/pbembedded42RE.jar
|         file:/C:/CFusionMX7/runtime/../lib/pbserver42RE.jar
|         file:/C:/CFusionMX7/runtime/../lib/pbtools42RE.jar
|         file:/C:/CFusionMX7/runtime/../lib/poi-2.5.1-final-20040804.jar
|         file:/C:/CFusionMX7/runtime/../lib/poi-contrib-2.5.1-final-20040804.jar
|         file:/C:/CFusionMX7/runtime/../lib/ri_generic.jar
|         file:/C:/CFusionMX7/runtime/../lib/saaj.jar
|         file:/C:/CFusionMX7/runtime/../lib/smack.jar
|         file:/C:/CFusionMX7/runtime/../lib/smpp.jar
|         file:/C:/CFusionMX7/runtime/../lib/STComm.jar
|         file:/C:/CFusionMX7/runtime/../lib/tools.jar
|         file:/C:/CFusionMX7/runtime/../lib/tt-bytecode.jar
|         file:/C:/CFusionMX7/runtime/../lib/vadmin.jar
|         file:/C:/CFusionMX7/runtime/../lib/verity.jar
|         file:/C:/CFusionMX7/runtime/../lib/vparametric.jar
|         file:/C:/CFusionMX7/runtime/../lib/vsearch.jar
|         file:/C:/CFusionMX7/runtime/../lib/wc50.jar
|         file:/C:/CFusionMX7/runtime/../lib/webchartsJava2D.jar
|         file:/C:/CFusionMX7/runtime/../lib/wsdl2java.jar
|         file:/C:/CFusionMX7/runtime/../lib/wsdl4j-1.5.1.jar
|         file:/C:/CFusionMX7/runtime/../lib/wsdl4j.jar
|         file:/C:/CFusionMX7/runtime/../lib/xalan.jar
|         file:/C:/CFusionMX7/runtime/../lib/xercesImpl.jar
|         file:/C:/CFusionMX7/runtime/../lib/xml-apis.jar
|         file:/C:/CFusionMX7/runtime/../lib/
|         file:/C:/CFusionMX7/runtime/../gateway/lib/examples.jar
|         file:/C:/CFusionMX7/runtime/../gateway/lib/
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-awt-util.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-css.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-ext.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-transcoder.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-util.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-discovery.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-logging.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/concurrent.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/flex.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jakarta-oro-2.0.7.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jcert.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jnet.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jsse.jar
|         file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/oscache.jar
|_        file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/

Regards,
Martin
Attachment:
rmi.tar.gz
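As an added example (not Martin's script and not part of this thread), a small Python parser for the tree layout rmi-dumpregistry prints: it pulls out each bound name, its stub or proxy class, the host:port the remote object is actually exported on, and any disclosed classpath, then flags the two things a defender reviewing such output would want to know: objects exported on a host or interface other than the one scanned, and classpath disclosure. The sample block is constructed from the outputs above; the two-space-per-level indentation is an assumption about the script's layout.

```python
import re

# Constructed sample in the layout rmi-dumpregistry prints (two bound names).
SAMPLE = """\
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:40353
|     extends
|       java.rmi.server.RemoteStub
|   cfassembler/default
|     coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
|     @192.168.15.55:1371
|     Custom data
|       Classpath
|         file:/C:/CFusionMX7/runtime/../lib/cfusion.jar
|_        file:/C:/CFusionMX7/runtime/../lib/
"""
_LINE = re.compile(r"^\|[_ ]?( *)(\S.*)$")       # "| " or "|_", indent, item
_ENDPOINT = re.compile(r"^@([^:]+):(\d+)$")       # "@host:port" of the exported object
_KEYWORDS = ("extends", "implements", "fields", "Custom data", "Classpath")

def parse_dumpregistry(text):
    """Turn the script's tree output into one dict per bound name (depth = indent / 2)."""
    entries, in_classpath = [], False
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m or m.group(2).startswith("rmi-dumpregistry"):
            continue
        depth, item = len(m.group(1)) // 2, m.group(2).rstrip()
        if depth == 1:                           # a new name bound in the registry
            entries.append({"name": item, "class": "", "endpoint": None, "classpath": []})
            in_classpath = False
            continue
        cur, ep = entries[-1], _ENDPOINT.match(item)
        if ep:
            cur["endpoint"] = (ep.group(1), int(ep.group(2)))
        elif item == "Classpath":
            in_classpath = True
        elif in_classpath and item.startswith("file:"):
            cur["classpath"].append(item)
        elif not cur["class"] and not item.startswith(_KEYWORDS):
            cur["class"] = item                  # first plain line is the stub/proxy class
    return entries

def triage(entries, scanned_host):
    """Findings a defender cares about: objects exported elsewhere, classpath leaks."""
    out = []
    for e in entries:
        if e["endpoint"] and e["endpoint"][0] != scanned_host:
            out.append((e["name"], "exported at %s:%d" % e["endpoint"]))
        if e["classpath"]:
            out.append((e["name"], "classpath disclosed (%d entries)" % len(e["classpath"])))
    return out
```

Run `triage(parse_dumpregistry(SAMPLE), "192.168.15.55")` to see the jmxrmi object flagged for living on 127.0.1.1 and the coldfusion entry flagged for its classpath.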
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: NSE: RMI Dumpregistry David Fifield (Aug 03)
- Re: NSE: RMI Dumpregistry Martin Holst Swende (Aug 08)
- Re: NSE: RMI Dumpregistry David Fifield (Aug 08)
- Re: NSE: RMI Dumpregistry Martin Holst Swende (Sep 30)
- Re: NSE: RMI Dumpregistry David Fifield (Aug 08)
- Re: NSE: RMI Dumpregistry Martin Holst Swende (Aug 08)