Nmap Development mailing list archives

rmiregistry default configuration vulnerability script


From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Fri, 25 May 2012 20:48:07 +0200

Hi All,

I've written a script to test rmiregistry servers for this default
configuration vulnerability, which allows remote class loading and
therefore remote code execution.

There is a Metasploit exploit for this vulnerability.

To test it, you just need to run rmiregistry, which comes with
any JRE installation (rmiregistry.exe on Windows, rmiregistry on Linux),
and then run the script against it.

I've attached the script and a small patch for the rmi.lua library, as I needed
one function to add raw data as arguments to writeMethodCall.
The script contains already serialized data; it was easier to do it
that way than to implement the whole serialization in the library.
For additional info, see the references in the script.

Please tell me if you have any comments and suggestions.


Thanks,
Aleksandar

Attachment: rmi-vuln-classloader.nse

Attachment: rmi.diff

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/