Nmap Development mailing list archives
Re: rmiregistry default configuration vulnerability script
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 25 May 2012 21:16:00 +0200
On Fri, May 25, 2012 at 8:48 PM, Aleksandar Nikolic <nikolic.alek () gmail com>wrote:
Hi All, I've written a script to test rmiregistry servers for this default configuration vulnerability which allows remote class loading and therefore remote code execution. There is a Metasploit exploit for this vulnerability. To test it , you just need to run rmiregistry which comes with any JRE installation (rmiregistry.exe on Windows, rmiregistry on Linux) and then run the script against it. I've attached the script and a small patch for rmi.lua library as I needed one function to add raw data as arguments to writeMethodCall. The sciript contains already serialized data, it was easier to do it that way then implement the whole serialization in the library. For additional info , see references in the script. Please tell me if you have any comments and suggestions. Thanks, Aleksandar _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Great job! I just tested it and it worked great for me. I'm wondering whether the match for "RMI class loader disabled" could be a problem if it's localized? Is there anything else you could match in the packet, like an error code or something? An alternative I initially thought of and tested was to use a http-link pointing to the scanning host and to pick it up with pcap. But that's probably not very solid as there may be firewalls or other device blocking the connect back request. //Patrik -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- rmiregistry default configuration vulnerability script Aleksandar Nikolic (May 25)
- Re: rmiregistry default configuration vulnerability script Patrik Karlsson (May 25)
- <Possible follow-ups>
- Re: rmiregistry default configuration vulnerability script Marcus Haebler (May 26)
- Re: rmiregistry default configuration vulnerability script Aleksandar Nikolic (May 26)
- Re: rmiregistry default configuration vulnerability script David Fifield (May 27)
- Re: rmiregistry default configuration vulnerability script Aleksandar Nikolic (May 28)
- Re: rmiregistry default configuration vulnerability script Patrik Karlsson (May 29)
- Re: rmiregistry default configuration vulnerability script Aleksandar Nikolic (May 26)