Nmap Development mailing list archives

Re: rmiregistry default configuration vulnerability script


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 25 May 2012 21:16:00 +0200

On Fri, May 25, 2012 at 8:48 PM, Aleksandar Nikolic
<nikolic.alek () gmail com> wrote:

Hi All,

I've written a script to test rmiregistry servers for this default
configuration
vulnerability which allows remote class loading and therefore remote
code execution.

There is a Metasploit exploit for this vulnerability.

To test it, you just need to run rmiregistry, which comes with
any JRE installation (rmiregistry.exe on Windows, rmiregistry on Linux),
and then run the script against it.

I've attached the script and a small patch for the rmi.lua library, as I needed
one function to add raw data as arguments to writeMethodCall.
The script already contains serialized data; it was easier to do it
that way than to implement the whole serialization in the library.
For additional info, see the references in the script.

Please tell me if you have any comments and suggestions.


Thanks,
Aleksandar

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Great job! I just tested it and it worked great for me.
I'm wondering whether the match for "RMI class loader disabled" could be a
problem if it's localized?
Is there anything else you could match in the packet, like an error code or
something?

An alternative I initially thought of and tested was to use an http-link
pointing to the scanning host and to pick it up with pcap. But that's
probably not very solid, as there may be firewalls or other devices blocking
the connect-back request.

//Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
