ISSW 2015 ABUSING JAVA REMOTE INTERFACES Juan Vazquez
Page 1: Abusing Java Remote Interfaces

ISSW 2015

ABUSING JAVA REMOTE INTERFACES

Juan Vazquez

Page 2: Abusing Java Remote Interfaces

Index

2

• About me

• Motivation

• RMI 101

• Java Object Serialization Protocol

• RMI: Method invocation

• Case Study: java_rmi_registry

• Case Study: java_rmi_server

• Case Study: java_jmx_server

• Conclusions

RMI: Remote Method Invocation

JMX: Java Management Extensions

Page 3: Abusing Java Remote Interfaces

About me

3

• I’m not a Java developer

• I’m not a Java hacker

• Exploit Developer at Rapid7

– Metasploit-Framework

• My English… sorry!

Page 4: Abusing Java Remote Interfaces

Motivation

4

• Leon Johnson, awesome pentester at Rapid7, asked about a module for exploiting JMX RMI endpoints.

• Excellent write-up from Braden Thomas:

– http://www.accuvant.com/blog/exploiting-jmx-rmi

Page 5: Abusing Java Remote Interfaces

Motivation

5

Page 6: Abusing Java Remote Interfaces

Motivation

6

Page 7: Abusing Java Remote Interfaces

Motivation

7

Page 8: Abusing Java Remote Interfaces

RMI 101

8

• Wikipedia says:

“The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.” *

* For a better introduction, the Java specs are more useful, but it’s hard to find 1 summary sentence in the specs :)

Page 9: Abusing Java Remote Interfaces

RMI 101. Hello World!

9

Page 10: Abusing Java Remote Interfaces

RMI 101. Hello World!

10

Page 11: Abusing Java Remote Interfaces

RMI 101. Hello World!

11

Page 12: Abusing Java Remote Interfaces

RMI 101. Hello World!

12

Server:

C:\rmi_hello_world>start rmiregistry
C:\rmi_hello_world>javac -cp . example\hello\*.java
C:\rmi_hello_world>java -cp . example.hello.Server
Server ready

Client:

C:\rmi_hello_world>javac -cp . example\hello\*.java
C:\rmi_hello_world>java -cp . example.hello.Client 172.16.158.132
response: Hello, world!

Page 13: Abusing Java Remote Interfaces

RMI 101. RMI Transport Protocol

13

http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html

Page 14: Abusing Java Remote Interfaces

RMI 101. RMI Transport Protocol

14

http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html

Page 15: Abusing Java Remote Interfaces

RMI 101. RMI Transport Protocol

15

http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html

Page 16: Abusing Java Remote Interfaces

16

Page 17: Abusing Java Remote Interfaces

17

Page 18: Abusing Java Remote Interfaces

18

Page 19: Abusing Java Remote Interfaces

RMI 101. RMI Transport Protocol

19

“Call and return data in RMI calls are formatted using the Java Object Serialization Protocol”

http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html

Page 20: Abusing Java Remote Interfaces

Java Object Serialization Protocol

20

“The ability to store and retrieve Java™ objects is essential to building all but the most transient applications. The key to storing and retrieving objects in a serialized form is representing the state of objects sufficient to reconstruct the object(s).”

http://docs.oracle.com/javase/7/docs/platform/serialization/spec/serialTOC.html

Warning: If you haven’t fought with Java Serialization before, the specs and the grammar can be confusing…

Page 21: Abusing Java Remote Interfaces

Java Object Serialization Protocol

21

• Use small programs to get serialized samples.

import java.io.*;

// Writes a two-element int[] with ObjectOutputStream so the resulting
// file (new_array_ints.ser) can be inspected with hexdump.
public class NewArrayInts
{
    public static void main(String [] args)
    {
        int[] anArray;
        anArray = new int[2];
        anArray[0] = -20;   // serialized as ff ff ff ec
        anArray[1] = 0x41;  // serialized as 00 00 00 41
        try
        {
            FileOutputStream fileOut =
                new FileOutputStream("new_array_ints.ser");
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(anArray);
            out.close();
            fileOut.close();
        } catch(IOException i)
        {
            i.printStackTrace();
        }
    }
}

Page 22: Abusing Java Remote Interfaces

Java Object Serialization Protocol

22

stream:
  magic version contents
contents:
  content
  contents content
content:
  object
  blockdata
object:
  newArray
newArray:
  TC_ARRAY classDesc newHandle <size> values
classDesc:
  newClassDesc
  nullReference
  (ClassDesc)prevObject

newClassDesc:
  TC_CLASSDESC className serialVersionUID newHandle classDescInfo
className:
  (utf)
serialVersionUID:
  (long)
classDescInfo:
  classDescFlags fields classAnnotation superClassDesc
classDescFlags:
  (byte)
fields:
  (short)<count> fieldDesc[count]
classAnnotation:
  endBlockData
  contents endBlockData
superClassDesc:
  classDesc

http://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html#10258

Page 23: Abusing Java Remote Interfaces

Java Object Serialization Protocol

23

$ hexdump new_array_ints.ser
0000000 ac ed 00 05 75 72 00 02 5b 49 4d ba 60 26 76 ea
0000010 b2 a5 02 00 00 78 70 00 00 00 02 ff ff ff ec 00
0000020 00 00 41

Byte by byte, following the grammar:

ac ed                     STREAM_MAGIC
00 05                     STREAM_VERSION
75                        TC_ARRAY
72                        TC_CLASSDESC
00 02 5b 49               className: [I
4d ba 60 26 76 ea b2 a5   serialVersionUID
02                        classDescFlags: SC_SERIALIZABLE
00 00                     fields count
78                        TC_ENDBLOCKDATA (classAnnotation)
70                        TC_NULL (superClassDesc)
00 00 00 02               (int)<size>
ff ff ff ec               value[0] = -20
00 00 00 41               value[1] = 0x41

$ serialver [I
[I:    static final long serialVersionUID = 5600894804908749477L;
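The same stream parsed back into the grammar's fields by a small reader. This is an added example, not code from the talk or from Rex::Java::Serialization; the StreamReader class and the parse function are mine, the byte string is the hexdump above, and the reader only handles the shape this stream has (a TC_ARRAY whose classDesc is "[I"), rejecting truncated or unexpected input rather than guessing.

```ruby
require "stringio"
# Type codes and constants from the Java Object Serialization spec.
STREAM_MAGIC, STREAM_VERSION = 0xaced, 5
TC_NULL, TC_CLASSDESC, TC_ARRAY, TC_ENDBLOCKDATA = 0x70, 0x72, 0x75, 0x78
SC_SERIALIZABLE = 0x02

# Bytes of new_array_ints.ser, copied from the hexdump on the slide.
NEW_ARRAY_INTS_SER = %w[
  ac ed 00 05 75 72 00 02 5b 49 4d ba 60 26 76 ea
  b2 a5 02 00 00 78 70 00 00 00 02 ff ff ff ec 00
  00 00 41
].map { |h| h.to_i(16) }.pack("C*")

# Big-endian primitive reads, as java.io.DataInputStream does them.
class StreamReader
  def initialize(bytes)
    @io = StringIO.new(bytes)
  end
  def take(n)                     # strict read: a short stream is an error
    s = @io.read(n)
    raise "truncated stream" unless s && s.bytesize == n
    s
  end
  def byte;  take(1).unpack1("C");  end
  def short; take(2).unpack1("n");  end
  def int;   take(4).unpack1("l>"); end
  def long;  take(8).unpack1("q>"); end
  def utf;   take(short);           end  # (utf): 2-byte length, then bytes
  def eof?;  @io.eof?;              end
end

# Parses one serialized primitive int[] and returns its decoded fields.
def parse_int_array_stream(bytes)
  r = StreamReader.new(bytes)
  raise "bad STREAM_MAGIC"    unless r.short == STREAM_MAGIC
  raise "bad STREAM_VERSION"  unless r.short == STREAM_VERSION
  raise "expected TC_ARRAY"   unless r.byte == TC_ARRAY
  raise "expected newClassDesc" unless r.byte == TC_CLASSDESC
  class_name  = r.utf                      # "[I": array of int
  suid        = r.long                     # serialVersionUID
  flags       = r.byte                     # classDescFlags
  field_count = r.short                    # fields: (short)<count>
  raise "only primitive int[] is handled" unless class_name == "[I" && field_count == 0
  raise "expected empty classAnnotation" unless r.byte == TC_ENDBLOCKDATA
  raise "expected TC_NULL superClassDesc" unless r.byte == TC_NULL
  size   = r.int                           # (int)<size>
  values = Array.new(size) { r.int }       # values, one int each
  raise "trailing bytes after the array" unless r.eof?
  { class_name: class_name, serial_version_uid: suid,
    serializable: (flags & SC_SERIALIZABLE) != 0, values: values }
end
```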

Page 24: Abusing Java Remote Interfaces

Java Object Serialization Protocol

24

• Also, you have two useful (Java) classes:

– java.io.ObjectOutputStream

– java.io.ObjectInputStream

• Read and debug them!


Page 25: Abusing Java Remote Interfaces

Java Object Serialization Protocol

25

• Several days later…:

– Rex::Java::Serialization: Not full support, but good enough for our purposes.

• Includes modeling for the different entities as described in the Java Serialization Protocol specs/grammar.

• Every object can be decoded (unserialized) from an IO or can encode (serialize) itself.

• Rex::Java::Serialization::Builder allows easy building of some elements.

– Also: tools/java_deserializer.rb can inspect Java serialized streams, zooming into arrays and objects.

Page 26: Abusing Java Remote Interfaces

Java Object Serialization Protocol

26

$ tools/java_deserializer.rb /tmp/call_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
  BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }
]
@references: [
]

Page 27: Abusing Java Remote Interfaces

Java Object Serialization Protocol

27

$ tools/java_deserializer.rb /tmp/return_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
  BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
  Utf { Hello, world! }
]
@references: [
  [7e0000] Utf { Hello, world! }
]

Page 28: Abusing Java Remote Interfaces

Finally…

28

BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }  

http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html

Page 29: Abusing Java Remote Interfaces

Finally…

29

http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html

@contents: [
  BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
  Utf { Hello, world! }
]
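The two BlockData payloads from the call and return slides, decoded against the rmi-protocol4 grammar (CallData: ObjectIdentifier Operation Hash Arguments; ReturnValue: 0x01 or 0x02, then a UniqueIdentifier). This is an added example, not code from the talk or from Metasploit; the function names are mine, the byte arrays are copied from the deserializer output above, and the field widths (ObjID long, UID int/long/short) are taken from the spec.

```ruby
# BlockData payloads copied from the tools/java_deserializer.rb output on the
# slides: the call to the Hello remote object and the server's return.
CALL_BLOCKDATA = [0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40,
                  0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1,
                  0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37,
                  0x24, 0xdf].pack("C*")
RETURN_BLOCKDATA = [0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca,
                    0x1b, 0xae, 0x80, 0xb].pack("C*")

# UniqueIdentifier (java.rmi.server.UID): unique (int), time (long), count (short).
UID_BYTES = 4 + 8 + 2

def decode_uid(bytes)
  unique, time, count = bytes.unpack("l>q>s>")
  { unique: unique, time: time, count: count }
end

# CallData: ObjectIdentifier Operation Hash Arguments (rmi-protocol4).
# ObjectIdentifier = ObjectNumber (long) + UniqueIdentifier. An Operation of
# -1 selects the JDK 1.2 stub protocol, in which Hash identifies the method.
def decode_call_data(bytes)
  header = 8 + UID_BYTES + 4 + 8
  raise "CallData too short" if bytes.bytesize < header
  obj_num = bytes.unpack1("q>")
  uid = decode_uid(bytes.byteslice(8, UID_BYTES))
  operation, hash = bytes.byteslice(8 + UID_BYTES, 12).unpack("l>q>")
  # Primitive arguments (none in this call) would follow inside this block;
  # object arguments are written as separate objects in the stream.
  { object_number: obj_num, uid: uid, operation: operation, method_hash: hash,
    primitive_args: bytes.byteslice(header, bytes.bytesize - header) }
end

# ReturnValue: 0x01 UniqueIdentifier Value | 0x02 UniqueIdentifier Exception.
# The Value (here the Utf "Hello, world!") is the next object in the stream.
def decode_return_data(bytes)
  raise "ReturnData too short" if bytes.bytesize < 1 + UID_BYTES
  code = bytes.unpack1("C")
  kind = { 0x01 => :normal_return, 0x02 => :exceptional_return }.fetch(code) do
    raise "unknown ReturnValue code 0x#{code.to_s(16)}"
  end
  { kind: kind, uid: decode_uid(bytes.byteslice(1, UID_BYTES)) }
end
```

Note that the call and the return carry the same unique/time pair and differ only in the UID count, which is the quickest way to pair a captured return with its call when reading a pcap.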

Page 30: Abusing Java Remote Interfaces

Finally….

30

• Rex::Proto::Rmi

– Model for the RMI protocol as described in the specs / grammar. Every object can read itself from an IO or write itself into a String.

• Msf::Java::Rmi::Client

– Mixin including the Exploit::Remote::TCP one

– Methods to make RMI calls easier from the modules.

– Also methods to build calls for some common RMI endpoints:

• Registry

• JMX Management

Page 31: Abusing Java Remote Interfaces

RMI Method Invocation

31

• In order to debug RMI calls, let’s understand them a little bit better.

• Use rmic to generate the stubs (v1.2). It’s not needed anymore, since nowadays static stubs are deprecated in favor of dynamically generated stubs.

• It will generate a new class, HelloImpl_Stub.class:

rmic -classpath . example.hello.HelloImpl

Page 32: Abusing Java Remote Interfaces

RMI Method Invocation

32

Class diagram of the generated stub:

– example.hello.Hello extends java.rmi.Remote (the remote interface)

– java.rmi.server.RemoteStub extends java.rmi.server.RemoteObject (the stub's superclasses)

– HelloImpl_Stub extends RemoteStub and implements example.hello.Hello

– RemoteObject holds the field java.rmi.server.RemoteRef ref, implemented here by sun.rmi.server.UnicastRef

Page 33: Abusing Java Remote Interfaces

RMI Method Invocation

33

Page 34: Abusing Java Remote Interfaces

Case Study: java_rmi_registry

34

• The RMI Registry is just a remote object provided by Java, so every virtual machine knows its interface.

• Listens on a well known port –  1099/TCP.

Page 35: Abusing Java Remote Interfaces

Case Study: java_rmi_registry

35

msf > use auxiliary/gather/java_rmi_registry
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.131
rhost => 172.16.158.131
msf auxiliary(java_rmi_registry) > run

[*] 172.16.158.131:1099 - Sending RMI Header...
[*] 172.16.158.131:1099 - Listing names in the Registry...
[+] 172.16.158.131:1099 - 1 names found in the Registry
[+] 172.16.158.131:1099 - Name Hello (example.hello.HelloImpl_Stub) found on 172.16.158.131:1175
[*] Auxiliary module execution completed

Page 36: Abusing Java Remote Interfaces

Case Study: java_rmi_server

36

Credits: Michael Schierl @mihi42

http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-arch5.html

“RMI allows parameters, return values and exceptions passed in RMI calls to be any object that is serializable. RMI uses the object serialization mechanism to transmit data from one virtual machine to another and also annotates the call stream with the appropriate location information so that the class definition files can be loaded at the receiver.”

Page 37: Abusing Java Remote Interfaces

Case Study: java_rmi_server

37

Page 38: Abusing Java Remote Interfaces

Case Study: java_rmi_server

38

Page 39: Abusing Java Remote Interfaces

Case Study: java_rmi_server

39

Page 40: Abusing Java Remote Interfaces

Case Study: java_jmx_server

40

Credits: Braden Thomas, http://www.accuvant.com/blog/exploiting-jmx-rmi

msf auxiliary(java_rmi_registry) > set rhost 172.16.158.132
rhost => 172.16.158.132
msf auxiliary(java_rmi_registry) > set rport 1617
rport => 1617
msf auxiliary(java_rmi_registry) > run

[*] 172.16.158.132:1617 - Sending RMI Header...
[*] 172.16.158.132:1617 - Listing names in the Registry...
[+] 172.16.158.132:1617 - 1 names found in the Registry
[+] 172.16.158.132:1617 - Name jmxrmi (javax.management.remote.rmi.RMIServerImpl_Stub) found on 172.16.158.132:1471
[*] Auxiliary module execution completed

Page 41: Abusing Java Remote Interfaces

Case Study: java_jmx_server

41

Page 42: Abusing Java Remote Interfaces

Case Study: java_jmx_server

42

Page 43: Abusing Java Remote Interfaces

Case Study: java_jmx_server

43

Page 44: Abusing Java Remote Interfaces

DEMO

Page 45: Abusing Java Remote Interfaces

Conclusions

45

• Ruby Support on MSF for:

– Java Serialization

– RMI

– Some JMX

No more RAW streams!

Page 46: Abusing Java Remote Interfaces

Conclusions

46

• Lots of examples:

– All the RMI/JMX modules have been ported.

– Specs

– New modules: java_rmi_registry, java_jmx_server

• TODO

– Full Java Serialization support.

– Exploit all the things! PRs are super welcome!

Page 47: Abusing Java Remote Interfaces

QUESTIONS?

THANK YOU!