ISSW 2015
ABUSING JAVA REMOTE INTERFACES
Juan Vazquez
Index
2
• About me
• Motivation
• RMI 101
• Java Object Serialization Protocol
• RMI: Method invocation
• Case Study: java_rmi_registry
• Case Study: java_rmi_server
• Case Study: java_jmx_server
• Conclusions
RMI: Remote Method Invocation
JMX: Java Management Extensions
About me
3
• I’m not a Java developer
• I’m not a Java hacker
• Exploit Developer at Rapid7
– Metasploit-Framework
• My English… sorry!
Motivation
4
• Leon Johnson, awesome pentester at Rapid7, asked about a module for exploiting JMX RMI endpoints.
• Excellent write-up from Braden Thomas:
– http://www.accuvant.com/blog/exploiting-jmx-rmi
Motivation
5
Motivation
6
Motivation
7
RMI 101
8
• Wikipedia says:
“The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.” *
* For a better introduction, the Java specs are more useful, but it’s hard to find 1 summary sentence in the specs :)
RMI 101. Hello World!
9
RMI 101. Hello World!
10
RMI 101. Hello World!
11
RMI 101. Hello World!
12
Server:
C:\rmi_hello_world>start rmiregistry
C:\rmi_hello_world>javac -cp . example\hello\*.java
C:\rmi_hello_world>java -cp . example.hello.Server
Server ready

Client:
C:\rmi_hello_world>javac -cp . example\hello\*.java
C:\rmi_hello_world>java -cp . example.hello.Client 172.16.158.132
response: Hello, world!
RMI 101. RMI Transport Protocol
13 http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
RMI 101. RMI Transport Protocol
14 http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
RMI 101. RMI Transport Protocol
15 http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
RMI 101. RMI Transport Protocol
19
“Call and return data in RMI calls are formatted using the Java Object Serialization Protocol”
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
Java Object Serialization Protocol
20
“The ability to store and retrieve Java™ objects is essential to building all but the most transient applications. The key to storing and retrieving objects in a serialized form is representing the state of objects sufficient to reconstruct the object(s).”
http://docs.oracle.com/javase/7/docs/platform/serialization/spec/serialTOC.html
Warning: If you haven’t fought with Java Serialization before, the specs and the grammar can be confusing…
Java Object Serialization Protocol
21
• Use small programs to get serialized samples.
import java.io.*;

public class NewArrayInts
{
  public static void main(String [] args)
  {
    int[] anArray;
    anArray = new int[2];
    anArray[0] = -20;
    anArray[1] = 0x41;
    try
    {
      FileOutputStream fileOut =
        new FileOutputStream("new_array_ints.ser");
      ObjectOutputStream out = new ObjectOutputStream(fileOut);
      out.writeObject(anArray);
      out.close();
      fileOut.close();
    } catch(IOException i)
    {
      i.printStackTrace();
    }
  }
}
Java Object Serialization Protocol
22
stream:
  magic version contents
contents:
  content
  contents content
content:
  object
  blockdata
object:
  newArray
newArray:
  TC_ARRAY classDesc newHandle <size> values
classDesc:
  newClassDesc
  nullReference
  (ClassDesc)prevObject
newClassDesc:
  TC_CLASSDESC className serialVersionUID newHandle classDescInfo
className:
  (utf)
serialVersionUID:
  (long)
classDescInfo:
  classDescFlags fields classAnnotation superClassDesc
classDescFlags:
  (byte)
fields:
  (short)<count> fieldDesc[count]
classAnnotation:
  endBlockData
  contents endBlockData
superClassDesc:
  classDesc
http://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html#10258
Java Object Serialization Protocol
23
$ hexdump new_array_ints.ser
0000000 ac ed 00 05 75 72 00 02 5b 49 4d ba 60 26 76 ea
0000010 b2 a5 02 00 00 78 70 00 00 00 02 ff ff ff ec 00
0000020 00 00 41

Annotated against the grammar:
STREAM_MAGIC (ac ed)
STREAM_VERSION (00 05)
TC_ARRAY (75)
TC_CLASSDESC (72)
className: [I (00 02 5b 49)
serialVersionUID (4d ba 60 26 76 ea b2 a5)
classDescFlags: SC_SERIALIZABLE (02)
fields count (00 00)
TC_ENDBLOCKDATA (classAnnotation) (78)
TC_NULL (superClassDesc) (70)
(int)<size> (00 00 00 02)
value[0] = -20 (ff ff ff ec)
value[1] = 0x41 (00 00 00 41)

$ serialver [I
[I: static final long serialVersionUID = 5600894804908749477L;
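To see the grammar applied to exactly those bytes, here is a small Ruby decoder for the int[] stream (an added example, not Rex::Java::Serialization or the author's code); it handles only the TC_ARRAY / TC_CLASSDESC path this hexdump uses and rejects anything else.

```ruby
# Minimal Java serialization decoder for the int[] stream above (added example).
# It walks: stream -> magic version contents; newArray -> TC_ARRAY classDesc newHandle <size> values.
require 'stringio'

STREAM_MAGIC    = 0xaced
STREAM_VERSION  = 5
TC_NULL         = 0x70
TC_CLASSDESC    = 0x72
TC_ARRAY        = 0x75
TC_ENDBLOCKDATA = 0x78
SC_SERIALIZABLE = 0x02

# Bytes copied from the hexdump of new_array_ints.ser on this slide.
NEW_ARRAY_INTS_SER = [
  0xac, 0xed, 0x00, 0x05, 0x75, 0x72, 0x00, 0x02, 0x5b, 0x49, 0x4d, 0xba, 0x60, 0x26, 0x76, 0xea,
  0xb2, 0xa5, 0x02, 0x00, 0x00, 0x78, 0x70, 0x00, 0x00, 0x00, 0x02, 0xff, 0xff, 0xff, 0xec, 0x00,
  0x00, 0x00, 0x41
].pack('C*')

# newClassDesc: TC_CLASSDESC className serialVersionUID newHandle classDescInfo
# (newHandle is implicit: it only assigns a back-reference number, no bytes are consumed)
def read_class_desc(io)
  raise 'expected TC_CLASSDESC' unless io.getbyte == TC_CLASSDESC
  name  = io.read(io.read(2).unpack1('n'))  # (utf): 2-byte big-endian length, then the bytes
  suid  = io.read(8).unpack1('q>')          # serialVersionUID: (long), big-endian signed
  flags = io.getbyte                        # classDescFlags: (byte)
  field_count = io.read(2).unpack1('n')     # fields: (short)<count> fieldDesc[count]
  raise 'fieldDesc decoding not handled here' unless field_count.zero?
  raise 'expected TC_ENDBLOCKDATA (classAnnotation)' unless io.getbyte == TC_ENDBLOCKDATA
  raise 'expected TC_NULL (superClassDesc)' unless io.getbyte == TC_NULL
  { name: name, serial_version_uid: suid, serializable: (flags & SC_SERIALIZABLE) != 0 }
end

# stream: magic version contents, where the single content is a newArray of int
def read_int_array(bytes)
  io = StringIO.new(bytes)
  magic, version = io.read(4).unpack('nn')
  raise 'bad STREAM_MAGIC/STREAM_VERSION' unless magic == STREAM_MAGIC && version == STREAM_VERSION
  raise 'expected TC_ARRAY' unless io.getbyte == TC_ARRAY
  desc = read_class_desc(io)
  raise "only int[] ([I) is supported, got #{desc[:name]}" unless desc[:name] == '[I'
  size = io.read(4).unpack1('l>')           # (int)<size>
  { class_desc: desc, values: io.read(4 * size).unpack("l>#{size}") }
end

p read_int_array(NEW_ARRAY_INTS_SER) if __FILE__ == $0
```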
Java Object Serialization Protocol
24
• Also, you have two useful (Java) classes:
– java.io.ObjectOutputStream
– java.io.ObjectInputStream
• Read and debug them!
Java Object Serialization Protocol
25
• Several days later…:
– Rex::Java::Serialization: not full support, but good enough for our purposes.
• Includes modeling for the different entities as described in the Java Serialization Protocol specs/grammar.
• Every object can decode itself from an IO (unserialization) and encode itself (serialization).
• Rex::Java::Serialization::Builder allows easy building of some elements.
– Also: tools/java_deserializer.rb allows inspecting Java serialized streams, zooming into arrays and objects.
Java Object Serialization Protocol
26
$ tools/java_deserializer.rb /tmp/call_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
  BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }
]
@references: [
]
Java Object Serialization Protocol
27
$ tools/java_deserializer.rb /tmp/return_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
  BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
  Utf { Hello, world! }
]
@references: [
  [7e0000] Utf { Hello, world! }
]
Finally…
28
BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
Finally…
29 http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
@contents: [
  BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
  Utf { Hello, world! }
]
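The two BlockData payloads above are the CallData and ReturnData of rmi-protocol4.html. The following Ruby decoder (an added example, not Rex::Proto::Rmi or the author's code) splits them into ObjectNumber, UID, Operation and Hash, and the return-type byte, assuming the field layout given in that spec section.

```ruby
# Decoder for the RMI CallData / ReturnData carried in the BlockData shown above (added example).
# Layout from rmi-protocol4.html:
#   CallData   := ObjectNumber(long) UID Operation(int) Hash(long) Arguments...
#   ReturnData := 0x01 UID Value  (normal return)  |  0x02 UID Exception
#   UID        := unique(int) time(long) count(short)
# The Value/Exception is the next object in the stream (the Utf { Hello, world! } above).

# Bytes copied from the two java_deserializer.rb runs on the previous slides.
CALL_BLOCKDATA = [
  0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c,
  0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37,
  0x24, 0xdf
].pack('C*')
RETURN_BLOCKDATA = [
  0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb
].pack('C*')

UID_SIZE = 4 + 8 + 2

def parse_uid(bytes)
  raise 'UID too short' if bytes.bytesize < UID_SIZE
  unique, time, count = bytes.unpack('l>q>s>')   # all big-endian, signed like Java
  { unique: unique, time: time, count: count }
end

def parse_call_data(bytes)
  raise 'CallData too short' if bytes.bytesize < 8 + UID_SIZE + 4 + 8
  object_number   = bytes.unpack1('q>')
  uid             = parse_uid(bytes[8, UID_SIZE])
  operation, hash = bytes[8 + UID_SIZE, 12].unpack('l>q>')
  { object_number: object_number, uid: uid, operation: operation, hash: hash,
    # Operation -1 means the JDK 1.2 stub protocol: the method is selected by Hash.
    hash_dispatch: operation == -1,
    # Whatever follows Hash is the serialized argument list; here nothing follows.
    arguments: bytes[(8 + UID_SIZE + 12)..] }
end

def parse_return_data(bytes)
  raise 'ReturnData too short' if bytes.bytesize < 1 + UID_SIZE
  kind = { 1 => :normal_return, 2 => :exception }.fetch(bytes.getbyte(0)) { |b| raise "bad ReturnValue type #{b}" }
  { kind: kind, uid: parse_uid(bytes[1, UID_SIZE]) }
end

if __FILE__ == $0
  p parse_call_data(CALL_BLOCKDATA)
  p parse_return_data(RETURN_BLOCKDATA)
end
```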
Finally….
30
• Rex::Proto::Rmi
– Model for the RMI protocol as described in the specs / grammar. Every object can read itself from an IO or write itself into a String.
• Msf::Java::Rmi::Client
– Mixin including the Exploit::Remote::TCP one
– Methods to make RMI calls easier from the modules.
– Also methods to build calls for some common RMI endpoints:
  • Registry
  • JMX Management
RMI Method Invocation
31
• In order to debug RMI calls, let’s understand them a little bit better.
• Use rmic to generate the stubs (v1.2). It’s not needed anymore, since nowadays static stubs are deprecated in favor of dynamic code.
• It will generate a new class, HelloImpl_Stub.class:
rmic -classpath . example.hello.HelloImpl
RMI Method Invocation
32
(Class diagram of the generated stub: HelloImpl_Stub extends java.rmi.server.RemoteStub, which extends java.rmi.server.RemoteObject; RemoteObject holds a java.rmi.server.RemoteRef ref, implemented by sun.rmi.server.UnicastRef. The stub implements example.hello.Hello, which extends java.rmi.Remote.)
RMI Method Invocation
33
Case Study: java_rmi_registry
34
• The RMI Registry is just a remote object provided by Java, so every virtual machine knows its interface.
• Listens on a well known port – 1099/TCP.
Case Study: java_rmi_registry
35
msf > use auxiliary/gather/java_rmi_registry
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.131
rhost => 172.16.158.131
msf auxiliary(java_rmi_registry) > run
[*] 172.16.158.131:1099 - Sending RMI Header...
[*] 172.16.158.131:1099 - Listing names in the Registry...
[+] 172.16.158.131:1099 - 1 names found in the Registry
[+] 172.16.158.131:1099 - Name Hello (example.hello.HelloImpl_Stub) found on 172.16.158.131:1175
[*] Auxiliary module execution completed
Case Study: java_rmi_server
36 Credits: Michael Schierl @mihi42
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-arch5.html
“RMI allows parameters, return values and exceptions passed in RMI calls to be any object that is serializable. RMI uses the object serialization mechanism to transmit data from one virtual machine to another and also annotates the call stream with the appropriate location information so that the class definition files can be loaded at the receiver.”
Case Study: java_rmi_server
37 Credits: Michael Schierl @mihi42
Case Study: java_rmi_server
38 Credits: Michael Schierl @mihi42
Case Study: java_rmi_server
39 Credits: Michael Schierl @mihi42
Case Study: java_jmx_server
40 Credits: Braden Thomas http://www.accuvant.com/blog/exploiting-jmx-rmi
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.132
rhost => 172.16.158.132
msf auxiliary(java_rmi_registry) > set rport 1617
rport => 1617
msf auxiliary(java_rmi_registry) > run
[*] 172.16.158.132:1617 - Sending RMI Header...
[*] 172.16.158.132:1617 - Listing names in the Registry...
[+] 172.16.158.132:1617 - 1 names found in the Registry
[+] 172.16.158.132:1617 - Name jmxrmi (javax.management.remote.rmi.RMIServerImpl_Stub) found on 172.16.158.132:1471
[*] Auxiliary module execution completed
Case Study: java_jmx_server
41 Credits: Braden Thomas http://www.accuvant.com/blog/exploiting-jmx-rmi
Case Study: java_jmx_server
42 Credits: Braden Thomas http://www.accuvant.com/blog/exploiting-jmx-rmi
Case Study: java_jmx_server
43 Credits: Braden Thomas http://www.accuvant.com/blog/exploiting-jmx-rmi
DEMO
Conclusions
45
• Ruby support in MSF for:
– Java Serialization
– RMI
– Some JMX
No more RAW streams!
Conclusions
46
• Lots of examples:
– All the RMI/JMX modules have been ported.
– Specs
– New modules: java_rmi_registry, java_jmx_server
• TODO
– Full Java Serialization support.
– Exploit all the things! PRs are super welcome!
QUESTIONS?
THANK YOU!