1.7 KiB
1098/1099 - Pentesting Java RMI
Basic Information
The Java Remote Method Invocation, or Java RMI, is a mechanism that allows an object that exists in one Java virtual machine to access and call methods that are contained in another Java virtual machine; This is basically the same thing as a remote procedure call, but in an object-oriented paradigm instead of a procedural one, which allows for communication between Java programs that are not in the same address space.
One of the major advantages of RMI is the ability for remote objects to load new classes that aren't explicitly defined already, extending the behavior and functionality of an application.
From here.
Default port: 1099, 1098
PORT STATE SERVICE REASON
1099/tcp open rmiregistry syn-ack
Enumeration
The default configuration of rmiregistryallows loading classes from remote URLs, which can lead to remote code execution.
Basically this service could allow you to execute code.
msf> use auxiliary/scanner/misc/java_rmi_server
msf> use auxiliary/gather/java_rmi_registry
nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p <PORT> <IP>
RMI methods enumeration
https://github.com/BishopFox/rmiscout to explore and try to find RCE vulnerabilities.
https://github.com/NickstaDB/BaRMIe to enumerate and attack
Reverse Shell
MSF
msf> use exploit/multi/browser/java_rmi_connection_impl