Land rapid7#9413, Expand the number of class names searched when checking for an exploitable JMX server

busterb · busterb · commit d1569f82805d · 2018-01-22T16:49:01.000-06:00
diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb
@@ -193,10 +193,22 @@ def is_rmi?
   end
 
   def discover_endpoint
+    rmi_classes_and_interfaces = [
+      'javax.management.remote.rmi.RMIConnectionImpl',
+      'javax.management.remote.rmi.RMIConnectionImpl_Stub',
+      'javax.management.remote.rmi.RMIConnector',
+      'javax.management.remote.rmi.RMIConnectorServer',
+      'javax.management.remote.rmi.RMIIIOPServerImpl',
+      'javax.management.remote.rmi.RMIJRMPServerImpl',
+      'javax.management.remote.rmi.RMIServerImpl',
+      'javax.management.remote.rmi.RMIServerImpl_Stub',
+      'javax.management.remote.rmi.RMIConnection',
+      'javax.management.remote.rmi.RMIServer'
+    ]
     ref = send_registry_lookup(name: datastore['JMXRMI'])
     return nil if ref.nil?
 
-    unless ref[:object] == 'javax.management.remote.rmi.RMIServerImpl_Stub'
+    unless rmi_classes_and_interfaces.include? ref[:object]
       vprint_error("JMXRMI discovery returned unexpected object #{ref[:object]}")
       return nil
     end
