sempervictus
diff --git a/‎lib/msf/core.rb
Lines changed: 0 additions & 4 deletions b/‎lib/msf/core.rb
Lines changed: 0 additions & 4 deletions
diff --git a/‎lib/msf/core/exploit/java.rb
Lines changed: 2 additions & 0 deletions b/‎lib/msf/core/exploit/java.rb
Lines changed: 2 additions & 0 deletions
diff --git a/‎lib/msf/core/exploit/java/rmi/builder.rb
Lines changed: 101 additions & 0 deletions b/‎lib/msf/core/exploit/java/rmi/builder.rb
Lines changed: 101 additions & 0 deletions
diff --git a/‎lib/msf/core/exploit/java/rmi/client.rb
Lines changed: 168 additions & 0 deletions b/‎lib/msf/core/exploit/java/rmi/client.rb
Lines changed: 168 additions & 0 deletions
diff --git a/‎lib/msf/core/exploit/java/rmi/client/jmx.rb
Lines changed: 27 additions & 0 deletions b/‎lib/msf/core/exploit/java/rmi/client/jmx.rb
Lines changed: 27 additions & 0 deletions
@@ -75,10 +75,6 @@ module Msf
 # Kerberos Support
 require 'msf/kerberos/client'
 
-# Java RMI Support
-require 'msf/java/rmi/util'
-require 'msf/java/rmi/client'
-
 # Drivers
 require 'msf/core/exploit_driver'
 
@@ -14,6 +14,8 @@
 ###
 
 require 'msf/core'
+require 'msf/core/exploit/java/rmi/util'
+require 'msf/core/exploit/java/rmi/client'
 
 module Msf
 module Exploit::Java
 
@@ -0,0 +1,101 @@
+# -*- coding: binary -*-
+
+require 'rex/java/serialization'
+
+module Msf
+  class Exploit
+    class Remote
+      module Java
+        module Rmi
+          module Builder
+            # Builds a RMI header stream
+            #
+            # @param opts [Hash{Symbol => <String, Fixnum>}]
+            # @option opts [String] :signature
+            # @option opts [Fixnum] :version
+            # @option opts [Fixnum] :protocol
+            # @return [Rex::Proto::Rmi::Model::OutputHeader]
+            def build_header(opts = {})
+              signature = opts[:signature] || Rex::Proto::Rmi::Model::SIGNATURE
+              version = opts[:version] || 2
+              protocol = opts[:protocol] || Rex::Proto::Rmi::Model::STREAM_PROTOCOL
+
+              header = Rex::Proto::Rmi::Model::OutputHeader.new(
+                  signature: signature,
+                  version: version,
+                  protocol: protocol)
+
+              header
+            end
+
+            # Builds a RMI call stream
+            #
+            # @param opts [Hash{Symbol => <Fixnum, Array>}]
+            # @option opts [Fixnum] :message_id
+            # @option opts [Fixnum] :object_number Random to identify the object.
+            # @option opts [Fixnum] :uid_number Identifies the VM where the object was generated.
+            # @option opts [Fixnum] :uid_time Time where the object was generated.
+            # @option opts [Fixnum] :uid_count Identifies different instance of the same object generated from the same VM
+            #   at the same time.
+            # @option opts [Fixnum] :operation On JDK 1.1 stub protocol the operation index in the interface. On JDK 1.2
+            #   it is -1.
+            # @option opts [Fixnum] :hash On JDK 1.1 stub protocol the stub's interface hash. On JDK1.2 is a hash
+            #   representing the method to call.
+            # @option opts [Array] :arguments
+            # @return [Rex::Proto::Rmi::Model::Call]
+            def build_call(opts = {})
+              message_id = opts[:message_id] || Rex::Proto::Rmi::Model::CALL_MESSAGE
+              object_number = opts[:object_number] || 0
+              uid_number = opts[:uid_number] || 0
+              uid_time = opts[:uid_time] ||  0
+              uid_count = opts[:uid_count] || 0
+              operation = opts[:operation] || -1
+              hash = opts[:hash] || 0
+              arguments = opts[:arguments] || []
+
+              uid = Rex::Proto::Rmi::Model::UniqueIdentifier.new(
+                number: uid_number,
+                time: uid_time,
+                count: uid_count
+              )
+
+              call_data = Rex::Proto::Rmi::Model::CallData.new(
+                object_number: object_number,
+                uid: uid,
+                operation: operation,
+                hash: hash,
+                arguments: arguments
+              )
+
+              call = Rex::Proto::Rmi::Model::Call.new(
+                message_id: message_id,
+                call_data: call_data
+              )
+
+              call
+            end
+
+            # Builds a RMI dgc ack stream
+            #
+            # @param opts [Hash{Symbol => <Fixnum, String>}]
+            # @option opts [Fixnum] :stream_id
+            # @option opts [String] :unique_identifier
+            # @return [Rex::Proto::Rmi::Model::DgcAck]
+            def build_dgc_ack(opts = {})
+              stream_id = opts[:stream_id] || Rex::Proto::Rmi::Model::DGC_ACK_MESSAGE
+              unique_identifier = opts[:unique_identifier] || "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+
+              dgc_ack = Rex::Proto::Rmi::Model::DgcAck.new(
+                  stream_id: stream_id,
+                  unique_identifier: unique_identifier
+              )
+
+              dgc_ack
+            end
+
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,168 @@
+# -*- coding: binary -*-
+require 'rex/proto/rmi'
+require 'rex/java/serialization'
+require 'stringio'
+require 'msf/core/exploit/java/rmi/util'
+require 'msf/core/exploit/java/rmi/builder'
+require 'msf/core/exploit/java/rmi/client/registry'
+require 'msf/core/exploit/java/rmi/client/jmx'
+
+module Msf
+  class Exploit
+    class Remote
+      module Java
+        module Rmi
+          module Client
+
+            include Msf::Exploit::Remote::Java::Rmi::Util
+            include Msf::Exploit::Remote::Java::Rmi::Builder
+            include Msf::Exploit::Remote::Java::Rmi::Client::Registry
+            include Msf::Exploit::Remote::Java::Rmi::Client::Jmx
+            include Msf::Exploit::Remote::Tcp
+
+            def initialize(info = {})
+              super
+
+              register_advanced_options(
+                [
+                  OptInt.new('RmiReadLoopTimeout', [ true, 'Maximum number of seconds to wait for data between read iterations', 1])
+                ], Msf::Exploit::Remote::Java::Rmi::Client
+              )
+            end
+
+            # Returns the timeout to wait for data between read iterations
+            #
+            # @return [Fixnum]
+            def read_loop_timeout
+              datastore['RmiReadLoopTimeout'] || 1
+            end
+
+            # Returns the target host
+            #
+            # @return [String]
+            def rhost
+              datastore['RHOST']
+            end
+
+            # Returns the target port
+            #
+            # @return [Fixnum]
+            def rport
+              datastore['RPORT']
+            end
+
+            # Returns the RMI server peer
+            #
+            # @return [String]
+            def peer
+              "#{rhost}:#{rport}"
+            end
+
+            # Sends a RMI header stream
+            #
+            # @param opts [Hash]
+            # @option opts [Rex::Socket::Tcp] :sock
+            # @return [Fixnum] the number of bytes sent
+            # @see Msf::Rmi::Client::Streams#build_header
+            def send_header(opts = {})
+              nsock = opts[:sock] || sock
+              stream = build_header(opts)
+              nsock.put(stream.encode + "\x00\x00\x00\x00\x00\x00")
+            end
+
+            # Sends a RMI CALL stream
+            #
+            # @param opts [Hash]
+            # @option opts [Rex::Socket::Tcp] :sock
+            # @option opts [Rex::Proto::Rmi::Model::Call] :call
+            # @return [Fixnum] the number of bytes sent
+            # @see Msf::Rmi::Client::Streams#build_call
+            def send_call(opts = {})
+              nsock = opts[:sock] || sock
+              call = opts[:call] || build_call(opts)
+              nsock.put(call.encode)
+            end
+
+            # Sends a RMI DGCACK stream
+            #
+            # @param opts [Hash]
+            # @option opts [Rex::Socket::Tcp] :sock
+            # @return [Fixnum] the number of bytes sent
+            # @see Msf::Rmi::Client::Streams#build_dgc_ack
+            def send_dgc_ack(opts = {})
+              nsock = opts[:sock] || sock
+              stream = build_dgc_ack(opts)
+              nsock.put(stream.encode)
+            end
+
+            # Reads the Protocol Ack
+            #
+            # @param opts [Hash]
+            # @option opts [Rex::Socket::Tcp] :sock
+            # @return [Rex::Proto::Rmi::Model::ProtocolAck] if success
+            # @return [NilClass] otherwise
+            # @see Rex::Proto::Rmi::Model::ProtocolAck.decode
+            def recv_protocol_ack(opts = {})
+              nsock = opts[:sock] || sock
+              data = safe_get_once(nsock)
+              begin
+                ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(data))
+              rescue Rex::Proto::Rmi::DecodeError
+                return nil
+              end
+
+              ack
+            end
+
+            # Reads a ReturnData message and returns the java serialized stream
+            # with the return data value.
+            #
+            # @param opts [Hash]
+            # @option opts [Rex::Socket::Tcp] :sock
+            # @return [Rex::Proto::Rmi::Model::ReturnValue] if success
+            # @return [NilClass] otherwise
+            # @see Rex::Proto::Rmi::Model::ReturnData.decode
+            def recv_return(opts = {})
+              nsock = opts[:sock] || sock
+              data = safe_get_once(nsock)
+
+              begin
+                return_data = Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(data))
+              rescue Rex::Proto::Rmi::DecodeError
+                return nil
+              end
+
+              return_data.return_value
+            end
+
+            # Helper method to read fragmented data from a ```Rex::Socket::Tcp```
+            #
+            # @param nsock [Rex::Socket::Tcp]
+            # @return [String]
+            def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
+              data = ''
+              begin
+                res = nsock.get_once
+              rescue ::EOFError
+                res = nil
+              end
+
+              while res && nsock.has_read_data?(loop_timeout)
+                data << res
+                begin
+                  res = nsock.get_once
+                rescue ::EOFError
+                  res = nil
+                end
+              end
+
+              data << res if res
+              data
+            end
+          end
+
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+require 'msf/core/exploit/java/rmi/client/jmx/server'
+require 'msf/core/exploit/java/rmi/client/jmx/connection'
+
+module Msf
+  class Exploit
+    class Remote
+      module Java
+        module Rmi
+          module Client
+            module Jmx
+
+              include Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Server
+              include Msf::Exploit::Remote::Java::Rmi::Client::Jmx::Connection
+
+              OBJECT_NAME_UID = 1081892073854801359
+              BYTE_ARRAY_UID = -5984413125824719648
+              MARSHALLED_OBJECT_UID = 8988374069173025854
+              STRING_ARRAY_UID = -5921575005990323385
+              OBJECT_ARRAY_UID = -8012369246846506644
+            end
+          end
+        end
+      end
+    end
+  end
+end