Hi folks,
For some time now I have been finding the Java RMI remote class loading vulnerability and have been very suceesful with metasploit, however recently I have had Anti-Virus (AV) pick this up. While this is not a standard executable my usual AV bypass techniques were useless so I had to expand my research. For those who don’t know, Java Remote Method Invocation (RMI) services are used within applications to allow Java objects to be used from a remote location without the use of any authentication. If a client invokes a remote method to be called, the client would pass all the information in the form of a Java Object to the RMI service for this to then be executed.
When passing the Object the client can also specify a Class Loader which specifies where the Java code for manipulating the Object can be found, this is typically a URL to a Jar file. Without authentication or verification, the server then downloads the Java object and executes it under the same permissions as the Java RMI service (usually SYSTEM).
As a pentester you can take advantage of this RMI service to load and execute Java code on the system. This can all be done using metasploit just search for java_rmi. Anyway I am more interested in the times if fails because of Anti-Virus. To get around this I had to decompile the Payload.class file from within metasploit and make some fundamental changes as seen below.
cd /usr/share/metasploit-framework/data/java/metasploit/
cp Payload.class Payload-backup.class
jad Payload.class
sed -i ‘s/spawn/runme/’ Payload.jad
mv Payload.jad Payload.java
javac Payload.java
Once I did this I could successfully exploit this again. One thing to note is that I was using the Java target so you end up with a Java meterpreter shell to which you can escalate into a normal Meterpreter after.
There are probably better Java obfuscation techniques that may have done this easier so any comments would be appreciated.
Cheers 🙂