module

Java RMI Server Insecure Default Configuration Java Code Execution

Disclosed
10/15/2011
Created
05/30/2018

Description

This module takes advantage of the default configuration of the RMI Registry and
RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it
invokes a method in the RMI Distributed Garbage Collector which is available via every
RMI endpoint, it can be used against both rmiregistry and rmid, and against most other
(custom) RMI endpoints as well.

Note that it does not work against Java Management Extension (JMX) ports since those do
not support remote class loading, unless another RMI endpoint is active in the same
Java process.

RMI method calls do not support or require any sort of authentication.

Author

mihi

Platform

Java,Linux,OSX,Solaris,Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

    msf > use exploit/multi/misc/java_rmi_server
    msf /(r) > show actions
        ...actions...
    msf /(r) > set ACTION < action-name >
    msf /(r) > show options
        ...show and set options...
    msf /(r) > run
  
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.