summaryrefslogtreecommitdiffstats
path: root/scripts/rmi-dumpregistry.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/rmi-dumpregistry.nse')
-rw-r--r--scripts/rmi-dumpregistry.nse234
1 files changed, 234 insertions, 0 deletions
diff --git a/scripts/rmi-dumpregistry.nse b/scripts/rmi-dumpregistry.nse
new file mode 100644
index 0000000..e7ae039
--- /dev/null
+++ b/scripts/rmi-dumpregistry.nse
@@ -0,0 +1,234 @@
+local rmi = require "rmi"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+description = [[
+Connects to a remote RMI registry and attempts to dump all of its
+objects.
+
+First it tries to determine the names of all objects bound in the
+registry, and then it tries to determine information about the
+objects, such as the the class names of the superclasses and
+interfaces. This may, depending on what the registry is used for, give
+valuable information about the service. E.g, if the app uses JMX (Java
+Management eXtensions), you should see an object called "jmxconnector"
+on it.
+
+It also gives information about where the objects are located, (marked
+with @<ip>:port in the output).
+
+Some apps give away the classpath, which this scripts catches in
+so-called "Custom data".
+]]
+
+---
+-- @usage nmap --script rmi-dumpregistry -p 1098 <host>
+-- @output
+-- PORT STATE SERVICE REASON
+-- 1099/tcp open rmiregistry syn-ack
+-- | rmi-dumpregistry:
+-- | jmxrmi
+-- | javax.management.remote.rmi.RMIServerImpl_Stub
+-- | @127.0.1.1:40353
+-- | extends
+-- | java.rmi.server.RemoteStub
+-- | extends
+-- |_ java.rmi.server.RemoteObject
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 1099/tcp open rmiregistry syn-ack
+-- | rmi-dumpregistry:
+-- | cfassembler/default
+-- | coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
+-- | @192.168.0.3:1271
+-- | extends
+-- | java.rmi.server.RemoteStub
+-- | extends
+-- | java.rmi.server.RemoteObject
+-- | Custom data
+-- | Classpath
+-- | file:/C:/CFusionMX7/runtime/../lib/ant-launcher.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ant.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/axis.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/backport-util-concurrent.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/bcel.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/cdo.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/cdohost.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/cf4was.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/cf4was_ae.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/cfmx-ssl.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/cfusion.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-beanutils-1.5.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-collections-2.1.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.3.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.7.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-discovery-0.2.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-discovery.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-logging-1.0.2.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-logging-api-1.0.2.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/commons-net-1.2.2.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/crystal.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/flashgateway.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/flashremoting_update.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/flex-assemblerservice.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-common.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-opt.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-req.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/httpclient.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ib61patch.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ib6addonpatch.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ib6core.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ib6swing.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ib6util.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/im.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/iText.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/iTextAsian.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/izmado.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/jakarta-oro-2.0.6.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/java2wsdl.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/jaxrpc.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/jdom.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/jeb.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/jintegra.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ldap.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ldapbp.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/log4j.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/macromedia_drivers.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/mail.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/msapps.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/pbclient42RE.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/pbembedded42RE.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/pbserver42RE.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/pbtools42RE.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/poi-2.5.1-final-20040804.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/poi-contrib-2.5.1-final-20040804.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/ri_generic.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/saaj.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/smack.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/smpp.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/STComm.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/tools.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/tt-bytecode.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/vadmin.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/verity.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/vparametric.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/vsearch.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/wc50.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/webchartsJava2D.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/wsdl2java.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/wsdl4j-1.5.1.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/wsdl4j.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/xalan.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/xercesImpl.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/xml-apis.jar
+-- | file:/C:/CFusionMX7/runtime/../lib/
+-- | file:/C:/CFusionMX7/runtime/../gateway/lib/examples.jar
+-- | file:/C:/CFusionMX7/runtime/../gateway/lib/
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-awt-util.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-css.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-ext.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-transcoder.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-util.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-discovery.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-logging.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/concurrent.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/flex.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jakarta-oro-2.0.7.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jcert.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jnet.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jsse.jar
+-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/oscache.jar
+-- |_ file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/
+--
+--
+--@version 0.5
+
+author = "Martin Holst Swende"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+portrule = shortport.port_or_service({1098, 1099, 1090, 8901, 8902, 8903}, {"java-rmi", "rmiregistry"})
+
+-- Some lazy shortcuts
+
+local function dbg(str,...)
+ stdnse.debug3("RMI-DUMPREG:"..str, ...)
+end
+
+local function dbg_err(str, ... )
+ stdnse.debug1("RMI-DUMPREG-ERR:"..str, ...)
+end
+
+-- Function to split a string
+local function split(str, sep)
+ local sep, fields = sep or "; ", {}
+ local pattern = string.format("([^%s]+)", sep)
+ str:gsub(pattern, function(c) fields[#fields+1] = c end)
+ return fields
+end
+
+---This is a customData formatter. In some cases, the RMI library finds "custom
+-- data" that belongs to an object. This data is not handled correctly; it is
+-- instead dumped into the object's customData field (which is a table with
+-- strings).
+-- The RMI library does not do anything more than that. However, here, in the
+-- land of rmi-dumpregistry, we may have more knowledge about how to interpret
+-- that data. For example, coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
+-- discloses the classpath in this variable.
+-- This method looks at the contents of the custom data and if it looks like
+-- a class path, we display it as such. This method is passed to the toTable()
+-- method of the returned RMI object.
+-- @return title, data
+function customDataFormatter(className, customData)
+ if customData == nil then return nil end
+ if #customData == 0 then return nil end
+
+ local retData = {}
+ for k,v in ipairs(customData) do
+ if v:find("file:/") == 1 then
+ -- This is a classpath
+ local cp = split(v, "; ") -- Splits into table
+ table.insert(retData, "Classpath")
+ table.insert(retData, cp)
+ else
+ table.insert(retData[v])
+ end
+ end
+
+ return "Custom data", retData
+end
+
+
+function action(host,port, args)
+ local registry = rmi.Registry:new( host, port )
+
+ local status, j_array = registry:list()
+ local output = {}
+ if not status then
+ table.insert(output, ("Registry listing failed (%s)"):format(tostring(j_array)))
+ return stdnse.format_output(false, output)
+ end
+
+ -- Monkey patch the java-class in rmi, to set our own custom data formatter
+ -- for classpaths
+ rmi.JavaClass.customDataFormatter = customDataFormatter
+
+ -- We expect an array of strings to be the return data
+ local data = j_array:getValues()
+ for i,name in ipairs( data ) do
+ --print(data)
+ table.insert(output, name)
+ dbg("Querying object %s", name)
+ local status, j_object = registry:lookup(name)
+
+ if status then
+ table.insert(output, j_object:toTable())
+ end
+ end
+
+ return stdnse.format_output(true, output)
+end
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-12 14:10:42 +0000