diff options
Diffstat (limited to 'scripts/rmi-dumpregistry.nse')
-rw-r--r-- | scripts/rmi-dumpregistry.nse | 234 |
1 files changed, 234 insertions, 0 deletions
diff --git a/scripts/rmi-dumpregistry.nse b/scripts/rmi-dumpregistry.nse new file mode 100644 index 0000000..e7ae039 --- /dev/null +++ b/scripts/rmi-dumpregistry.nse @@ -0,0 +1,234 @@ +local rmi = require "rmi" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local table = require "table" + +description = [[ +Connects to a remote RMI registry and attempts to dump all of its +objects. + +First it tries to determine the names of all objects bound in the +registry, and then it tries to determine information about the +objects, such as the the class names of the superclasses and +interfaces. This may, depending on what the registry is used for, give +valuable information about the service. E.g, if the app uses JMX (Java +Management eXtensions), you should see an object called "jmxconnector" +on it. + +It also gives information about where the objects are located, (marked +with @<ip>:port in the output). + +Some apps give away the classpath, which this scripts catches in +so-called "Custom data". +]] + +--- +-- @usage nmap --script rmi-dumpregistry -p 1098 <host> +-- @output +-- PORT STATE SERVICE REASON +-- 1099/tcp open rmiregistry syn-ack +-- | rmi-dumpregistry: +-- | jmxrmi +-- | javax.management.remote.rmi.RMIServerImpl_Stub +-- | @127.0.1.1:40353 +-- | extends +-- | java.rmi.server.RemoteStub +-- | extends +-- |_ java.rmi.server.RemoteObject +-- +-- @output +-- PORT STATE SERVICE REASON +-- 1099/tcp open rmiregistry syn-ack +-- | rmi-dumpregistry: +-- | cfassembler/default +-- | coldfusion.flex.rmi.DataServicesCFProxyServer_Stub +-- | @192.168.0.3:1271 +-- | extends +-- | java.rmi.server.RemoteStub +-- | extends +-- | java.rmi.server.RemoteObject +-- | Custom data +-- | Classpath +-- | file:/C:/CFusionMX7/runtime/../lib/ant-launcher.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ant.jar +-- | file:/C:/CFusionMX7/runtime/../lib/axis.jar +-- | file:/C:/CFusionMX7/runtime/../lib/backport-util-concurrent.jar +-- | file:/C:/CFusionMX7/runtime/../lib/bcel.jar +-- | file:/C:/CFusionMX7/runtime/../lib/cdo.jar +-- | file:/C:/CFusionMX7/runtime/../lib/cdohost.jar +-- | file:/C:/CFusionMX7/runtime/../lib/cf4was.jar +-- | file:/C:/CFusionMX7/runtime/../lib/cf4was_ae.jar +-- | file:/C:/CFusionMX7/runtime/../lib/cfmx-ssl.jar +-- | file:/C:/CFusionMX7/runtime/../lib/cfusion.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-beanutils-1.5.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-collections-2.1.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.3.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-digester-1.7.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-discovery-0.2.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-discovery.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-logging-1.0.2.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-logging-api-1.0.2.jar +-- | file:/C:/CFusionMX7/runtime/../lib/commons-net-1.2.2.jar +-- | file:/C:/CFusionMX7/runtime/../lib/crystal.jar +-- | file:/C:/CFusionMX7/runtime/../lib/flashgateway.jar +-- | file:/C:/CFusionMX7/runtime/../lib/flashremoting_update.jar +-- | file:/C:/CFusionMX7/runtime/../lib/flex-assemblerservice.jar +-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-common.jar +-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-opt.jar +-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging-req.jar +-- | file:/C:/CFusionMX7/runtime/../lib/flex-messaging.jar +-- | file:/C:/CFusionMX7/runtime/../lib/httpclient.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ib61patch.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ib6addonpatch.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ib6core.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ib6swing.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ib6util.jar +-- | file:/C:/CFusionMX7/runtime/../lib/im.jar +-- | file:/C:/CFusionMX7/runtime/../lib/iText.jar +-- | file:/C:/CFusionMX7/runtime/../lib/iTextAsian.jar +-- | file:/C:/CFusionMX7/runtime/../lib/izmado.jar +-- | file:/C:/CFusionMX7/runtime/../lib/jakarta-oro-2.0.6.jar +-- | file:/C:/CFusionMX7/runtime/../lib/java2wsdl.jar +-- | file:/C:/CFusionMX7/runtime/../lib/jaxrpc.jar +-- | file:/C:/CFusionMX7/runtime/../lib/jdom.jar +-- | file:/C:/CFusionMX7/runtime/../lib/jeb.jar +-- | file:/C:/CFusionMX7/runtime/../lib/jintegra.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ldap.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ldapbp.jar +-- | file:/C:/CFusionMX7/runtime/../lib/log4j.jar +-- | file:/C:/CFusionMX7/runtime/../lib/macromedia_drivers.jar +-- | file:/C:/CFusionMX7/runtime/../lib/mail.jar +-- | file:/C:/CFusionMX7/runtime/../lib/msapps.jar +-- | file:/C:/CFusionMX7/runtime/../lib/pbclient42RE.jar +-- | file:/C:/CFusionMX7/runtime/../lib/pbembedded42RE.jar +-- | file:/C:/CFusionMX7/runtime/../lib/pbserver42RE.jar +-- | file:/C:/CFusionMX7/runtime/../lib/pbtools42RE.jar +-- | file:/C:/CFusionMX7/runtime/../lib/poi-2.5.1-final-20040804.jar +-- | file:/C:/CFusionMX7/runtime/../lib/poi-contrib-2.5.1-final-20040804.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ri_generic.jar +-- | file:/C:/CFusionMX7/runtime/../lib/saaj.jar +-- | file:/C:/CFusionMX7/runtime/../lib/smack.jar +-- | file:/C:/CFusionMX7/runtime/../lib/smpp.jar +-- | file:/C:/CFusionMX7/runtime/../lib/STComm.jar +-- | file:/C:/CFusionMX7/runtime/../lib/tools.jar +-- | file:/C:/CFusionMX7/runtime/../lib/tt-bytecode.jar +-- | file:/C:/CFusionMX7/runtime/../lib/vadmin.jar +-- | file:/C:/CFusionMX7/runtime/../lib/verity.jar +-- | file:/C:/CFusionMX7/runtime/../lib/vparametric.jar +-- | file:/C:/CFusionMX7/runtime/../lib/vsearch.jar +-- | file:/C:/CFusionMX7/runtime/../lib/wc50.jar +-- | file:/C:/CFusionMX7/runtime/../lib/webchartsJava2D.jar +-- | file:/C:/CFusionMX7/runtime/../lib/wsdl2java.jar +-- | file:/C:/CFusionMX7/runtime/../lib/wsdl4j-1.5.1.jar +-- | file:/C:/CFusionMX7/runtime/../lib/wsdl4j.jar +-- | file:/C:/CFusionMX7/runtime/../lib/xalan.jar +-- | file:/C:/CFusionMX7/runtime/../lib/xercesImpl.jar +-- | file:/C:/CFusionMX7/runtime/../lib/xml-apis.jar +-- | file:/C:/CFusionMX7/runtime/../lib/ +-- | file:/C:/CFusionMX7/runtime/../gateway/lib/examples.jar +-- | file:/C:/CFusionMX7/runtime/../gateway/lib/ +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-awt-util.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-css.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-ext.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-transcoder.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/batik-util.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-discovery.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/commons-logging.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/concurrent.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/flex.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jakarta-oro-2.0.7.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jcert.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jnet.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/jsse.jar +-- | file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/oscache.jar +-- |_ file:/C:/CFusionMX7/runtime/../wwwroot/WEB-INF/cfform/jars/ +-- +-- +--@version 0.5 + +author = "Martin Holst Swende" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"default", "discovery", "safe"} + +portrule = shortport.port_or_service({1098, 1099, 1090, 8901, 8902, 8903}, {"java-rmi", "rmiregistry"}) + +-- Some lazy shortcuts + +local function dbg(str,...) + stdnse.debug3("RMI-DUMPREG:"..str, ...) +end + +local function dbg_err(str, ... ) + stdnse.debug1("RMI-DUMPREG-ERR:"..str, ...) +end + +-- Function to split a string +local function split(str, sep) + local sep, fields = sep or "; ", {} + local pattern = string.format("([^%s]+)", sep) + str:gsub(pattern, function(c) fields[#fields+1] = c end) + return fields +end + +---This is a customData formatter. In some cases, the RMI library finds "custom +-- data" that belongs to an object. This data is not handled correctly; it is +-- instead dumped into the object's customData field (which is a table with +-- strings). +-- The RMI library does not do anything more than that. However, here, in the +-- land of rmi-dumpregistry, we may have more knowledge about how to interpret +-- that data. For example, coldfusion.flex.rmi.DataServicesCFProxyServer_Stub +-- discloses the classpath in this variable. +-- This method looks at the contents of the custom data and if it looks like +-- a class path, we display it as such. This method is passed to the toTable() +-- method of the returned RMI object. +-- @return title, data +function customDataFormatter(className, customData) + if customData == nil then return nil end + if #customData == 0 then return nil end + + local retData = {} + for k,v in ipairs(customData) do + if v:find("file:/") == 1 then + -- This is a classpath + local cp = split(v, "; ") -- Splits into table + table.insert(retData, "Classpath") + table.insert(retData, cp) + else + table.insert(retData[v]) + end + end + + return "Custom data", retData +end + + +function action(host,port, args) + local registry = rmi.Registry:new( host, port ) + + local status, j_array = registry:list() + local output = {} + if not status then + table.insert(output, ("Registry listing failed (%s)"):format(tostring(j_array))) + return stdnse.format_output(false, output) + end + + -- Monkey patch the java-class in rmi, to set our own custom data formatter + -- for classpaths + rmi.JavaClass.customDataFormatter = customDataFormatter + + -- We expect an array of strings to be the return data + local data = j_array:getValues() + for i,name in ipairs( data ) do + --print(data) + table.insert(output, name) + dbg("Querying object %s", name) + local status, j_object = registry:lookup(name) + + if status then + table.insert(output, j_object:toTable()) + end + end + + return stdnse.format_output(true, output) +end |