{"id":315,"date":"2014-06-30T21:57:27","date_gmt":"2014-06-30T21:57:27","guid":{"rendered":"http:\/\/www.hackwhackandsmack.com\/?p=315"},"modified":"2014-07-11T11:22:12","modified_gmt":"2014-07-11T11:22:12","slug":"javarmi-remote-class-loading-exploitation-with-av-bypass","status":"publish","type":"post","link":"https:\/\/www.hackwhackandsmack.com\/?p=315","title":{"rendered":"JavaRMI Remote Class Loading Exploitation with AV Bypass"},"content":{"rendered":"<p>Hi folks,<\/p>\n<p>For some time now I have been finding\u00a0the Java RMI\u00a0remote class loading vulnerability and have been very suceesful with metasploit, however recently I have had Anti-Virus (AV) pick this up. While this is not a standard executable my usual AV bypass techniques were useless so I had to expand my research. For those who don&#8217;t know, Java Remote Method Invocation (RMI) services are used within applications to allow Java objects to be used from a remote location without the use of any authentication. If a client invokes a remote method to be called, the client would pass all the information in the form of a Java Object to the RMI service for this to then be executed.<\/p>\n<p>When passing the Object the client can also specify a Class Loader which specifies where the Java code for manipulating the Object can be found, this is typically a URL to a Jar file. Without authentication or verification, the server then downloads the Java object and executes it under the same permissions as the Java RMI service (usually SYSTEM).<\/p>\n<p>As a pentester you can take advantage of this RMI service to load and execute Java code on the system.\u00a0This can all be done using metasploit just search for java_rmi. Anyway I am more interested in the times if fails because of Anti-Virus. To get around this I had to decompile the Payload.class file from within metasploit and make some fundamental changes as seen below.<\/p>\n<p><strong>cd\u00a0\/usr\/share\/metasploit-framework\/data\/java\/metasploit\/<br \/>\ncp Payload.class Payload-backup.class<br \/>\njad Payload.class<\/strong><br \/>\n<strong>sed -i &#8216;s\/spawn\/runme\/&#8217; Payload.jad<\/strong><br \/>\n<strong>mv Payload.jad Payload.java<\/strong><br \/>\n<strong>javac Payload.java<\/strong><\/p>\n<p>Once I did this I could successfully exploit this again. One thing to note is that I was using the Java target so you end up with a Java meterpreter shell to which you can escalate into a normal Meterpreter after.<\/p>\n<p><a href=\"http:\/\/www.hackwhackandsmack.com\/wp-content\/uploads\/2014\/06\/javarmi.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone  wp-image-317\" src=\"http:\/\/www.hackwhackandsmack.com\/wp-content\/uploads\/2014\/06\/javarmi.png\" alt=\"javarmi\" width=\"899\" height=\"513\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>There are probably better Java obfuscation techniques that may have done this easier so any comments would be appreciated.<\/p>\n<p>Cheers \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi folks, For some time now I have been finding\u00a0the Java RMI\u00a0remote class loading vulnerability and have been very suceesful with metasploit, however recently I have had Anti-Virus (AV) pick this up. While this is not a standard executable my usual AV bypass techniques were useless so I had to expand my research. For those&hellip; <a class=\"more-link\" href=\"https:\/\/www.hackwhackandsmack.com\/?p=315\">Continue reading <span class=\"screen-reader-text\">JavaRMI Remote Class Loading Exploitation with AV Bypass<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/315"}],"collection":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=315"}],"version-history":[{"count":3,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/315\/revisions"}],"predecessor-version":[{"id":351,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/315\/revisions\/351"}],"wp:attachment":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}