Nmap rmi-vuln-classloader NSE Script


This page contains detailed information about how to use the rmi-vuln-classloader NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/rmi-vuln-classloader.nse
Script categories: intrusive, vuln
Target service / protocol: java-rmi, rmiregistry
Target network port(s): 1098, 1099, 1090, 8901, 8902, 8903
List of CVEs: -

Script Description


The rmi-vuln-classloader.nse script tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature.

Based on the original Metasploit module by mihi.

References:

Rmi-vuln-classloader NSE Script Arguments


This is a full list of arguments supported by the rmi-vuln-classloader.nse script:

vulns.short

If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.

vulns.showall

If set, the library will show and report all registered vulnerabilities, including the NOT VULNERABLE ones. By default the library reports only the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions: vulns.Report.make_output(), the default output function for portrule/hostrule scripts; vulns.make_output(), the default output function for postrule scripts; and the vulns.format_vuln() and vulns.format_vuln_table() functions.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=rmi-vuln-classloader --script-args vulns.short=value,vulns.showall=value <target>

Rmi-vuln-classloader NSE Script Example Usage


Here's an example of how to use the rmi-vuln-classloader.nse script:

Rmi-vuln-classloader NSE Script Example Output


Here's a sample output from the rmi-vuln-classloader.nse script:

PORT     STATE SERVICE
1099/tcp open  rmiregistry
| rmi-vuln-classloader:
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|     Description:
|               Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code executeion.
|
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

Rmi-vuln-classloader NSE Script Example XML Output


There is no sample XML output for this module. However, if you provide the -oX <file> option, Nmap will produce XML output and save it in the file.xml file.

Author


  • Aleksandar Nikolic

References


See Also


Related NSE scripts to the rmi-vuln-classloader.nse script:

Visit Nmap NSE Library for more scripts.

The rmi-vuln-classloader.nse script may fail with the following error messages. The code snippets below, taken from the script source code, show where each message is raised and can often help in identifying the root cause of the problem.

No return data received from server


Here is a relevant code snippet related to the "No return data received from server" error message:

  -- we are calling DGC's (its objectId is 2) method with opnum 0
  -- DGC's hashcode is f6b6898d8bf28643 hex or -669196253586618813 dec
  local status, j_array = registry.out:writeMethodCall(registry.out, 2, "f6b6898d8bf28643", 0, rmiArgs);
  local status, retByte = registry.out.dis:readByte();
  if not status then
    return false, "No return data received from server";
  end

  if 0x51 ~= retByte then
    -- 0x51 : Returndata
    return false, "No return data received from server";
  end

No return data received from server


Here is a relevant code snippet related to the "No return data received from server" error message:

  if not status then
    return false, "No return data received from server";
  end

  if 0x51 ~= retByte then
    -- 0x51 : Returndata
    return false, "No return data received from server";
  end
  -- Need to make sure we get a good chunk of data. It's going to be a java
  -- stack trace. But if we don't get enough, I guess we can check with
  -- whatever we get.
  registry.out.dis:canRead(256)
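When troubleshooting this error from a packet capture, it helps to know which of the two branches above a reply would hit. The following added example (not part of the script or of the original page) classifies raw reply bytes the same way and goes one step further by decoding the ReturnData header as laid out in the Java RMI wire protocol; the function name, the sample bytes and the strict 15-byte block-data check are assumptions of this example.

```python
import struct

# JRMP message types a server can send (Java RMI wire protocol spec).
SERVER_MSGS = {0x4E: "ProtocolAck", 0x4F: "ProtocolNotSupported",
               0x51: "ReturnData", 0x53: "PingAck"}
RETURN_KINDS = {0x01: "normal return", 0x02: "exceptional return"}
STREAM_HEADER = b"\xac\xed\x00\x05"  # Java serialization magic + version


def diagnose_reply(data: bytes) -> dict:
    """Explain how the script's return-byte check would treat `data`,
    the raw bytes the server sent in answer to the DGC call."""
    if not data:
        # readByte() failed: nothing arrived (timeout, reset, filtered port).
        return {"passes": False, "reason": "no bytes received"}
    first = data[0]
    if first != 0x51:
        name = SERVER_MSGS.get(first, "not a JRMP message type")
        return {"passes": False,
                "reason": f"first byte 0x{first:02x} ({name}), expected 0x51"}
    result = {"passes": True, "reason": "ReturnData (0x51)"}
    # 0x51 is followed by a serialization stream whose first record is
    # block data (0x77) of 15 bytes: return kind (1) + UID (4 + 8 + 2).
    if data[1:5] != STREAM_HEADER or data[5:7] != b"\x77\x0f" or len(data) < 22:
        result["note"] = "ReturnData header truncated or malformed"
        return result
    kind, _unique, _time, _count = struct.unpack(">Biqh", data[7:22])
    result["kind"] = RETURN_KINDS.get(kind, f"unknown (0x{kind:02x})")
    result["payload_bytes"] = len(data) - 22  # serialized object that follows
    return result


# Constructed sample replies (not captured traffic).
SAMPLES = {
    "silent": b"",
    "other service": b"HTTP/1.1 400 Bad Request\r\n",
    "exception": b"\x51" + STREAM_HEADER + b"\x77\x0f\x02" + bytes(14) + b"sr\x00\x20",
    "cut short": b"\x51\xac\xed",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} {diagnose_reply(raw)}")
```

A reply that fails on the first byte usually means the port is not speaking JRMP at that point, while an empty read points at a timeout or a filtering device between the scanner and the registry.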

Version


This page has been created based on Nmap version 7.92.
