Land #11521, add RMI support for UnicastRef2 responses

rapid7 · Mar 7, 2019 · 3670dd8 · 3670dd8
2 parents 76de3b1 + ecfd52d
commit 3670dd8
Showing 1 changed file with 24 additions and 1 deletion.
diff --git a/lib/msf/core/exploit/java/rmi/util.rb b/lib/msf/core/exploit/java/rmi/util.rb
@@ -79,6 +79,21 @@ def extract_int(io)
               int
             end
 
+            # Extracts a byte from an IO
+            #
+            # @param io [IO] the io to extract the byte from
+            # @return [Byte, nil] the extracted byte if success, nil otherwise
+            def extract_byte(io)
+              byte_raw = io.read(1)
+
+              unless byte_raw && byte_raw.length == 1
+                return nil
+              end
+              byte = byte_raw.unpack('C')[0]
+
+              byte
+            end
+
             # Extracts a long from an IO
             #
             # @param io [IO] the io to extract the long from
@@ -102,9 +117,17 @@ def extract_long(io)
             # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Parser#parse_registry_lookup_endpoint
             def extract_reference(io)
               ref = extract_string(io)
-              unless ref && ref == 'UnicastRef'
+              unless ref && (ref == 'UnicastRef' || ref == 'UnicastRef2')
                 return nil
               end
+
+              if ref == 'UnicastRef2'
+                form = extract_byte(io)
+
+                unless form == 0 || form == 1 # FORMAT_HOST_PORT or FORMAT_HOST_PORT_FACTORY
+                  return nil
+                end
+              end
 
               address = extract_string(io)
               return nil unless address