403Webshell
Server IP : 80.87.202.40  /  Your IP : 216.73.216.169
Web Server : Apache
System : Linux rospirotorg.ru 5.14.0-539.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 5 22:26:13 UTC 2024 x86_64
User : bitrix ( 600)
PHP Version : 8.2.27
Disable Function : NONE
MySQL : OFF |  cURL : ON |  WGET : ON |  Perl : ON |  Python : OFF |  Sudo : ON |  Pkexec : ON
Directory :  /usr/share/nmap/nselib/

Upload File :
current_dir [ Writeable] document_root [ Writeable]

 

Command :


[ Back ]     

Current File : /usr/share/nmap/nselib/rmi.lua
--- Library method for communicating over RMI (JRMP + java serialization)
--
-- This is a not complete RMI implementation for Lua, which is meant to be able
-- to invoke methods and parse returnvalues which are simple, basically the java primitives.
-- This can be used to e.g dump out the registry, and perform authentication against
-- e.g JMX-services.
--
-- This library also contains some classes which works pretty much like the
-- java classes BufferedReader, BufferedWriter, DataOutputStream and DataInputStream.
--
-- Most of the methods in the RMIDataStream class is based on the OpenJDK RMI Implementation,
-- and I have kept the methodnames  as they are in java, so it should not be too hard to find
-- the corresponding functionality in the jdk codebase to see how things 'should' be done, in case
-- there are bugs or someone wants to make additions. I have only implemented the
-- things that were needed to get things working, but it should be pretty simple to add more
-- functionality by lifting over more stuff from the jdk.
--
-- The interesting classes in OpenJDK are:
--  java.io.ObjectStreamConstants
--  java.io.ObjectStreamClass
--  java.io.ObjectInputStream
--  sun.rmi.transport.StreamRemoteCall
-- and a few more.
--
-- If you want to add calls to classes you know of, you can use e.g Jode to decompile the
-- stub-class or skeleton class and find out the details that are needed to perform an
-- RMI method invocation. Those are
--  Class hashcode
--  Method number (each method gets a number)
--  Arguments f
-- You also need the object id (so the remote server knows what instance you are talking to). That can be
-- fetched from the registry (afaik) but not currently implemented. Some object ids are static : the registry is always 0
--
-- @author Martin Holst Swende
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
-- @see java 1.4 RMI-spec: http://java.sun.com/j2se/1.4.2/docs/guide/rmi/
-- @see java 5 RMI-spec: http://java.sun.com/j2se/1.5.0/docs/guide/rmi/spec/rmiTOC.html
-- @see java 6 RMI-spec : http://java.sun.com/javase/6/docs/technotes/guides/rmi/index.html
-- @see The protocol for Java object serializtion : http://java.sun.com/javase/6/docs/platform/serialization/spec/protocol.html
-- Version 0.2

-- Created 09/06/2010 - v0.1 - created by Martin Holst Swende <martin@swende.se>
-- Fixed more documentation - v0.2 Martin Holst Swende <martin@swende.se>

local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
_ENV = stdnse.module("rmi", stdnse.seeall)
-- Some lazy shortcuts

local function dbg(str,...)
  local arg={...}
  stdnse.debug3("RMI:"..str, table.unpack(arg))
end
-- Convenience function to both print an error message and return <false, msg>
-- Example usage :
-- if foo ~= "gazonk" then
--   return doh("Foo should be gazonk but was %s", foo)
-- end
local function doh(str,...)
  local arg={...}
  stdnse.debug1("RMI-ERR:"..tostring(str), table.unpack(arg))
  return false, str
end

---
-- BufferedWriter
-- This buffering writer provide functionality much like javas BufferedWriter.
--
-- BufferedWriter wraps string.pack, and buffers data internally
-- until flush is called. When flush is called, it either sends the data to the socket OR
-- returns the data, if no socket has been set.
--@usage:
-- local bWriter = BufferedWriter:new(socket)
-- local breader= BufferedReader:new(socket)
--
-- bWriter.pack('>i4', integer)
-- bWriter.flush() -- sends the data
--
-- if bsocket:canRead(4) then -- Waits until four bytes can be read
--   local packetLength = bsocket:unpack('>i4') -- Read the four bytess
--   if bsocket:canRead(packetLength) then
--     -- ...continue reading packet values

BufferedWriter = {
  new = function(self, socket)
    local o = {}
    setmetatable(o, self)
    self.__index = self
    o.writeBuffer = ''
    o.pos = 1
    o.socket = socket
    return o
  end,

  -- Sends data over the socket
  -- (Actually, just buffers until flushed)
  -- @return Status (true or false).
  -- @return Error code (if status is false).
  send = function( self, data )
    self.writeBuffer = self.writeBuffer .. data
  end,
  -- Convenience function, wraps string.pack
  pack = function(self, fmt, ... )
    local arg={...}
    self.writeBuffer = self.writeBuffer .. string.pack( fmt, table.unpack(arg))
  end,

  -- This function flushes the buffer contents, thereby emptying
  -- the buffer. If a socket has been supplied, that's where it will be sent
  -- otherwise the buffer contents are returned
  --@return status
  --@return content of buffer, in case no socket was used
  flush = function(self)

    local content = self.writeBuffer
    self.writeBuffer = ''

    if not self.socket then
      return true, content
    end
    return self.socket:send(content)
  end,

}
---
-- BufferedReader reads data from the supplied socket and contains functionality
-- to read all that is available and store all that is not currently needed, so the caller
-- gets an exact number of bytes (which is not the case with the basic nmap socket implementation)
-- If not enough data is available, it blocks until data is received, thereby handling the case
-- if data is spread over several tcp packets (which is a pitfall for many scripts)
--
-- It wraps string.unpack for the reading.
-- OBS! You need to check before invoking skip or unpack that there is enough
-- data to read. Since this class does not parse arguments to unpack, it does not
-- know how much data to read ahead on those calls.
--@usage:
-- local bWriter = BufferedWriter:new(socket)
-- local breader= BufferedReader:new(socket)
--
-- bWriter.pack('>i4', integer)
-- bWriter.flush() -- sends the data
--
-- if bsocket:canRead(4) then -- Waits until four bytes can be read
--   local packetLength = bsocket:unpack('>i4') -- Read the four bytess
--   if bsocket:canRead(packetLength) then
--     -- ...continue reading packet values

BufferedReader = {
  new = function(self, socket, readBuffer)
    local o = {}
    setmetatable(o, self)
    self.__index = self
    o.readBuffer = readBuffer -- May be nil
    o.pos = 1
    o.socket = socket -- May also be nil
    return o
  end,
  ---
  -- This method blocks until the specified number of bytes
  -- have been read from the socket and are available for
  -- the caller to read, e.g via the unpack function
  canRead= function(self,count)
    local status, data
    self.readBuffer = self.readBuffer or ""
    local missing = self.pos + count - #self.readBuffer -1
    if ( missing > 0) then
      if self.socket == nil then
        return doh("Not enough data in static buffer")
      end

      status, data = self.socket:receive_bytes( missing )
      if ( not(status) ) then
        return false, data
      end
      self.readBuffer = self.readBuffer .. data
    end
    -- Now and then, we flush the buffer
    if ( self.pos > 1024) then
      self.readBuffer = self.readBuffer:sub( self.pos )
      self.pos = 1
    end
    return true
  end,
  ---
  --@return Returns the number of bytes already available for reading
  bufferSize = function(self)
    return #self.readBuffer +1 -self.pos
  end,
  ---
  -- This function works just like string.unpack (in fact, it is
  -- merely a wrapper around it.  However, it uses the data
  -- already read into the buffer, and the internal position
  --@param format
  --@return the unpacked value (NOT the index)
  unpack = function(self,format)
    local ret = {string.unpack(format, self.readBuffer, self.pos)}
    self.pos = ret[#ret]
    ret[#ret] = nil
    return table.unpack(ret)
  end,
  ---
  -- This function works just like string.unpack (in fact, it is
  -- merely a wrapper around it.  However, it uses the data
  -- already read into the buffer, and the internal position.
  -- This method does not update the current position, and the
  -- data can be read again
  --@param format
  --@return the unpacked value (NOT the index)
  peekUnpack = function(self,format)
    return string.unpack(format, self.readBuffer, self.pos)
  end,
  ---
  -- Tries to read a byte, without consuming it.
  --@return status
  --@return bytevalue
  peekByte = function(self)
    if self:canRead(1) then
      return true, self:peekUnpack('B')
    end
    return false
  end,
  ---
  -- Skips a number of bytes
  --@param len the number of bytes to skip
  skip = function(self, len)
    if(#self.readBuffer < len + self.pos) then
      return doh("ERROR: reading too far ahead")
    end
    local skipped = self.readBuffer:sub(self.pos, self.pos+len-1)
    self.pos = self.pos + len
    return true, skipped
  end,

}

-- The classes are generated when this file is loaded, by the definitions in the JavaTypes
-- table. That table contains mappings between the format used by string.pack and the types
-- available in java, as well as the lengths (used for availability-checks) and the name which
-- is prefixed by read* or write* when monkey-patching the classes and adding functions.
-- For example: {name = 'Int', expr = '>i', len=  4}, will generate the functions
-- writeInt(self, value) and readInt() respectively

local JavaTypes = {
  {name = 'Int', expr = '>i4', len=  4},
  {name = 'UnsignedInt', expr = '>I4', len=  4},
  {name = 'Short', expr = '>i2', len=  2},
  {name = 'UnsignedShort', expr = '>I2', len=  2},
  {name = 'Long', expr = '>i8', len=  8},
  {name = 'UnsignedLong', expr = '>I8', len=  8},
  {name = 'Byte', expr = '>B', len=  1},
}

---
-- The JavaDOS classes
-- The JavaDOS class is an approximation of a java DataOutputStream. It provides convenience functions
-- for writing java types to an underlying BufferedWriter
--
-- When used in conjunction with the BufferedX- classes, they handle the availability-
-- checks transparently, i.e the caller does not have to check if enough data is available
--
-- @usage:
-- local dos = JavaDOS:new(BufferedWriter:new(socket))
-- local dos = JavaDIS:new(BufferedReader:new(socket))
-- dos:writeUTF("Hello world")
-- dos:writeInt(3)
-- dos:writeLong(3)
-- dos:flush() -- send data
-- local answer = dis:readUTF()
-- local int = dis:readInt()
-- local long = dis:readLong()

JavaDOS = {
  new = function  (self,bWriter)
    local o = {}   -- create new object if user does not provide one
    setmetatable(o, self)
    self.__index = self -- DIY inheritance
    o.bWriter = bWriter
    return o
  end,
  -- This closure method generates all writer methods on the fly
  -- according to the definitions in JavaTypes
  _generateWriterFunc = function(self, javatype)
    local functionName = 'write'..javatype.name
    local newFunc = function(_self, value)
      --dbg(functionName .."(%s) called" ,tostring(value))
      return _self:pack(javatype.expr, value)
    end
    self[functionName] = newFunc
  end,

  writeUTF = function(self, text)
    -- TODO: Make utf-8 of it
    return self:pack('>s2', text)
  end,
  pack = function(self, ...)
    local arg={...}
    return self.bWriter:pack(table.unpack(arg))
  end,
  write = function(self, data)
    return self.bWriter:send(data)
  end,
  flush = function(self)
    return self.bWriter:flush()
  end,
}

---
-- The JavaDIS class
-- JavaDIS is close to java DataInputStream. It provides convenience functions
-- for reading java types from an underlying BufferedReader
--
-- When used in conjunction with the BufferedX- classes, they handle the availability-
-- checks transparently, i.e the caller does not have to check if enough data is available
--
-- @usage:
-- local dos = JavaDOS:new(BufferedWriter:new(socket))
-- local dos = JavaDIS:new(BufferedReader:new(socket))
-- dos:writeUTF("Hello world")
-- dos:writeInt(3)
-- dos:writeLong(3)
-- dos:flush() -- send data
-- local answer = dis:readUTF()
-- local int = dis:readInt()
-- local long = dis:readLong()
JavaDIS = {
  new = function  (self,bReader)
    local o = {}   -- create new object if user does not provide one
    setmetatable(o, self)
    self.__index = self -- DIY inheritance
    o.bReader = bReader
    return o
  end,

  -- This closure method generates all reader methods (except nonstandard ones) on the fly
  -- according to the definitions in JavaTypes.
  _generateReaderFunc = function(self, javatype)
    local functionName = 'read'..javatype.name
    local newFunc = function(_self)
      --dbg(functionName .."() called" )
      if not _self.bReader:canRead(javatype.len)  then
        local err = ("Not enough data in buffer (%d required by %s)"):format(javatype.len, functionName)
        return doh(err)
      end
      return true, _self.bReader:unpack(javatype.expr)
    end
    self[functionName] = newFunc
  end,
  -- This is a bit special, since we do not know beforehand how many bytes must be read. Therefore
  -- this cannot be generated on the fly like the others.
  readUTF = function(self, text)
    -- First, we need to read the length, 2 bytes
    if not self.bReader:canRead(2)  then-- Length of the string is two bytes
      return false, "Not enough data in buffer [0]"
    end
    -- We do it as a 'peek', so string.unpack can reuse the data to unpack with '>s2'
    local len = self.bReader:peekUnpack('>I2')
    --dbg("Reading utf, len %d" , len)
    -- Check that we have data
    if not self.bReader:canRead(len) then
      return false, "Not enough data in buffer [1]"
    end
    -- For some reason, the 'P' switch does not work for me.
    -- Probably some idiot thing. This is a hack:
    local val = self.bReader.readBuffer:sub(self.bReader.pos+2, self.bReader.pos+len+2-1)
    self.bReader.pos = self.bReader.pos+len+2
    -- Someone smarter than me can maybe get this working instead:
    --local val = self.bReader:unpack('>s2')
    --dbg("Read UTF: %s", val)
    return true, val
  end,
  readLongAsHexString = function(self)
    if not self.bReader:canRead(8)  then-- Length of the string is two bytes
      return false, "Not enough data in buffer [3]"
    end
    return true, stdnse.tohex(self.bReader:unpack('c8'))

  end,
  skip = function(self, len)
    return self.bReader:skip(len)
  end,
  canRead = function(self, len)
    return self.bReader:canRead(len)
  end,
}

-- Generate writer-functions on the JavaDOS/JavaDIS classes on the fly
for _,x in ipairs(JavaTypes) do
  JavaDOS._generateWriterFunc(JavaDOS, x)
  JavaDIS._generateReaderFunc(JavaDIS, x)
end
---
-- This class represents a java class and is what is returned by the library
-- when invoking a remote function. Therefore, this can also represent a java
-- object instance.
JavaClass = {
  new = function(self)
    local o = {}
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  customDataFormatter  = nil,

  setName = function( self, name )
    dbg("Setting class name to %s", name)
    self.name = name
  end,
  setSerialID = function( self, serial ) self.serial = serial end,
  setFlags = function( self, flags )
    self.flags = RMIUtils.flagsToString(flags)
    self._binaryflags = flags
  end,

  isExternalizable = function(self)
    if self._binaryFlags == nil then return false end

    return (self._binaryflags & RMIUtils.SC_EXTERNALIZABLE)
  end,

  addField = function( self, field )
    if self.fields == nil then self.fields = {} end
    table.insert( self.fields, field )
    --self[field.name] = field
  end,
  setSuperClass = function(self,super) self.superClass = super end,

  setCustomData = function(self, data) self.customData = data end,
  getCustomData = function(self) return self.customData end,

  setInterfaces = function(self,ifaces) self.ifaces = ifaces end,
  getName = function( self ) return self.name end,
  getSuperClass = function(self) return self.superClass end,
  getSerialID = function( self ) return self.serial end,
  getFlags = function( self ) return self.flags end,
  getFields = function( self ) return self.fields end,
  getFieldByName = function( self, name )
    if self.fields == nil then return end
    for i=1, #self.fields do
      if ( self.fields[i].name == name ) then
        return self.fields[i]
      end
    end
  end,

  __tostring = function( self )
    local data = {}
    if self.name ~=nil then
      data[#data+1] = ("%s "):format(self.name)
    else
      data[#data+1] = "???"
    end
    if  self.superClass~=nil then
      data[#data+1] = " extends ".. tostring( self.superClass)
    end
    if self.ifaces ~= nil then
      data[#data+1] = " implements " ..  self.ifaces
    end
    if self.fields ~=nil then
      for i=1, #self.fields do
        if i == 1 then
          data[#data+1] = "["
        end
        data[#data+1] = tostring(self.fields[i])
        if ( i < #self.fields ) then
          data[#data+1] = ";"
        else
          data[#data+1] = "]"
        end

      end
    end
    return table.concat(data)
  end,
  toTable = function(self, customDataFormatter)
    local data = {self.name}

    if self.externalData ~=nil then
      table.insert(data, tostring(self.externalData))
    end

    --if self.name ~=nil then
    --  data.class = self.name
    --end
    if self.ifaces ~= nil then
      table.insert(data, " implements " .. self.ifaces)
    end

    if  self.superClass~=nil then
      local extends = self.superClass:toTable()
      table.insert(data ,"extends")
      table.insert(data, extends)
      --data.extends = self.superClass:toTable()
    end
    if self.fields ~=nil then
      table.insert(data, "fields")
      local f = {}
      for i=1, #self.fields do
        table.insert(f, self.fields[i]:toTable())
      end
      table.insert(data, f)
    end

    if self.customData ~=nil then
      local formatter =  JavaClass['customDataFormatter']
      if formatter ~= nil then
        local title, cdata = formatter(self.name, self.customData)
        table.insert(data, title)
        table.insert(data, cdata)
      else
        table.insert(data, "Custom data")
        table.insert(data, self.customData)
      end
    end

    return data

  end,

}
--- Represents a field in an object, i.e an object member
JavaField = {

  new = function(self, name, typ )
    local o = {}
    setmetatable(o, self)
    self.__index = self
    o.name = name
    o.type = typ
    return o
  end,

  setType = function( self, typ ) self.type = typ end,
  setSignature = function( self, sig ) self.signature = sig end,
  setName = function( self, name ) self.name = name end,
  setObjectType = function( self, ot ) self.object_type = ot end,
  setReference = function( self, ref ) self.ref = ref end,
  setValue = function (self, val)
    dbg("Setting field value to %s", tostring(val))
    self.value = val

  end,

  getType = function( self ) return self.type end,
  getSignature = function( self ) return self.signature end,
  getName  = function( self ) return self.name end,
  getObjectType = function( self ) return self.object_type end,
  getReference = function( self ) return self.ref end,
  getValue = function( self ) return self.value end,

  __tostring = function( self )
    if self.value ~= nil then
      return string.format("%s %s = %s", self.type, self.name, self.value)
    else
      return string.format("%s %s", self.type, self.name)
    end
  end,
  toTable = function(self)
    local data = {tostring(self.type) .. " " .. tostring(self.name)}
    --print("FIELD VALUE:", self.value)
    if self.value ~= nil then
      if type(self.value) == 'table' then
        if self.value.toTable ~=nil then
          table.insert(data, self.value:toTable())
        else
          table.insert(data, self.value)
        end
      else
        table.insert(data, self.value)
      end
    end
    return data
  end,

}
---
-- Represents a java array. Internally, this is a lua list of JavaClass-instances
JavaArray = {
  new = function(self)
    local o = {}
    setmetatable(o, self)
    self.__index = self
    o.values = {}
    return o
  end,
  setClass = function( self, class ) self.class = class end,
  setLength = function( self, length ) self.length = length end,
  setValue = function(self, index, object) self.values[index] = object end,
  __tostring=function(self)
    local data = {
      ("Array: %s [%d] = {"):format(tostring(self.class), self.length)
    }

    for i=1, #self.values do
      data[#data+1] = self.values[i]..","
    end
    data[#data+1] = "}"
    return table.concat(data)
  end,
  toTable = function(self)
    local title = ("Array: %s [%d] = {"):format(tostring(self.class), self.length)
    local t =  {title = self.values}
    return t
  end,

  getValues = function(self) return self.values end
}





TC = {
  TC_NULL = 0x70,
  TC_REFERENCE = 0x71,
  TC_CLASSDESC = 0x72,
  TC_OBJECT = 0x73,
  TC_STRING = 0x74,
  TC_ARRAY = 0x75,
  TC_CLASS = 0x76,
  TC_BLOCKDATA = 0x77,
  TC_ENDBLOCKDATA = 0x78,
  TC_RESET = 0x79,
  TC_BLOCKDATALONG = 0x7A,
  TC_EXCEPTION = 0x7B,
  TC_LONGSTRING =  0x7C,
  TC_PROXYCLASSDESC =  0x7D,
  TC_ENUM =  0x7E,

  Integer = 0x49,
  Object = 0x4c,

  Strings = {
    [0x49] = "Integer",
    [0x4c] = "Object",
    [0x71] = "TC_REFERENCE",
    [0x70] = "TC_NULL",
    [0x71] = "TC_REFERENCE",
    [0x72] = "TC_CLASSDESC",
    [0x73] = "TC_OBJECT",
    [0x74] = "TC_STRING",
    [0x75] = "TC_ARRAY",
    [0x76] = "TC_CLASS",
    [0x77] = "TC_BLOCKDATA",
    [0x78] = "TC_ENDBLOCKDATA",
    [0x79] = "TC_RESET",
    [0x7A] = "TC_BLOCKDATALONG",
    [0x7B] = "TC_EXCEPTION",
    [0x7C] = "TC_LONGSTRING",
    [0x7D] = "TC_PROXYCLASSDESC",
    [0x7E] = "TC_ENUM",
  },

}

local Version= 0x02
local Proto= {Stream=0x4b, SingleOp=0x4c, Multiplex=0x4d}

---
-- RmiDataStream class
-- This class can handle reading and writing JRMP, i.e RMI wire protocol and
-- can do some very limited java deserialization. This implementation has
-- borrowed from OpenJDK RMI implementation, but only implements an
-- absolute minimum of what is required in order to perform some basic calls
--

RmiDataStream = {
  new = function  (self,o)
    o = o or {}   -- create object if user does not provide one
    setmetatable(o, self)
    self.__index = self -- DIY inheritance
    return o
  end,
}
-- An output stream in RMI consists of transport Header information followed by a sequence of Messages.
--  Out:
--    Header Messages
--    HttpMessage
--  Header:
--    0x4a 0x52 0x4d 0x49 Version Protocol
-- (4a 52 4d 49 === JRMI)
--  Version:
--    0x00 0x01
--  Protocol:
--    StreamProtocol
--    SingleOpProtocol
--    MultiplexProtocol
--  StreamProtocol:
--    0x4b
--  SingleOpProtocol:
--    0x4c
--  MultiplexProtocol:
--    0x4d
--  Messages:
--    Message
--    Messages Message

----
-- Connects to a remote service. The connection process creates a
-- socket and does some handshaking. If this is successful,
-- we are definitely talking to an RMI service.
function RmiDataStream:connect(host, port)
  local status, err

  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  --  local bsocket = BufferedSocket:new()
  socket:connect(host,port, "tcp")

  -- Output and input
  local dos = JavaDOS:new(BufferedWriter:new(socket))
  local dis = JavaDIS:new(BufferedReader:new(socket))

  -- Start sending a message --
  -- Add Header, Version and Protocol

  dos:writeInt(1246907721) -- == JRMI
  dos:writeShort(Version)
  dos:writeByte(Proto.Stream)
  status = dos:flush()
  if not status then
    return doh(err)
  end

  -- For the StreamProtocol and the MultiplexProtocol, the server must respond with a a byte 0x4e
  -- acknowledging support for the protocol, and an EndpointIdentifier that contains the host name
  -- and port number that the server can see is being used by the client.
  -- The client can use this information to determine its host name if it is otherwise unable to do that for security reasons.

  -- Read ack
  status, err = self:readAck(dis)
  if not status then
    return doh("No ack received from server:" .. tostring(err))
  end

  -- The client must then respond with another EndpointIdentifier that contains the clients
  -- default endpoint for accepting connections. This can be used by a server in the MultiplexProtocol case to identify the client.

  dos:writeUTF("127.0.0.1") -- TODO, write our own ip instead (perhaps not necessary, since we are not using MultiplexProtocol
  dos:writeInt(0) -- Port ( 0 works fine)
  dos:flush()
  self.dos = dos
  self.dis =dis
  return true
end

-- Reads a DgcAck message, which is sent during connection handshake
--@param dis - a JavaDIS to read from
--@return status
--@return error message
function RmiDataStream:readAck(dis)
  local status, ack = dis:readByte()

  if not status then return doh( "Could not read data") end

  if ack ~= 78 then
    return doh("No ack received: ".. tostring(ack))
  end
  local status, host = dis:readUTF()
  if not status then return false, "Could not read data" end
  local status, port = dis:readUnsignedInt()
  if not status then return false, "Could not read data" end

  dbg("RMI-Ack received (host %s, port: %d) " , host, port)
  return true
end

-- Sends an RMI method call
--@param out - a JavaDos outputstream
--@param objNum -object id (target of call)
--@param hash - the hashcode for the class that is invoked
--@param op - the operation number (method) invoked
--@param arguments - optional, if arguments are needed to this method. Should be an Arguments table
--  or something else which has a getData() function to get binary data
function RmiDataStream:writeMethodCall(out,objNum, hash, op, arguments)
  dbg("Invoking object %s, hash %s, opNum %s, args %s", tostring(objNum), tostring(hash), tostring(op), tostring(arguments))
  local dos = self.dos
  local dis = self.dis

  -- Send Call:
  dos:writeByte(0x50)
  -- Send Magic 0xaced
  dos:writeUnsignedShort(0xACED)
  -- Send version 0x0005
  dos:writeShort(0x0005)
  -- Send TC_BLOKDATA
  dos:writeByte(0x77)

  -- send length (byte)
  dos:writeByte(0x22)

  -- From sun.rmi.transport.StreamRemoteCall :
  --   // write out remote call header info...
  --   // call header, part 1 (read by Transport)
  --   conn.getOutputStream().write(TransportConstants.Call);
  --   getOutputStream();           // creates a MarshalOutputStream
  --   id.write(out);               // object id (target of call)
  --   // call header, part 2 (read by Dispatcher)
  --   out.writeInt(op);            // method number (operation index)
  --   out.writeLong(hash);         // stub/skeleton hash
  -- Send rest of the call

  local unique, time, count =0,0,0

  dos:writeLong(objNum);-- id objNum
  dos:writeInt(unique); -- space
  dos:writeLong(time);
  dos:writeShort(count);
  dos:writeInt(op)
  dos:write(stdnse.fromhex(hash))

  -- And now, the arguments
  if arguments ~= nil then
    dos:write(arguments:getData())
  end


  dos:flush()

end
---
-- Invokes a method over RMI
--@param methodData, a table which should contain the following
--@param objNum -object id (target of call)
--@param hash - the hashcode for the class that is invoked
--@param op - the operation number (method) invoked
--@param arguments - optional, if arguments are needed to this method. Should be an Arguments table
--  or something else which has a getData() function to get binary data
--@return status
--@return a JavaClass instance
function RmiDataStream:invoke(objNum, hash, op, arguments)
  local status, data
  local out = self.out
  local dis = self.dis
  self:writeMethodCall(out,objNum,hash, op, arguments)
  local status, retByte = dis:readByte()
  if not status then return false, "No return data received from server" end

  if 0x51 ~= retByte then -- 0x51 : Returndata
    return false, "No return data received from server"
  end

  status, data = self:readReturnData(dis)
  return status, data
end

---
-- Reads an RMI ReturnData packet
--@param dis a JavaDIS inputstream
function RmiDataStream:readReturnData(dis)

  --[[
  From -http://turtle.ee.ncku.edu.tw/docs/java/jdk1.2.2/guide/rmi/spec/rmi-protocol.doc3.html :
  A ReturnValue of an RMI call consists of a return code to indicate either a normal or
  exceptional return, a UniqueIdentifier to tag the return value (used to send a DGCAck if necessary)
  followed by the return result: either the Value returned or the Exception thrown.


  CallData: ObjectIdentifier Operation Hash (Arguments)
  ReturnValue:
    0x01 UniqueIdentifier (Value)
    0x02 UniqueIdentifier Exception

  ObjectIdentifier: ObjectNumber UniqueIdentifier
  UniqueIdentifier: Number Time Count
  Arguments: Value Arguments Value
  Value: Object Primitive

  Example:  [ac ed][00 05][77][0f][01][25 14 95 21][00 00 01 2b 16 9a 62 5a 80 0b]
      [magc][ver    ][BL][L ][Ok][ --------------- not interesting atm ----------------------]

  --]]

  -- We need to be able to read at least 7 bytes
  -- If that is doable, we can ignore the status on the following readbyte operations
  if not dis:canRead(7) then
    return doh("Not enough data received")
  end

  local status, magic = dis:readUnsignedShort() -- read magic
  local status, version = dis:readShort() -- read version


  local status, typ = dis:readByte()
  if typ ~= TC.TC_BLOCKDATA then
    return doh("Expected block data when reading return data")
  end
  local status, len = dis:readByte() -- packet length
  --dis:setReadLimit(len)
  local status, ex = dis:readByte() -- 1=ok, 2=exception thrown
  if ex ~= 1 then
    return doh("Remote call threw exception")
  end

  -- We can skip the rest of this block
  dis:skip(len -1)

  -- Now, the return value object:
  local status, x = readObject0(dis)
  dbg("Read object, got %d left in buffer", dis.bReader:bufferSize())


  if(dis.bReader:bufferSize() > 0) then
    local content = dis.bReader:unpack('c'..tostring(dis.bReader:bufferSize()))
    dbg("Buffer content: %s", stdnse.tohex(content))
  end
  return status, x
end
---
-- Deserializes a serialized java object
function readObject0(dis)

  local finished = false
  local data, status, responseType

  status, responseType = dis:readByte()
  if not status then
    return doh("Not enough data received")
  end

  dbg("Reading object of type : %s" , RMIUtils.tcString(responseType))
  local decoder = TypeDecoders[responseType]
  if decoder ~= nil then
    status, data = decoder(dis)
    if not status then return doh("readObject0: Could not read data %s", tostring(data)) end
    dbg("Read: %s", tostring(data))
    return true, data
  else
    return doh("No decoder found for responsetype: %s" , RMIUtils.tcString(responseType))
  end
end
function readString(dis)
  return dis:readUTF()
end
-- Reads return type array
function readArray(dis)
  local array  = JavaArray:new()
  dbg("Reading array class description")
  local status, classDesc = readClassDesc(dis)
  array:setClass(classDesc)
  dbg("Reading array length")
  local status, len = dis:readInt()

  if not status then
    return doh("Could not read data")
  end

  array:setLength(len)
  dbg("Reading array of length is %X", len)
  for i =1, len, 1 do
    local status, object = readObject0(dis)
    array:setValue(i,object)
  end
  return true, array
end

function readClassDesc(dis)
  local status, p = dis:readByte()
  if not status then return doh( "Could not read data" ) end

  dbg("reading classdesc: %s" , RMIUtils.tcString(p))

  local val

  if p == TC.TC_CLASSDESC then
    dbg("Reading TC_CLASSDESC")
    status, val = readNonProxyDesc(dis)
  elseif p == TC.TC_NULL then
    dbg("Reading TC_NULL")
    status, val = true, nil
  elseif p == TC.TC_PROXYCLASSDESC then
    dbg("Reading TC_PROXYCLASSDESC")
    status, val = readProxyDesc(dis)
  else
    return doh("TC_classdesc is other %d", p)
  end

  if not status then
    return doh("Error reading class description")
  end
  return status, val


end
function readOrdinaryObject(dis)
  local status, desc =  readClassDesc(dis)
  if not status then
    return doh("Error reading ordinary object")
  end


  if  desc:isExternalizable() then
    dbg("External content")
    local status, extdata = readExternalData(dis)
    if status then
      desc["externalData"] = extdata
    end
  else
    dbg("Serial content")
    local status, serdata = readExternalData(dis)
    if status then
      desc["externalData"] = serdata
      local status, data =parseExternalData(desc)
      if status then
        desc['externalData'] = data
      end
    end
  end
  return status, desc

end

-- Attempts to read some object-data, at least remove the block
-- header. This method returns the external data in 'raw' form,
-- since it is up to each class to define an readExternal method
function readExternalData(dis)
  local  data = {}
  while dis.bReader:bufferSize() > 0 do
    local status, tc= dis:readByte()
    if not status then
      return doh("Could not read external data")
    end
    dbg("readExternalData: %s", RMIUtils.tcString(tc))
    local status, len, content
    if tc == TC.TC_BLOCKDATA then
      status, len = dis:readByte()
      status, content = dis.bReader:skip(len)
      --print(makeStringReadable(content))
      dbg("Read external data (%d bytes): %s " ,len, content)
      --local object = ExternalClassParsers['java.rmi.server.RemoteObject'](dis)
      --print(object)
      return status, content
    elseif tc == TC.TC_BLOCKDATALONG then
      status, len = dis:readUnsignedInt()
      status, content = dis.bReader:skip(len)
      return status, content
    elseif tc == TC.TC_ENDBLOCKDATA then
      --noop
    else
      return doh("Got unexpected field in readExternalData: %s ", RMIUtils.tcString(tc))
    end
  end
end

----
-- ExternalClassParsers : External Java Classes
-- This 'class' contains information about certain specific java classes,
-- such as UnicastRef, UnicastRef2. After such an object has been read by
-- the object serialization protocol, it will contain a lump of data which is
-- in 'external' form, and needs to be read in a way which is specific for the class
-- itself. This class contains the implementations for reading out the
-- 'goodies' of e.g UnicastRef, which contain important information about
-- where another RMI-socket is listening and waiting for someone to connect.
ExternalClassParsers = {
  ---
  --@see sun.rmi.transport.tcp.TCPEndpoint
  --@see sun.rmi.server.UnicastRef
  --@see sun.rmi.server.UnicastRef2
  UnicastRef = function(dis)
    local sts_host, host = dis:readUTF()
    if not sts_host then
      return doh("Parsing external data, could not read host (UTF)")
    end
    local sts_port, port = dis:readUnsignedInt()
    if not sts_port then
      return doh("Parsing external data, could not read port (int)")
    end
    dbg("a host: %s, port %d", host, port)
    return true, ("@%s:%d"):format(host,port)
  end,
  ---
  --@see sun.rmi.transport.tcp.TCPEndpoint
  --@see sun.rmi.server.UnicastRef
  --@see sun.rmi.server.UnicastRef2
  UnicastRef2 = function(dis)
    local sts_form, form = dis:readByte()
    if not sts_form then
      return doh("Parsing external data, could not read byte")
    end
    if not (form == 0 or form == 1) then-- FORMAT_HOST_PORT or  FORMAT_HOST_PORT_FACTORY
      return doh("Invalid endpoint format")
    end
    local sts_host, host = dis:readUTF()
    if not sts_host then
      return doh("Parsing external data, could not read host (UTF)")
    end
    local sts_port, port = dis:readUnsignedInt()
    if not sts_port then
      return doh("Parsing external data, could not read port (int)")
    end
    dbg("b host: %s, port %d", host, port)
    if form == 0 then
      return true, ("@%s:%d"):format(host,port)
    end
    -- for FORMAT_HOST_PORT_FACTORY, there's an object left to read
    local sts_object, object = readObject0(dis)
    return true, ("@%s:%d"):format(host,port)
    --return true, {host = host, port = port, factory = object}
  end
}
--@see java.rmi.server.RemoteObject:readObject()
ExternalClassParsers['java.rmi.server.RemoteObject'] = function(dis)
  local status, refClassName = dis:readUTF()
  if not status then return doh("Parsing external data, could not read classname (UTF)") end
  if #refClassName == 0 then
    local status, ref = readObject0(dis)
    return status, ref
  end
  dbg("Ref class name: %s ", refClassName)
  local parser = ExternalClassParsers[refClassName]

  if parser == nil then
    return doh("No external class reader for %s" , refClassName)
  end

  local status, object = parser(dis)
  return status, object
end

-- Attempts to parse the externalized data of an object.
--@return status, the object data
function parseExternalData(j_object)

  if j_object == nil then
    return doh("parseExternalData got nil object")
  end

  local className = j_object:getName()

  -- Find parser for the object, move up the hierarchy
  local obj = j_object
  local parser = nil
  while(className  ~= nil) do
    parser = ExternalClassParsers[className]
    if parser ~= nil then break end

    obj = obj:getSuperClass()
    if obj== nil then break  end-- No more super classes
    className = obj:getName()
  end

  if parser == nil then
    return doh("External reader for class %s is not implemented", tostring(className))
  end
  -- Read the actual object, start by creating a new dis based on the data-string
  local dis = JavaDIS:new(BufferedReader:new(nil,j_object.externalData))
  local status, object = parser(dis)
  if not status then
    return doh("Could not parse external data")
  end
  return true, object
end

-- Helper function to display data
-- returns the string with all non-printable chars
-- coded as hex
function makeStringReadable(data)
  return data:gsub("[\x00-\x1f\x7f-\xff]", function (x)
      return ("\\x%02x"):format(x:byte())
    end)
end

function readNonProxyDesc(dis)
  dbg("-- entering readNonProxyDesc--")
  local j_class = JavaClass:new()
  local status, classname = dis:readUTF()
  if not status then return doh( "Could not read data" ) end
  j_class:setName(classname)

  local status, serialID = dis:readLongAsHexString()
  if not status then return doh("Could not read data") end
  j_class:setSerialID(serialID)

  dbg("Set serial ID to %s", tostring(serialID))

  local status, flags = dis:readByte()
  if not status then return doh("Could not read data") end
  j_class:setFlags(flags)


  local status, fieldCount = dis:readShort()
  if not status then return doh( "Could not read data") end

  dbg("Fieldcount %d", fieldCount)

  local fields = {}
  for i =0, fieldCount-1,1 do
    local status, fieldDesc = readFieldDesc(dis)
    j_class:addField(fieldDesc)
    -- Need to store in list, the field values need to be read
    -- after we have finished reading the class description
    -- hierarchy
    table.insert(fields,fieldDesc)
  end
  local status, customStrings = skipCustomData(dis)
  if status and customStrings ~= nil and #customStrings > 0 then
    j_class:setCustomData(customStrings)
  end

  local _,superDescriptor = readClassDesc(dis)

  j_class:setSuperClass(superDescriptor)
  dbg("Superclass read, now reading %i field values", #fields)
  --Read field values
  for i=1, #fields, 1 do
    local status, fieldType = dis:readByte()
    local value = nil
    if ( TypeDecoders[fieldType] ) then
      status, value= TypeDecoders[fieldType](dis)
    else
      dbg("error reading".. RMIUtils.tcString(fieldType))
      return
    end
    dbg("Read fieldvalue ".. tostring(value) .. " for field ".. tostring(fields[i]))
    fields[i]:setValue(value)
  end
  dbg("-- leaving readNonProxyDesc--")
  return true, j_class


end

function readProxyDesc(dis)
  dbg("-- in readProxyDesc--")
  local interfaces = ''
  local superclass = nil
  local status, ifaceNum= dis:readInt()
  if not status then return doh("Could not read data") end
  --dbg("# interfaces: %d" , ifaceNum)
  while ifaceNum > 0 do
    local status, iface = dis:readUTF()
    if not status then return doh( "Could not read data") end
    --table.insert(interfaces, iface)
    interfaces = interfaces .. iface ..', '
    dbg("Interface: %s " ,iface)
    ifaceNum = ifaceNum-1
  end

  local j_class = JavaClass:new()

  local status, customStrings = skipCustomData(dis)
  if status and customStrings ~= nil and #customStrings > 0 then
    j_class:setCustomData(customStrings)
  end

  local _,superDescriptor = readClassDesc(dis)


  --print ("superdescriptor", superDescriptor)
  j_class:setSuperClass(superDescriptor)
  j_class:setInterfaces(interfaces)

  dbg("-- leaving readProxyDesc--")
  return true, j_class

end
--
-- Skips over all block data and objects until TC_ENDBLOCKDATA is
-- encountered.
-- @see java.io.ObjectInputStream.skipCustomData()
--@return status
--@return any strings found while searching
function skipCustomData(dis)
  -- If we come across something interesting, just put it into
  -- the returnData list
  local returnData = {}
  while true do
    local status, p = dis:readByte()
    if not status then
      return doh("Could not read data")
    end

    if not status then return doh("Could not read data") end
    dbg("skipCustomData read %s", RMIUtils.tcString(p))

    if p == TC.TC_BLOCKDATA or p == TC.TC_BLOCKDATALONG then
      dbg("continuing")
      --return
    elseif p == TC.TC_ENDBLOCKDATA then
      return true, returnData
    else
      -- In the java impl, this is a function called readObject0. We just
      -- use the read null, otherwise error
      if p == TC.TC_NULL then
        -- No op, already read the byte, continue reading
      elseif p == TC.TC_STRING then
        --dbg("A string is coming!")
        local status,  str = dis:readUTF()
        if not status then
          return doh("Could not read data")
        end
        dbg("Got a string, but don't know what to do with it! : %s",str)
        -- Object serialization is a bit messy. I have seen the
        -- classpath being sent over a customdata-field, so it is
        -- definitely interesting. Quick fix to get it showing
        -- is to just stick it onto the object we are currently at.
        -- So, just put the string into the returnData and continue
        table.insert(returnData, str)
      else
        return doh("Not implemented in skipcustomData:: %s", RMIUtils.tcString(p))
      end
    end
  end
end

function readFieldDesc(dis)
  -- fieldDesc:
  --   primitiveDesc
  --   objectDesc
  -- primitiveDesc:
  --   prim_typecode fieldName
  -- objectDesc:
  --   obj_typecode fieldName className1
  --   prim_typecode:
  --   `B'  // byte
  --   `C'  // char
  --   `D'  // double
  --   `F'  // float
  --   `I'  // integer
  --   `J'  // long
  --   `S'  // short
  --   `Z'  // boolean
  -- obj_typecode:
  --   `[`  // array
  --   `L'  // object
  local j_field = JavaField:new()

  local status, c = dis:readByte()
  if not status then return doh("Could not read data") end

  local char = string.char(c)

  local status, name = dis:readUTF()
  if not status then return doh("Could not read data") end

  local fieldType = ('primitive type: (%s) '):format(char)
  dbg("Fieldtype, char = %s, %s", tostring(fieldType), tostring(char))
  if char == 'L' or char == '['  then
    -- These also have classname which tells the type
    -- on the field
    local status, fieldclassname = readTypeString(dis)
    if not status then return doh("Could not read data") end
    if char == '[' then
      fieldType = fieldclassname .. " []"
    else
      fieldType = fieldclassname
    end
  end

  if not status then
    return false, fieldType
  end

  dbg("Field description: name: %s, type: %s", tostring(name), tostring(fieldType))

  j_field:setType(fieldType)
  j_field:setName(name)
  -- setType = function( self, typ ) self.type = typ end,
  -- setSignature = function( self, sig ) self.signature = sig end,
  -- setName = function( self, name ) self.name = name end,
  -- setObjectType = function( self, ot ) self.object_type = ot end,
  -- setReference = function( self, ref ) self.ref = ref end,

  dbg("Created java field:".. tostring(j_field))

  return true, j_field

end

function readTypeString(dis)
  local status, tc = dis:readByte()
  if not status then return doh("Could not read data") end
  if  tc == TC.TC_NULL then
    return true, nil
  elseif tc== TC.TC_REFERENCE then
    return doh("Not implemented, readTypeString(TC_REFERENCE)");
  elseif tc == TC.TC_STRING then
    return dis:readUTF()
  elseif tc == TC.TC_LONGSTRING then
    --TODO, add this (will throw error as is)
    return dis:readLongUTF()
  end
end

TypeDecoders =
{
  [TC.TC_ARRAY] = readArray,
  [TC.TC_CLASSDESC] = readClassDesc,
  [TC.TC_STRING] = readString,
  [TC.TC_OBJECT] = readOrdinaryObject,
}

---
-- Registry
-- Class to represent the RMI Registry.
--@usage:
-- registry = rmi.Registry:new()
-- status, data = registry:list()
Registry ={
  new = function  (self,host, port)
    local o ={}   -- create object
    setmetatable(o, self)
    self.__index = self -- DIY inheritance
    -- Hash code for sun.rmi.registry.RegistryImpl_Stub, which we are invoking :
    -- hex: 0x44154dc9d4e63bdf, dec: 4905912898345647071
    self.hash = '44154dc9d4e63bdf'
    -- RmiRegistry object id is 0
    self.objId = 0
    o.host = host
    o.port = port
    return o
  end
}
-- Connect to the remote registry.
--@return status
--@return error message
function Registry:_handshake()
  local out = RmiDataStream:new()
  local status, err = out:connect(self.host,self.port)

  if not status then
    return doh("Registry connection failed: %s", tostring(err))
  end
  dbg("Registry connection OK "..tostring(out.bsocket) )
  self.out = out
  return true
end
---
-- List the named objects in the remote RMI registry
--@return status
--@return a table of strings , or error message
function Registry:list()
  if not self:_handshake() then
    return doh("Handshake failed")
  end
  -- Method list() is op number 1
  return self.out:invoke(self.objId, self.hash,1)
end
---
-- Perform a lookup on an object in the Registry,
-- takes the name which is bound in the registry
-- as argument
--@return status
--@return JavaClass-object
function Registry:lookup(name)
  self:_handshake()
  -- Method lookup() is op number 2
  -- Takes a string as arguments
  local a = Arguments:new()
  a:addString(name)
  return self.out:invoke(self.objId, self.hash,2, a)
end
----
-- Arguments class
-- This class is meant to handle arguments which is sent to a method invoked
-- remotely. It is mean to contain functionality to add java primitive datatypes,
-- such as pushInt, pushString, pushLong etc. All of these are not implemented
-- currently
--@usage: When invoking a remote method
-- use this class in this manner:
--  Arguments a = Arguments:new()
--  a:addString("foo")
--  datastream:invoke{objNum=oid, hash=hash, opNum = opid, arguments=a}
--  ...
--
Arguments = {

  new = function  (self,o)
    o = o or {}   -- create object if user does not provide one
    setmetatable(o, self)
    self.__index = self -- DIY inheritance
    -- We use a buffered socket just to be able to use a javaDOS for writing
    self.dos = JavaDOS:new(BufferedWriter:new())
    return o
  end,
  addString = function(self, str)
    self.dos:writeByte(TC.TC_STRING)
    self.dos:writeUTF(str)
  end,
  addRaw = function(self, str)
    self.dos:write(str)
  end,
  getData = function(self)
    local _, res = self.dos:flush()
    return res
  end
}


---
-- RMIUtils class provides some some codes and definitions from Java
-- There are three types of output messages: Call, Ping  and DgcAck.
-- A Call encodes a method invocation. A Ping  is a transport-level message
-- for testing liveness of a remote virtual machine.
-- A DGCAck is an acknowledgment directed to a
-- server's distributed garbage collector that indicates that remote objects
-- in a return value from a server have been received by the client.

RMIUtils = {

  -- Indicates a Serializable class defines its own writeObject method.
  SC_WRITE_METHOD = 0x01,
  -- Indicates Externalizable data written in Block Data mode.
  SC_BLOCK_DATA = 0x08,
  -- Bit mask for ObjectStreamClass flag. Indicates class is Serializable.
  SC_SERIALIZABLE = 0x02,
  --Bit mask for ObjectStreamClass flag. Indicates class is Externalizable.
  SC_EXTERNALIZABLE = 0x04,
  --Bit mask for ObjectStreamClass flag. Indicates class is an enum type.
  SC_ENUM = 0x10,

  flagsToString = function(flags)
    local retval = ''
    if ( (flags & RMIUtils.SC_WRITE_METHOD) ~= 0) then
      retval = retval .. " WRITE_METHOD"
    end
    if ( (flags & RMIUtils.SC_BLOCK_DATA) ~= 0) then
      retval = retval .. " BLOCK_DATA"
    end
    if ( (flags & RMIUtils.SC_EXTERNALIZABLE) ~= 0) then
      retval = retval .. " EXTERNALIZABLE"
    end
    if ( (flags & RMIUtils.SC_SERIALIZABLE) ~= 0) then
      retval = retval .. " SC_SERIALIZABLE"
    end
    if ( (flags & RMIUtils.SC_ENUM) ~= 0) then
      retval = retval .. " SC_ENUM"
    end
    return retval
  end,
  tcString = function (constant)
    local x = TC.Strings[constant] or "Unknown code"
    return ("%s (0x%x)"):format(x,tostring(constant))

  end,

}

local RMIMessage = {
  Call = 0x50,
  Ping = 0x52,
  DgcAck= 0x54,
}
STREAM_MAGIC =  0xaced
STREAM_VERSION = 5

baseWireHandle = 0x7E0000

return _ENV;

Youez - 2016 - github.com/yon3zu
LinuXploit