rmi NSE Library — Nmap Scripting Engine documentation
Library method for communicating over RMI (JRMP + java serialization)
This is an incomplete RMI implementation for Lua, meant to invoke methods and parse return values which are simple, basically the Java primitives. It can be used to, for example, dump out the registry or perform authentication against JMX services.
This library also contains some classes which work pretty much like the Java classes BufferedReader, BufferedWriter, DataOutputStream and DataInputStream.
Most of the methods in the RMIDataStream class are based on the OpenJDK RMI implementation, and I have kept the method names as they are in Java, so it should not be too hard to find the corresponding functionality in the JDK codebase to see how things 'should' be done, in case there are bugs or someone wants to make additions. I have only implemented the things that were needed to get things working, but it should be pretty simple to add more functionality by lifting over more stuff from the JDK.
The interesting classes in OpenJDK are:
- java.io.ObjectStreamConstants
- java.io.ObjectStreamClass
- java.io.ObjectInputStream
- sun.rmi.transport.StreamRemoteCall
and a few more.
If you want to add calls to classes you know of, you can use e.g. Jode to decompile the stub class or skeleton class and find out the details that are needed to perform an RMI method invocation. Those are:
- Class hashcode
- Method number (each method gets a number)
- Arguments
You also need the object id (so the remote server knows which instance you are talking to). That can be fetched from the registry (afaik) but is not currently implemented. Some object ids are static: the registry is always 0.
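As an added example (not code from rmi.lua or the Nmap documentation), a minimal NSE script that uses the registry calls described above to list the names bound in a remote registry and resolve each one, so that exposed RMI objects show up in a host inventory. rmi.Registry:new(host, port) is an assumed constructor (the page documents list() and lookup() but not how a Registry is created); everything else is this page's API or standard NSE.

```lua
local rmi = require "rmi"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Enumerates the names bound in a Java RMI registry and resolves each one,
so that remotely exposed objects (e.g. JMX connectors) appear in an
inventory of the host. Uses the rmi NSE library.
]]

author = "example author"  -- placeholder; this is not an Nmap-shipped script
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- RMI registries usually listen on 1099; also match by service name.
portrule = shortport.port_or_service(1099, "rmiregistry")

action = function(host, port)
  -- Assumed constructor: rmi.Registry:new(host, port). The registry object
  -- connects lazily when list() or lookup() is first called.
  local registry = rmi.Registry:new(host, port)

  -- Registry:list() returns a status plus either a table of bound names
  -- or an error message.
  local status, names = registry:list()
  if not status then
    return stdnse.format_output(false, ("list failed: %s"):format(tostring(names)))
  end

  local output = {}
  for _, name in ipairs(names) do
    -- Registry:lookup(name) returns a status and a JavaClass object on
    -- success; on failure the second value is treated as an error message.
    local ok, obj = registry:lookup(name)
    if ok then
      table.insert(output, ("%s: bound (object resolved)"):format(name))
    else
      table.insert(output, ("%s: lookup failed (%s)"):format(name, tostring(obj)))
    end
  end

  if #output == 0 then
    return stdnse.format_output(true, "registry is empty")
  end
  return stdnse.format_output(true, output)
end
```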
Author:
Copyright © Same as Nmap--See https://nmap.org/book/man-legal.html
Source: https://svn.nmap.org/nmap/nselib/rmi.lua
Functions
bufferSize (self)
canRead (self, count)
This method blocks until the specified number of bytes have been read from the socket and are available for the caller to read, e.g. via the unpack function.
peekByte (self)
Tries to read a byte, without consuming it.
peekUnpack (self, format)
This function works just like string.unpack (in fact, it is merely a wrapper around it). However, it uses the data already read into the buffer, and the internal position. This method does not update the current position, so the data can be read again.
readObject0 (dis)
Deserializes a serialized java object
Registry:list ()
List the named objects in the remote RMI registry
Registry:lookup (name)
Perform a lookup on an object in the Registry, takes the name which is bound in the registry as argument
RmiDataStream:connect (host, port)
Connects to a remote service. The connection process creates a socket and does some handshaking. If this is successful, we are definitely talking to an RMI service.
RmiDataStream:invoke (objNum, hash, op, arguments)
Invokes a method over RMI
RmiDataStream:readReturnData (dis)
Reads an RMI ReturnData packet
skip (self, len)
Skips a number of bytes
UnicastRef (dis)
UnicastRef2 (dis)
unpack (self, format)
This function works just like string.unpack (in fact, it is merely a wrapper around it). However, it uses the data already read into the buffer, and the internal position.
Functions
bufferSize (self)
Parameters
self
Return value:
Returns the number of bytes already available for reading
canRead (self, count)
This method blocks until the specified number of bytes have been read from the socket and are available for the caller to read, e.g. via the unpack function.
Parameters
self
count
peekByte (self)
Tries to read a byte, without consuming it.
Parameters
self
Return values:
- status
- bytevalue
peekUnpack (self, format)
This function works just like string.unpack (in fact, it is merely a wrapper around it). However, it uses the data already read into the buffer, and the internal position. This method does not update the current position, so the data can be read again.
Parameters
self
format
Return value:
the unpacked value (NOT the index)
readObject0 (dis)
Deserializes a serialized java object
Parameters
dis
Registry:list ()
List the named objects in the remote RMI registry
Return values:
- status
- a table of strings, or an error message
Registry:lookup (name)
Perform a lookup on an object in the Registry, takes the name which is bound in the registry as argument
Parameters
name
Return values:
- status
- JavaClass-object
RmiDataStream:connect (host, port)
Connects to a remote service. The connection process creates a socket and does some handshaking. If this is successful, we are definitely talking to an RMI service.
Parameters
host
port
RmiDataStream:invoke (objNum, hash, op, arguments)
Invokes a method over RMI
Parameters
objNum
- object id (target of call)
hash
- the hashcode for the class that is invoked
op
- the operation number (method) invoked
arguments
- optional, if arguments are needed for this method. Should be an Arguments table or something else which has a getData() function that returns the binary data
Return values:
- status
- a JavaClass instance
RmiDataStream:readReturnData (dis)
Reads an RMI ReturnData packet
Parameters
dis
a JavaDIS inputstream
skip (self, len)
Skips a number of bytes
Parameters
self
len
the number of bytes to skip
UnicastRef (dis)
Parameters
dis
See also:
- sun.rmi.transport.tcp.TCPEndpoint
- sun.rmi.server.UnicastRef
- sun.rmi.server.UnicastRef2
UnicastRef2 (dis)
Parameters
dis
See also:
- sun.rmi.transport.tcp.TCPEndpoint
- sun.rmi.server.UnicastRef
- sun.rmi.server.UnicastRef2
unpack (self, format)
This function works just like string.unpack (in fact, it is merely a wrapper around it). However, it uses the data already read into the buffer, and the internal position.
Parameters
self
format
Return value:
the unpacked value (NOT the index)