qtc-de / beanshooter

JMX enumeration and attacking tool.
GNU General Public License v3.0

Error Retrieving MBeans #32

Open lesleyditlhotlhole opened 1 year ago

lesleyditlhotlhole commented 1 year ago

I faced the following error when using beanshooter:

└─# java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum redacted 30042                             
[+] Checking available bound names:
[+]
[+]     * jmxrmi (JMX endpoint: redacted:30042)
[+]
[+] Checking for unauthorized access:
[+]
[+]     - Remote MBean server does not require authentication.
[+]       Vulnerability Status: Vulnerable
[+]
[+] Checking pre-auth deserialization behavior:
[+]
[+]     - Remote MBeanServer rejected the payload class (correto).
[+]       Vulnerability Status: Non Vulnerable
[+]
[+] Checking available MBeans:
[+]
[-]     Caught unexpected java.rmi.UnmarshalException during listing MBeans.
[-]     Please report this to improve beanshooter :)
[-]     StackTrace:
java.rmi.UnmarshalException: Error unmarshaling return header; nested exception is: 
        java.io.EOFException
        at java.rmi/sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:255)
        at java.rmi/sun.rmi.server.UnicastRef.invoke(UnicastRef.java:165)
        at jdk.remoteref/jdk.jmx.remote.internal.rmi.PRef.invoke(Unknown Source)
        at java.management.rmi/javax.management.remote.rmi.RMIConnectionImpl_Stub.queryMBeans(RMIConnectionImpl_Stub.java:472)
        at java.management.rmi/javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.queryMBeans(RMIConnector.java:828)
        at de.qtc.beanshooter.operation.MBeanServerClient.getMBeans(MBeanServerClient.java:268)
        at de.qtc.beanshooter.operation.EnumHelper.enumMBeans(EnumHelper.java:554)
        at de.qtc.beanshooter.operation.Dispatcher.enumerate(Dispatcher.java:280)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at de.qtc.beanshooter.operation.BeanshooterOperation.invoke(BeanshooterOperation.java:470)
        at de.qtc.beanshooter.Starter.main(Starter.java:22)
Caused by: java.io.EOFException
        at java.base/java.io.DataInputStream.readByte(DataInputStream.java:273)
        at java.rmi/sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:241)
        ... 13 more
[-]     Cannot continue from here.

Kindly assist with troubleshooting as I am not too conversant with Java 😃

qtc-de commented 1 year ago

Hi @lesleyditlhotlhole :wave:

thanks for reporting :+1:

From the provided StackTrace it looks like the server terminates the connection in the middle of an RMI call. There are different reasons why this could happen. Do you still have access to the system, and can you also provide a TCP capture? This would probably allow us to see when exactly the server cuts off the connection and may allow us to guess the reason for the disconnect. If you have any information on the targeted server (what kind of software is running on it), this could also be helpful.

Best Tobias

lesleyditlhotlhole commented 1 year ago

Thanks for the feedback @qtc-de.

Unfortunately, the target I was testing when I submitted this issue has already been patched, as it was on a bug bounty program. I had analyzed the traffic using Wireshark to try and determine that during my testing, but couldn't identify exactly why the connection got terminated in the middle of a call; unfortunately, I didn't save the generated TCP .pcap. This was on an Oracle BRM system; please refer to the link below to find out more about the function of the instance.

Best regards, Lesley

qtc-de commented 1 year ago

Thanks for the response.

@dinosn already mentioned this in another issue, and I also think that antivirus could be a possible explanation. However, it is surprising to me that the disconnect occurs in the list operation. If antivirus flags the tonka bean as malicious, that's fair, but the list operation is just a regular JMX call :thinking:

@dinosn also mentioned you achieved a tonka deployment with an older version of beanshooter? Was this on the same system, and did the enum action work too?
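To tell whether the disconnect is specific to beanshooter or reproduces with the standard JMX API, the following added example (not part of this thread and not beanshooter's own code) issues the same `queryMBeans()` call that appears in the stack trace and classifies an `UnmarshalException` wrapping an `EOFException` as a mid-call disconnect. The host, port and bound name `jmxrmi` are assumptions taken from the enum output above; the in-process connector server it starts exists only so the example runs offline against a known-good endpoint, and should be replaced by the real target's address when reproducing the report.

```java
import java.io.EOFException;
import java.lang.management.ManagementFactory;
import java.rmi.UnmarshalException;
import java.rmi.registry.LocateRegistry;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.ObjectInstance;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Diagnostic JMX client (added example, not beanshooter code).
 * Performs the plain queryMBeans() call from the "Checking available MBeans"
 * step of the enum action and reports whether a failure looks like the server
 * closing the socket in the middle of the RMI call.
 */
public class JmxListDiagnostic {

    // Assumed endpoint: the port number is taken from the issue report, the host is local
    // so that the example runs offline; point both at the real target when reproducing.
    static final String HOST = "127.0.0.1";
    static final int PORT = 30042;

    /** Lists registered MBeans over a standard JMX/RMI connection (bound name assumed to be jmxrmi). */
    static Set<ObjectInstance> listMBeans(String host, int port) throws Exception {
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
        try (JMXConnector connector = JMXConnectorFactory.connect(url, null)) {
            MBeanServerConnection conn = connector.getMBeanServerConnection();
            return conn.queryMBeans(null, null);   // the same call seen in the reported stack trace
        }
    }

    /**
     * True when the cause chain contains an UnmarshalException whose cause is an
     * EOFException, i.e. the remote side dropped the connection before the
     * return header arrived, exactly the shape of the trace in this issue.
     */
    static boolean isMidCallDisconnect(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof UnmarshalException && c.getCause() instanceof EOFException) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Throwaway in-process connector server so the example has something to talk to.
        LocateRegistry.createRegistry(PORT);
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        JMXServiceURL serverUrl = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + HOST + ":" + PORT + "/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(serverUrl, null, mbs);
        server.start();
        try {
            Set<ObjectInstance> beans = listMBeans(HOST, PORT);
            System.out.println("[+] MBeans registered: " + beans.size());
            beans.stream().limit(5).forEach(b -> System.out.println("[+]   " + b.getObjectName()));
        } catch (Exception e) {
            if (isMidCallDisconnect(e)) {
                System.out.println("[-] Server dropped the connection during queryMBeans(): " + e);
            } else {
                System.out.println("[-] Other failure: " + e);
            }
        } finally {
            server.stop();
        }
    }
}
```

Against the local server the listing succeeds; against the endpoint from the report, the `isMidCallDisconnect` branch firing with a vanilla client would show that the cut-off is not caused by anything beanshooter-specific in the request, which narrows the explanation to the server side (for instance an intermediary inspecting the RMI stream) and is the moment to correlate with a TCP capture.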

lesleyditlhotlhole commented 1 year ago

Hi Tobias,

I was successful with tonka deployment using version 3.0.0 as per @dinosn's suggestion; it was strange to me that the current version was giving me these errors. I would have loved to extend my research on the target, but unfortunately, the target was patched quickly as it posed a great threat to the organization.

I am actually arranging to set up my own instance to just test these out locally; I'll hopefully have slightly useful feedback afterwards.

Thanks.