Comments (8)
Hey ztgrace,
I'd be happy to dig into it. I tried to reproduce using this Dockerfile:
FROM openjdk:8
COPY . /rmiscout
WORKDIR /rmiscout
RUN ./gradlew shadowJar
ENTRYPOINT ["./rmiscout.sh"]
CMD ["-h"]
Version looks like it matches:
$ docker run --entrypoint="java" de0b4f75f627 -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-b09)
OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)
I use the docker host to simulate a "remote" host:
docker run --network="host" de0b4f75f627 wordlist -i lists/prototypes.txt 127.0.0.1 1099
...omitted for brevity...
Found: public abstract boolean Hello.login(java.lang.String,java.lang.String) throws java.rmi.RemoteException
It appears the "default" installation and wordlist work fine.
That said, did you add any custom prototypes to prototypes.txt
that might be causing the error? If so, could you share your diff?
Thank you!
from rmiscout.
The demo works for me as well and I was running the default prototypes wordlist.
I believe the issue is the class name being returned from the RMI service. I've attached a screenshot of the tcp stream and it looks like the class name being returned is java.rmi.activation.ActivationSystem.
from rmiscout.
Thank you for the screenshot! I see the issue and I'm fixing it now. :)
from rmiscout.
Hey ztgrace,
Thank you for reporting this issue! It looks like there is deprecated functionality called RMI Activation (introduced in JDK 1.2; made optional in JDK 8+) that was previously unsupported by RMIScout: https://openjdk.java.net/jeps/385.
I went down a rabbit hole, but RMIScout now has support for this feature. Pull from master, rebuild (rm -rf build/ and rerun ./rmiscout.sh).
You can re-run the wordlist with ./rmiscout.sh wordlist --activation-server -i lists/prototypes.txt x.x.x.x xxxxx
According to the JEP, RMI Activation is pretty uncommon these days, so definitely a corner case, but I'm glad we now have coverage :)
Feel free to re-open if needed.
As an aside, I believe these configs are commonly vulnerable to remote classloading issues. Try nmap --script rmi-vuln-classloader for detection. There's a metasploit module for exploitation.
from rmiscout.
@the-bumble thanks for the quick response and fix! I rebuilt the tool and I'm getting the following error message when running against that same target.
# ./rmiscout.sh wordlist -i lists/prototypes.txt x.x.x.x xxxxx
Error: Did you forget to remove the interface name from the method name?
Full Stacktrace:
javassist.CannotCompileException: by java.lang.ClassFormatError: Illegal class name "" in class file
at javassist.ClassPool.toClass(ClassPool.java:1120)
at javassist.ClassPool.toClass(ClassPool.java:1063)
at javassist.CtClass.toClass(CtClass.java:1315)
at com.bishopfox.rmiscout.RMIConnector.generateStubs(RMIConnector.java:166)
at com.bishopfox.rmiscout.RMIConnector.<init>(RMIConnector.java:103)
at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:196)
at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:134)
Caused by: java.lang.ClassFormatError: Illegal class name "" in class file
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
at java.lang.ClassLoader.defineClass(ClassLoader.java:635)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javassist.ClassPool.toClass2(ClassPool.java:1133)
at javassist.ClassPool.toClass(ClassPool.java:1114)
... 6 more
Thanks for the tips on the other tools. Unfortunately I've already tried them and haven't had any success. I was hoping rmiscout might have an alternate approach that would work. Regardless, awesome tool and thanks for sharing it.
from rmiscout.
Did you try the wordlist attack with --activation-server? Sorry, I should have called more attention to that added parameter above.
If that still doesn't work, can you send me the results of nmap --script rmi-dumpregistry <host> <port>? I wonder if the interface name is being returned as an empty string. If that's what's happening I might be able to create a patch for that.
from rmiscout.
Looks like I missed that new argument, but adding it returns the same stack trace.
# ./rmiscout.sh wordlist --activation-server -i lists/prototypes.txt x.x.x.x 31598
javassist.CannotCompileException: by java.lang.ClassFormatError: Illegal class name "" in class file
at javassist.ClassPool.toClass(ClassPool.java:1120)
at javassist.ClassPool.toClass(ClassPool.java:1063)
at javassist.CtClass.toClass(CtClass.java:1315)
at com.bishopfox.rmiscout.RMIConnector.<init>(RMIConnector.java:121)
at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:196)
at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:134)
Caused by: java.lang.ClassFormatError: Illegal class name "" in class file
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
at java.lang.ClassLoader.defineClass(ClassLoader.java:635)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javassist.ClassPool.toClass2(ClassPool.java:1133)
at javassist.ClassPool.toClass(ClassPool.java:1114)
... 5 more
java.lang.NullPointerException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javassist.ClassPool.toClass2(ClassPool.java:1133)
at javassist.ClassPool.toClass(ClassPool.java:1114)
at javassist.ClassPool.toClass(ClassPool.java:1063)
at javassist.ClassPool.toClass(ClassPool.java:1021)
at javassist.CtClass.toClass(CtClass.java:1259)
at com.bishopfox.rmiscout.RMIConnector.generateDummyClass(RMIConnector.java:44)
at com.bishopfox.rmiscout.RMIConnector.<init>(RMIConnector.java:69)
at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:196)
at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:134)
Exception in thread "main" java.lang.NullPointerException
at com.bishopfox.rmiscout.RMIConnector.checkIfPresent(RMIConnector.java:241)
at com.bishopfox.rmiscout.RMIScout.process(RMIScout.java:197)
at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:134)
Also, for reference here's the response from the rmi-dumpregistry script.
PORT STATE SERVICE VERSION
31598/tcp open java-rmi Java RMI
| rmi-dumpregistry:
| java.rmi.activation.ActivationSystem
| sun.rmi.server.Activation$ActivationSystemImpl_Stub
| @ops-server04:31598
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
from rmiscout.
Haha oh man, I see what happened! That's not an rmiregistry.
That's an RMI activation system daemon (aka RMID).
- https://docs.oracle.com/javase/7/docs/technotes/tools/solaris/rmid.html
- http://doc.novsu.ac.ru/java/jdk1.3/docs/guide/rmi/activation/activation.1.html (tutorial)
As best I understand it, in an RMI activation design, these daemons communicate with the rmiregistry to allow hotswapping of registered RMI objects. Exposure of the service "may" allow you to upload new code to the server, or allow for another path to RCE. Those tutorials will help you understand how the RMI activation system works.
sun.rmi.server.Activation$ActivationSystemImpl_Stub contains a handful of documented calls for interacting with RMID. They are best interacted with via the corresponding JDK standard library calls (as demonstrated in the tutorial).
That said, if you do come across the rmiregistry associated with rmid, you will be able to use RMIScout on that (using the new --activation-server flag). Best of luck!
from rmiscout.
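To make the distinction in that last reply concrete, here is an added example (not RMIScout's code, and not from the thread): it lists the names bound on an RMI port and reports whether the endpoint is an rmid activation daemon (java.rmi.activation.ActivationSystem bound, as in the rmi-dumpregistry output above) or a plain rmiregistry. The class name, the Kind categories and the printed messages are assumptions for illustration.

```java
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.Arrays;
import java.util.List;

// Added example, not part of RMIScout: triage an RMI port by the names it has bound.
public class RmiEndpointCheck {
    // Name rmid binds for its activation system (matches the rmi-dumpregistry listing above).
    static final String ACTIVATION_SYSTEM = "java.rmi.activation.ActivationSystem";

    // Hypothetical categories used only by this example.
    enum Kind { EMPTY_REGISTRY, ACTIVATION_DAEMON, REGISTRY }

    // Pure classification, kept separate so it can be checked without a live server.
    static Kind classify(List<String> boundNames) {
        if (boundNames.isEmpty()) return Kind.EMPTY_REGISTRY;
        if (boundNames.contains(ACTIVATION_SYSTEM)) return Kind.ACTIVATION_DAEMON;
        return Kind.REGISTRY;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: RmiEndpointCheck <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // list() returns only the bound names; it does not fetch any remote stub,
        // so it is the least invasive first step when you are unsure what the port is.
        Registry reg = LocateRegistry.getRegistry(host, port);
        List<String> names = Arrays.asList(reg.list());
        for (String n : names) System.out.println("bound: " + n);
        switch (classify(names)) {
            case ACTIVATION_DAEMON:
                System.out.println("rmid activation system daemon (ActivationSystem is bound), "
                        + "not a plain rmiregistry: RMIScout's wordlist mode does not apply here.");
                break;
            case EMPTY_REGISTRY:
                System.out.println("Registry answered but has nothing bound.");
                break;
            default:
                System.out.println("Plain rmiregistry: run RMIScout against the bound names.");
        }
    }
}
```

Compile with javac and run with the host and port; the rmid case prints the same bound name the nmap script showed in this thread.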