Class SSRFResponseSocket

  • All Implemented Interfaces:
    Closeable, AutoCloseable

    public class SSRFResponseSocket
    extends Socket
    Socket implementation that prevents output from being sent anywhere and simulates input from a byte array that is set when calling the constructor. This socket is used for the --ssrf-response option, where no real network interaction is desired and the server response is already present in the form of a byte array.

    Due to the nature of SSRF, the SSRFResponseSocket is a single-use socket. It is expected to contain the information for one particular remote-method-guesser action. For example, when using the default enum action with --ssrf-response, the socket is expected to contain only information for the 'list' action. If other actions are desired, they have to be specified explicitly. Multiple actions within a single SSRF operation are not supported.

    remote-method-guesser attempts to shut itself down after a single operation has been executed with --ssrf-response. As a fallback, the SSRFResponseSocket terminates the program if it is used for multiple actions. This is implemented by a count that tracks how often the OutputStream was used. Note that the count needs to be implemented on the object level. A static count for the class breaks the 'lookup' action: during a lookup, a LiveRef is read from the network. This causes the 'read' function of the LiveRef class to trigger, which sends a DGCAck to the obtained remote object. Therefore, performing a lookup causes two SSRFResponseSockets to be created, and one InputStream and one OutputStream are used on each of them.
    Author:
    Tobias Neitzel (@qtc_de)
    • Constructor Detail

      • SSRFResponseSocket

        public SSRFResponseSocket(String host,
                                  int port,
                                  byte[] response)
        Create a new SSRFResponseSocket.
        Parameters:
        host - remote host
        port - remote port
        response - RMI response data to simulate
    • Method Detail

      • getInputStream

        public InputStream getInputStream()
                                   throws IOException
        Before the input stream is returned, we compare the first byte of the response to the TransportConstants.Return value. If it matches, the response was created by a single operation protocol request. In this case, we need to prefix the response with a fake handshake to simulate the response to a stream protocol request.
        Overrides:
        getInputStream in class Socket
        Throws:
        IOException
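
The mechanism described above, as an added sketch that is not remote-method-guesser's own code: a socket that replays a byte array, discards output, counts OutputStream use per instance, and prefixes a handshake when the data starts with the Return byte. The class name ReplaySocket, the handshake layout (ProtocolAck byte, UTF host, int port, as in the JRMP stream protocol acknowledgement), the sample bytes, and throwing an exception where the real class terminates the program are assumptions.

```java
import java.io.*;
import java.net.Socket;

// Illustrative stand-in; ReplaySocket is a hypothetical name, not part of remote-method-guesser.
public class ReplaySocket extends Socket {
    // Same values as sun.rmi.transport.TransportConstants.Return and ProtocolAck
    static final byte RETURN = 0x51, PROTOCOL_ACK = 0x4e;
    private final String host;
    private final int port;
    private final byte[] response;
    private int outputUses = 0;   // per instance: a lookup creates two sockets

    public ReplaySocket(String host, int port, byte[] response) {
        this.host = host; this.port = port; this.response = response; // never connects
    }

    @Override
    public OutputStream getOutputStream() {
        if (++outputUses > 1)     // assumption: throw here instead of exiting the JVM
            throw new IllegalStateException("single-use socket used for a second action");
        return new OutputStream() { @Override public void write(int b) { } };
    }

    @Override
    public InputStream getInputStream() throws IOException {
        if (response.length == 0 || response[0] != RETURN)
            return new ByteArrayInputStream(response);
        // Data came from a single operation request: prepend what a stream
        // protocol client expects first (acknowledgement, host, port).
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeByte(PROTOCOL_ACK);
        out.writeUTF(host);
        out.writeInt(port);
        out.write(response);
        return new ByteArrayInputStream(buf.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        byte[] captured = {RETURN, 0x01, 0x02};   // constructed sample bytes
        ReplaySocket s = new ReplaySocket("127.0.0.1", 1099, captured);
        DataInputStream in = new DataInputStream(s.getInputStream());
        System.out.printf("ack=0x%02x host=%s port=%d next=0x%02x%n",
                in.readByte(), in.readUTF(), in.readInt(), in.readByte());
        s.getOutputStream().write(0x50);          // written bytes are discarded
        try { s.getOutputStream(); }              // second use on the same object
        catch (IllegalStateException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

Because the counter is an instance field, a second ReplaySocket created during the same run starts at zero, which is the behaviour the class description requires for the 'lookup' action.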