Package eu.tneitzel.rmg.networking

Class SSRFSocket

java.lang.Object

java.net.Socket

eu.tneitzel.rmg.networking.SSRFSocket

All Implemented Interfaces:

Closeable, AutoCloseable

public class SSRFSocket
extends Socket

The SSRFSocket class is an alternative Socket implementation that sends all socket output to a byte array and that uses another static byte array for simulating server input. This kind of socket is used when the --ssrf option was specified. In this case, all RMI output should be printed instead of being sent to a server. Since no real server communication occurs, server responses have to be simulated. When simulating server responses, the socket uses some static data that always ends in an ExceptionalReturn (RMI transport code for an exception that was caused on the server side). The corresponding exception is an SSRFException, that is defined within remote-method-guesser. This mechanism is used to terminate the program after the output operation has finished. As soon as the tool attempts to read the server's response, it will catch the exception, print all data that was collected by the output stream, byte array buffer, and exit.

Author:

Tobias Neitzel (@qtc_de)

Constructor Summary

Constructors

Constructor	Description
SSRFSocket(String host, int port)	Create a new SSRFSocket.

Method Summary

Modifier and Type	Method	Description
InputStream	getInputStream()	Simulate an InputStream that is connected to an RMI server.
OutputStream	getOutputStream()	Simulate an OutputStream that is connected to an RMI server.
static void	printContent(String host, int port)	This function is used to print the collected output stream data.

Methods inherited from class java.net.Socket

bind, close, connect, connect, getChannel, getInetAddress, getKeepAlive, getLocalAddress, getLocalPort, getLocalSocketAddress, getOOBInline, getOption, getPort, getReceiveBufferSize, getRemoteSocketAddress, getReuseAddress, getSendBufferSize, getSoLinger, getSoTimeout, getTcpNoDelay, getTrafficClass, isBound, isClosed, isConnected, isInputShutdown, isOutputShutdown, sendUrgentData, setKeepAlive, setOOBInline, setOption, setPerformancePreferences, setReceiveBufferSize, setReuseAddress, setSendBufferSize, setSocketImplFactory, setSoLinger, setSoTimeout, setTcpNoDelay, setTrafficClass, shutdownInput, shutdownOutput, supportedOptions, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

SSRFSocket

public SSRFSocket(String host,
                  int port)

Create a new SSRFSocket.

Parameters:

host - remote host

port - remote port

Method Detail

getInputStream

public InputStream getInputStream()
                           throws IOException

Simulate an InputStream that is connected to an RMI server. Always returns the same static data that ends in an ExceptionalReturn containing an SSRFException.

Overrides:

getInputStream in class Socket

Throws:

IOException

getOutputStream

public OutputStream getOutputStream()

Simulate an OutputStream that is connected to an RMI server. Instead of sending anything, collect all data in a byte array. If the SSRF_SINGLEOP option was used, we choose an SingleOpOutputStream. This stream inspects data written to it and modifies stream protocol messages to single operation protocol messages.

Overrides:

getOutputStream in class Socket

printContent

public static void printContent(String host,
                                int port)

This function is used to print the collected output stream data. It is intended to be called when the SSRFException is caught, as this is an indicator that the output operation has finished.

Parameters:

host - can be specified to set the host when gopher output is used

port - can be specified to set the port when gopher output is used