Package eu.tneitzel.rmg.operations

Class MethodGuesser

  • public class MethodGuesser
extends Object
    The MethodGuesser class is used to brute force available remote methods on Java RMI endpoints. It uses low level Java RMI functions to invoke methods parsed from a wordlist with incorrect argument types. The server-side exception can be used as an indicator whether the invoked method exists on the server. When a RMI client calls a remote method, it establishes a TCP connection to the remote endpoint and sends (among others) the following information: - The ObjID of the RemoteObject that should receive the call - A method hash, that identifies the remote method to be called - A collection of method arguments to be used for the call During method guessing, remote-method-guesser uses a wordlist of Java methods and computes their hash values. The corresponding hashes are then sent to the server, together with invalid method arguments. If the remote method does not exist, the server throws an exception complaining about an unknown method hash. On the other hand, if the remote method exists, the server will complain about the invalid method arguments.
    Author:
    Tobias Neitzel (@qtc_de)

    • Constructor Detail

      • MethodGuesser

        public MethodGuesser​(UnicastWrapper[] remoteObjects,
                     Set<MethodCandidate> candidates)
        To create a MethodGuesser you need to pass the references for remote objects you want to guess on. These are usually obtained from the RMI registry and can be passed as an array of UnicastWrapper. Furthermore, you need to specify a Set of MethodCandidates that represents the methods you want to guess. If one of the UnicastWrapper objects within the array is a SpringRemotingWrapper, the set of MethodCandidates gets cloned and transformed into a set of RemoteInvocation. Both sets are still available and the guessing procedure decides based on the wrapper type which set should be used.
        Parameters:
        remoteObjects - Array of looked up remote objects from the RMI registry
        candidates - MethodCandidates that should be guessed

    • Method Detail

      • printGuessingIntro

        public void printGuessingIntro()
        Helper function that prints some visual text when the guesser is started. Just contains information on the number of methods that are guessed or the concrete method signature (if specified).

      • guessMethods

        public List<RemoteObjectClient> guessMethods()
        This method starts the actual guessing process. It creates a GuessingWorker for each remoteClient in the clientList and for each Set of MethodCandidates in the candidateSets. If the underlying RemoteObjectWrapper type of a client is a SpringRemotingWrapper, the spring remoting compatible SpringGuessingWorker will be used.
        Returns:
        List of RemoteObjectClient containing the successfully guessed methods. Only clients containing guessed methods are returned. Clients without guessed methods are filtered.