Package eu.tneitzel.rmg.operations

Class RemoteObjectClient

  • public class RemoteObjectClient
extends Object
    The RemoteObjectClient class is used for method guessing and communication to user defined remote objects. It can be used to perform regular RMI calls to objects specified by either a bound name or an ObjID. Apart from regular RMI calls, it also supports invoking methods with payload objects and user specified codebases.
    Author:
    Tobias Neitzel (@qtc_de)

    • Field Detail

      • remoteObject

        public UnicastWrapper remoteObject
        underlying UnicastWrapper

    • Constructor Detail

      • RemoteObjectClient

        public RemoteObjectClient​(RMIRegistryEndpoint rmiRegistry,
                          String boundName)
        The RemoteObjectClient makes use of an RMIRegistryEndpoint to obtain a RemoteObject reference from the RMI registry. Afterwards, it needs access to the underlying UnicastRemoteRef to perform low level RMI calls.
        Parameters:
        rmiRegistry - RMIRegistryEndpoint to perform lookup operations
        boundName - for the lookup on the RMI registry

      • RemoteObjectClient

        public RemoteObjectClient​(RMIEndpoint rmiEndpoint,
                          ObjID objID)
        When the ObjID of a remote object is already known, we can talk to this object without a previous lookup operation. In this case, the corresponding remote reference is constructed from scratch, as the ObjID and the target address (host:port) are the only required information.
        Parameters:
        rmiEndpoint - RMIEndpoint that represents the server where the object is located
        objID - ObjID of the remote object to talk to

      • RemoteObjectClient

        public RemoteObjectClient​(UnicastWrapper remoteObject)
        If you already obtained a reference to the remote object, you can also use it directly in form of passing an UnicastWrapper.
        Parameters:
        remoteObject - Previously obtained remote reference contained in a UnicastWrapper

    • Method Detail

      • createProxy

        public <T> T createProxy​(Class<T> intf)
        Create a proxy for the RemoteObjectClient.
        Type Parameters:
        T - interface implemented by the proxy
        Parameters:
        intf - the interface class
        Returns:
        proxy implementing the specified interface

      • assignInterface

        public UnicastWrapper assignInterface​(Class<?> intf)
        When a RemoteObjectClient was obtained using an ObjID, it has no assigned UnicastWrapper. remote-method-guesser only creates a UnicastRef using the endpoint information and the ObjID, which is sufficient for RMI calls. Constructing a RemoteObject from a UnicastRef is easily possible, but it is only useful when also the implemented remote interface is known. This functions creates a UnicastWrapper (RemoteObject) that is based on the already constructed UnicastRef and implements the specified interface.
        Parameters:
        intf - Interface implemented by the RemoteObject
        Returns:
        newly created UnicastWrapper for the specified interface

      • addRemoteMethod

        public void addRemoteMethod​(MethodCandidate candidate)
        Adds a successfully guessed MethodCandidate to the client's method list.
        Parameters:
        candidate - Successfully guessed method candidate

      • addRemoteMethods

        public void addRemoteMethods​(List<MethodCandidate> candidates)
        Adds a list of successfully guessed MethodCandidates to the client's method list.
        Parameters:
        candidates - Successfully guessed method candidates

      • getBoundName

        public String getBoundName()
        Getter function for the bound name.
        Returns:
        bound name associated with the RemoteObjectClient

      • getBoundNames

        public String[] getBoundNames()
        Gets a list of bound names associated with the RemoteObjectClient itself and all of its duplicates.
        Returns:
        bound name associated with the RemoteObjectClient

      • gadgetCall

        public void gadgetCall​(MethodCandidate targetMethod,
                       Object gadget,
                       int argumentPosition)
        Invokes the specified MethodCandiate with a user specified payload object. This is used during deserialization attacks and needs to target non primitive input arguments of RMI methods. By default, the function attempts to find a non primitive method argument on its own. However, by using the argumentPosition parameter, it is also possible to specify it manually.
        Parameters:
        targetMethod - method to target for the attack
        gadget - payload object to use for the call
        argumentPosition - argument position to attack. Can be negative for auto selection.

      • codebaseCall

        public void codebaseCall​(MethodCandidate targetMethod,
                         Object gadget,
                         int argumentPosition)
        This function invokes the specified MethodCandidate with a user specified codebase. The specified payload object is expected to be an instance of the class that should be loaded from the codebase. Usually this is created dynamically by rmg and the user has only to specify the class name. The function needs to target a non primitive method argument, that is selected by default, but users can also specify an argumentPosition explicitly.
        Parameters:
        targetMethod - method to target for the attack
        gadget - instance of class that should be loaded from the client specified codebase
        argumentPosition - argument to use for the attack. Can be negative for auto selection

      • genericCall

        public void genericCall​(MethodCandidate targetMethod,
                        Object[] argumentArray)
        This function is used for regular RMI calls on the specified MethodCandidate. It takes an array of Objects as input arguments and invokes the MethodCandidate with them accordingly. The function itself is basically just a wrapper around the genericCall function of the RMIEndpoint class. Especially the transformation from the raw Object array into the MethodArguments type is one of its purposes.
        Parameters:
        targetMethod - remote method to call
        argumentArray - method arguments to use for the call

      • unmanagedCall

        public void unmanagedCall​(MethodCandidate targetMethod,
                          MethodArguments args)
                   throws Exception
        Technically the same as the genericCall method, but does not perform any exception handling.
        Parameters:
        targetMethod - remote method to call
        args - method arguments to use for the call
        Throws:
        Exception - all possible encountered exceptions are passed to the caller

      • guessingCall

        public void guessingCall​(MethodCandidate targetMethod)
                  throws Exception
        Just a wrapper around the guessingCall function of the RMIEndpoint class.
        Parameters:
        targetMethod - method to invoke
        Throws:
        Exception - this function is used e.g. for remote method guessing and raising all kind of exceptions is required.

      • filterEmpty

        public static List<RemoteObjectClient> filterEmpty​(List<RemoteObjectClient> clientList)
        Takes a list of RemoteObjectClients and filters clients that have no methods within their method list.
        Parameters:
        clientList - List of RemoteObjectClients to filter
        Returns:
        List of RemoteObjectClients that contain methods

      • toString

        public String toString()
        Returns the string representation of an RemoteObjectClient. The format is host:port:identifier, where the identifier is either the bound name or the ObjID associated with the RemoteObjectClient.
        Overrides:
        toString in class Object
        Returns:
        String representation of the RemoteObjectClient