Package eu.tneitzel.rmg.plugin
Class DefaultProvider
java.lang.Object
    eu.tneitzel.rmg.plugin.DefaultProvider

All Implemented Interfaces:
IArgumentProvider, IPayloadProvider, ISocketFactoryProvider
public class DefaultProvider extends Object implements IArgumentProvider, IPayloadProvider, ISocketFactoryProvider
The DefaultProvider is the default implementation of an rmg plugin. It implements the IArgumentProvider, IPayloadProvider and ISocketFactoryProvider interfaces and is always loaded when no user-specified plugin overwrites one of these interfaces.
Within its IPayloadProvider override, it returns either an RMIServerImpl object as used by JMX (for bind, rebind and unbind actions) or a ysoserial gadget (for basically all other actions).
The IArgumentProvider override attempts to evaluate the user-specified argument string as Java code and to create an Object array out of it that is used for method calls.
The ISocketFactoryProvider implementation returns remote-method-guesser's loopback factories, which prevent redirections from the server side.

Author:
Tobias Neitzel (@qtc_de)
Constructor Summary
Constructor        Description
DefaultProvider()
Method Summary
Object[] getArgumentArray(String[] args)
    This function basically performs an eval operation on the user-specified arguments.
RMIClientSocketFactory getClientSocketFactory(String host, int port)
    Returns an RMIClientSocketFactory according to the options specified on the command line.
RMISocketFactory getDefaultSocketFactory(String host, int port)
    The default RMISocketFactory used by remote-method-guesser is the LoopbackSocketFactory, which redirects all connections to the original target and thus prevents unwanted RMI redirections.
String getDefaultSSLSocketFactory(String host, int port)
    The default SSLRMISocketFactory used by remote-method-guesser is the LoopbackSslSocketFactory, which redirects all connections to the original target and thus prevents unwanted RMI redirections.
Object getPayloadObject(Operation action, String name, String args)
    Return an RMIServerImpl object as used by JMX endpoints when invoked from the bind, rebind or unbind actions.
Method Detail
getPayloadObject
public Object getPayloadObject(Operation action, String name, String args)
Return an RMIServerImpl object as used by JMX endpoints when invoked from the bind, rebind or unbind actions. In this case, name is expected to be 'jmx' or args is expected to be null. When the name is 'jmx', the args parameter is expected to contain the address definition for the remote object (host:port). Otherwise, if args is null and the name is not 'jmx', name is expected to contain the listener definition. This allows the bind to be performed either as 'rmg 127.0.0.1 9010 bind jmx 127.0.0.1:4444' or as 'rmg 127.0.0.1 9010 bind 127.0.0.1:4444'.
For all other actions, the user-specified gadget name and gadget arguments are passed to ysoserial and the corresponding gadget is returned.
Specified by:
getPayloadObject in interface IPayloadProvider
Parameters:
action - the current RMG action that requested the gadget
name - the name of the gadget being requested
args - the arguments provided for the gadget
Returns:
a payload object to use for deserialization attacks
getArgumentArray
public Object[] getArgumentArray(String[] args)
This function basically performs an eval operation on the user-specified arguments. The argument string is inserted into the following expression:
    return new Object[] { arg1, arg2, arg3, ... };
This expression is evaluated and the resulting Object array is returned by this function. For this to work, it is important that all arguments within the argumentString are valid Java Object definitions. E.g. one has to use new Integer(5) instead of a plain 5.
Specified by:
getArgumentArray in interface IArgumentProvider
Parameters:
args - the arguments specified on the command line
Returns:
argument array for a remote method call
getClientSocketFactory
public RMIClientSocketFactory getClientSocketFactory(String host, int port)
Returns an RMIClientSocketFactory according to the specified options on the command line.
Specified by:
getClientSocketFactory in interface ISocketFactoryProvider
Parameters:
host - remote host
port - remote port
Returns:
RMIClientSocketFactory to use
getDefaultSocketFactory
public RMISocketFactory getDefaultSocketFactory(String host, int port)
The default RMISocketFactory used by remote-method-guesser is the LoopbackSocketFactory, which redirects all connections to the original target and thus prevents unwanted RMI redirections. This function is only used for 'managed' RMI calls that rely on an RMI registry. Remote objects that are looked up from the RMI registry use the RMISocketFactory.getDefaultSocketFactory function to obtain a SocketFactory. This factory is then used for explicit calls (method invocations) and for implicit calls (DGC actions like clean or dirty).
When contacting an RMI endpoint directly (by using the RMIEndpoint class), we do not need to call this function, as we already specify a socket factory during the call. When using the RMI registry (RMIRegistryEndpoint class), it is required. In this case, this function should be called and the result should be used within the RMISocketFactory.setSocketFactory function.
When the --ssrf-response option is used, we neither perform any explicit calls nor want DGC actions to take place. For this purpose, we use a custom socket factory that ignores writes of outgoing DGC requests and simulates incoming DGC responses.
Note that the --ssrf option does not affect this function. This is because sockets created by this function are only used for 'managed' RMI calls. SSRF calls in remote-method-guesser are always unmanaged.
Specified by:
getDefaultSocketFactory in interface ISocketFactoryProvider
Parameters:
host - remote host
port - remote port
Returns:
RMISocketFactory to use
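An added example (not remote-method-guesser's own LoopbackSocketFactory code) of a socket factory that pins managed RMI connections to the original target, as described above. The class name PinnedSocketFactory and the sample target 127.0.0.1 are assumptions.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.rmi.server.RMISocketFactory;

// Hypothetical class for illustration, not part of remote-method-guesser.
public class PinnedSocketFactory extends RMISocketFactory {
    private final String pinnedHost;          // host the user originally targeted
    private final RMISocketFactory delegate;  // factory that opens the actual sockets

    public PinnedSocketFactory(String pinnedHost, RMISocketFactory delegate) {
        this.pinnedHost = pinnedHost;
        this.delegate = delegate;
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        // A remote reference looked up from the registry carries its own host.
        // If that host differs from the pinned target, the connection is sent
        // to the pinned target instead of following the server-supplied address.
        if (!pinnedHost.equals(host)) {
            System.err.printf("[pin] %s:%d rewritten to %s:%d%n", host, port, pinnedHost, port);
            host = pinnedHost;
        }
        return delegate.createSocket(host, port);
    }

    @Override
    public ServerSocket createServerSocket(int port) throws IOException {
        return delegate.createServerSocket(port);
    }

    public static void main(String[] args) throws IOException {
        String target = "127.0.0.1"; // constructed sample target
        RMISocketFactory fallback = RMISocketFactory.getDefaultSocketFactory();
        // Install before any managed RMI call; the global factory can be set
        // only once per JVM, so a second call throws an exception.
        RMISocketFactory.setSocketFactory(new PinnedSocketFactory(target, fallback));
        System.out.println(RMISocketFactory.getSocketFactory().getClass().getName());
    }
}
```

Because the factory is global, it also covers the implicit DGC calls (clean, dirty) that the RMI runtime issues for looked-up remote objects.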
getDefaultSSLSocketFactory
public String getDefaultSSLSocketFactory(String host, int port)
The default SSLRMISocketFactory used by remote-method-guesser is the LoopbackSslSocketFactory, which redirects all connections to the original target and thus prevents unwanted RMI redirections. As in the case of plain TCP connections, we use a different socket factory if --ssrf-response was specified on the command line. Check the getDefaultSocketFactory function for more details.
Note that the --ssrf option does not affect this function. This is because sockets created by this function are only used for 'managed' RMI calls. SSRF calls in remote-method-guesser are always unmanaged.
Specified by:
getDefaultSSLSocketFactory in interface ISocketFactoryProvider
Parameters:
host - remote host
port - remote port
Returns:
name of the SSL socket factory class to use for SSL connections.