Package eu.tneitzel.rmg.utils
Class YsoIntegration
- java.lang.Object
- eu.tneitzel.rmg.utils.YsoIntegration
public class YsoIntegration extends Object
remote-method-guesser does not include the ysoserial library as one of its dependencies. This is on purpose, for the following reasons:
1. The ysoserial library is quite big in file size (~55MB). If each offensive tool includes it within its own .jar file, you lose a non-negligible amount of disk space to duplicated content.
2. Including ysoserial as a dependency means that you have all available gadgets within your own classpath, which makes you vulnerable to deserialization attacks on the client side.
3. Each security professional is expected to have a ysoserial.jar on their machine anyway, so why ship an additional one?
Instead of using it as a library, remote-method-guesser uses a URLClassLoader to load the .jar and reflection to invoke methods on it.
- Author:
- Tobias Neitzel (@qtc_de)
Constructor Summary
- YsoIntegration()
Method Summary
- static void createJRMPListener(String host, int port, Object payloadObject)
  Opens a malicious JRMPListener that answers with ysoserial gadgets to incoming JRMP connections.
- static Object getPayloadObject(String gadget, String command)
  Loads ysoserial using a separate URLClassLoader and invokes the makePayloadObject function by using reflection.
- static Object prepareAnTrinhGadget(String host, int port)
  The bypass technique implemented by this code was discovered by An Trinh (@_tint0) and a detailed analysis was provided by Hans-Martin Münch (@h0ng10).

Method Detail
createJRMPListener
public static void createJRMPListener(String host, int port, Object payloadObject)
Opens a malicious JRMPListener that answers with ysoserial gadgets to incoming JRMP connections. The actual JRMPListener is spawned by ysoserial; this function is basically just a wrapper around the JRMPListener class of ysoserial. The ysoserial library is loaded via URLClassLoader and the JRMPListener class is accessed via reflection. The only noticeable difference to the default JRMPListener of ysoserial is that you can specify the listening host in this implementation. The JRMPListener will then only be opened on the specified IP address.
- Parameters:
  host - IP address where to listen for connections
  port - port where to listen for connections
  payloadObject - payload object to deliver to incoming connections
-
getPayloadObject
public static Object getPayloadObject(String gadget, String command)
Loads ysoserial using a separate URLClassLoader and invokes the makePayloadObject function by using reflection. The result is a ysoserial gadget as it would be created on the command line.
- Parameters:
  gadget - name of the desired gadget
  command - command specification for the desired gadget
- Returns:
  ysoserial gadget
-
prepareAnTrinhGadget
public static Object prepareAnTrinhGadget(String host, int port) throws Exception
The bypass technique implemented by this code was discovered by An Trinh (@_tint0) and a detailed analysis was provided by Hans-Martin Münch (@h0ng10). Certain portions of the code were copied from the corresponding blog post: https://mogwailabs.de/de/blog/2020/02/an-trinhs-rmi-registry-bypass/
Noticeable differences are that the UnicastRemoteObject is created with a DummySocketFactory to prevent it from being bound locally, and that it is unexported manually after its creation. Apart from removing the object from the local runtime, unexporting has an additional benefit: as Hans-Martin Münch mentioned, RemoteObjects are normally replaced by a Proxy during RMI communication. This is handled by the replaceObject function of the MarshalOutputStream class. He therefore recommends setting the enableReplace field of ObjectOutput to false manually. This is however not necessary when unexporting the object first, as RemoteObjects are only replaced by a Proxy if they can be found within the local ObjectTable.
- Parameters:
  host - listener address for the outgoing JRMP connection
  port - listener port for the outgoing JRMP connection
- Returns:
  payload object
- Throws:
  Exception - internal error