Java RMI deserialization vulnerability detection tool

Posted by trammel at 2020-02-27

Article difficulty: ★★★

Article reading point / knowledge point: writing a Java RMI deserialization vulnerability detection tool

Author: Xiaotiantian

Source: safe guest

[Technology sharing] Writing a Java RMI deserialization vulnerability detection tool

Origin

Deserialization vulnerabilities have been known for some time, and the test code for WebLogic and JBoss is very mature. However, testing of RMI services is still stuck at the ysoserial stage, where the only option is to execute a command and listen for a reverse Linux shell. Recently I read RMI exploitation code written by Daniel. It needs to load a jar package remotely to get the reverse shell, so if the vulnerable host has no outbound Internet access, the reverse shell fails. From a private chat, I learned that Daniel is too busy to write it.

Introduction

Java RMI is a remote method invocation service. It is a mechanism that allows objects in one Java virtual machine to call methods of objects in another Java virtual machine.

RMI transport inevitably uses serialization and deserialization. If the RMI server port is exposed externally and the server uses libraries such as Apache Commons Collections, remote command execution can result.
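The usual mitigation for the condition described above is a deserialization allow-list (JEP 290, Java 9+ API). The following is an added example, not code from the original article or its tool; RmiFilterDemo and UntrustedGadget are hypothetical names, and UntrustedGadget is a constructed stand-in for a gadget class from a library such as Apache Commons Collections.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class RmiFilterDemo {
    // Constructed stand-in for a library gadget class (hypothetical, harmless).
    static class UntrustedGadget implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list: bounded depth and array size, JDK value types only.
    // The trailing "!*" matters: an unmatched class is otherwise UNDECIDED,
    // and ObjectInputStream lets UNDECIDED classes through.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxarray=1000;java.lang.*;java.util.*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Returns the object, or throws InvalidClassException when the filter
    // rejects a class before any of that class's code can run.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER); // must be set before the first readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> ok = new ArrayList<>(List.of("ping"));
        System.out.println("allowed:  " + readFiltered(serialize(ok)));
        try {
            readFiltered(serialize(new UntrustedGadget()));
            System.out.println("gadget was deserialized (filter not applied)");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide through the jdk.serialFilter system property, which covers streams that application code does not create itself.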

Code analysis

Step 1: generate a class file at a fixed path;

Step 2: load the generated class file to execute the command. This avoids loading a remote jar file and solves the problem of getting a reverse shell from a host that has no outbound Internet access.

Code that executes the command

new URL(classpath) can load a remote jar package, but here it loads the local class file. The do_exec method of the errorbaseexec class executes the command, so the class file has to be generated locally first.

Code that generates the local class

FileOutputStream is called to write the byte array to a local path, generating the errorbaseexec.class file.

Byte array generation

First, compile errorbaseexec.java into errorbaseexec.class with javac, then parse the class file into a byte array. To make vulnerability detection easier, errorbaseexec.java throws an exception carrying a string that contains 8888. If the response matches 8888, the vulnerability is present.

Vulnerability testing

The vulnerability test tool attackrmi.jar can be run with or without a cmd parameter. The test results are as follows:

For the sake of national network and enterprise security, ports 1099 and 1090 of some IP ranges in some regions were tested only to verify the vulnerability; no unethical or uncivilized behavior such as taking control or stealing data was carried out. The test overview is as follows:

The tool is provided so that security operations and maintenance personnel can carry out vulnerability verification tests; please do not use it for illegal activities. The test tools are as follows: