Using RMIRegistryExploit to exploit a malicious RMI registry may lead to RCE on the client.
Demo
First, start a malicious registry:
and use RMIRegistryExploit to exploit it:
and calc will be executed on the client.
Analysis
RMIRegistryExploit uses registry.list/bind, which triggers deserialization. So a malicious registry can attack the client with gadgets in ysoserial, such as CommonsCollections.
Gadgets chain:
RegistryImpl_Stub#list->UnicastRef#invoke->StreamRemoteCall#executeCall->ObjectInputStream#readObject
Fix
Rewrite the socket code to implement JRMP connections, just like ysoserial.exploit.JRMPClient does.
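The issue's fix is to stop calling ObjectInputStream#readObject on bytes a registry sends back at all. Where a client does have to deserialize a reply from a server it does not trust, the defensive counterpart is to attach a deserialization filter (JEP 290, Java 9 and later) so that any class outside the expected reply types is rejected before it is instantiated, which is what breaks chains such as the CommonsCollections gadgets named above. The following is an added example, not code from ysoserial or from the issue: it uses an ArrayList of names as a constructed stand-in for a registry reply, and a constructed Serializable class named Unexpected as the stand-in for anything else appearing in the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class FilteredRegistryReply {

    // Allowlist of the only types a registry reply is expected to contain, plus
    // nesting-depth and byte caps; "!*" rejects every other class. Pattern syntax
    // is that of java.io.ObjectInputFilter.Config.createFilter (JEP 290, Java 9+).
    static final ObjectInputFilter REPLY_FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=4;maxbytes=65536;!*");

    // Constructed for this demo: a harmless class that is nonetheless not on the
    // allowlist, standing in for anything a hostile server might place in the stream.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "constructed, harmless";
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize untrusted bytes with the filter installed. The JDK consults the
    // filter for each class descriptor as it is read, before resolveClass and before
    // any instance is created, so a rejected class never gets to run gadget code.
    static Object readFiltered(byte[] untrusted) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(REPLY_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected shape of a reply: a list of bound names (constructed sample data).
        List<String> names = new ArrayList<>();
        names.add("ServiceA");
        names.add("ServiceB");
        Object accepted = readFiltered(serialize(names));
        System.out.println("accepted: " + accepted);

        // Anything else in the stream is refused with InvalidClassException
        // ("filter status: REJECTED") before instantiation.
        try {
            readFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately narrow: it names the concrete reply types rather than packages, because a package-level allowance such as java.util.* would readmit the JDK collection classes that deserialization gadget chains are built from. Depth and byte limits are cheap extra insurance against streams that are well-typed but pathological in size.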