From 0737e79f7f34d6eca486103568a3c6d7993f4cff Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Thu, 6 Jan 2022 07:50:51 +0100 Subject: [PATCH 1/6] Fix missing --yso parameter As pointed out in issue #26, the --yso parameter was missing for operations that use deserialization gadgets. The parameter was now added to resolve this issue. --- src/de/qtc/rmg/internal/ArgumentHandler.java | 8 ++++++-- src/de/qtc/rmg/internal/ExceptionHandler.java | 4 ++-- src/de/qtc/rmg/internal/RMGOption.java | 2 ++ src/de/qtc/rmg/operations/Operation.java | 8 ++++++++ 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/de/qtc/rmg/internal/ArgumentHandler.java b/src/de/qtc/rmg/internal/ArgumentHandler.java index 352a0627..29172b38 100644 --- a/src/de/qtc/rmg/internal/ArgumentHandler.java +++ b/src/de/qtc/rmg/internal/ArgumentHandler.java @@ -271,8 +271,12 @@ public Object getGadget() String command = null; if( this.getAction() == Operation.BIND || this.getAction() == Operation.REBIND ) { - gadget = "jmx"; - command = RMGOption.require(RMGOption.BIND_ADDRESS); + + boolean customGadget = RMGOption.BIND_GADGET_NAME.notNull(); + boolean customCommand = RMGOption.BIND_GADGET_CMD.notNull(); + + gadget = customGadget ? RMGOption.BIND_GADGET_NAME.getValue() : "jmx"; + command = customCommand ? RMGOption.BIND_GADGET_CMD.getValue() : RMGOption.require(RMGOption.BIND_ADDRESS); } else { gadget = (String) RMGOption.require(RMGOption.GADGET_NAME); diff --git a/src/de/qtc/rmg/internal/ExceptionHandler.java b/src/de/qtc/rmg/internal/ExceptionHandler.java index 120e2ca7..3fa75f8d 100644 --- a/src/de/qtc/rmg/internal/ExceptionHandler.java +++ b/src/de/qtc/rmg/internal/ExceptionHandler.java 
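Review bot: The two new options are evaluated independently in the bind/rebind branch, so `--gadget-cmd` on its own replaces the bind-host specification that the default `jmx` gadget receives, and `--gadget-name` on its own hands the bind-host string to the selected gadget as its command; nothing on this page suggests either combination is intended. If the options are meant to be used together, reject the mixed case before the assignments, e.g. `if (customGadget != customCommand) { Logger.eprintlnMixedYellow("The", "--gadget-name", "and --gadget-cmd options must be used together."); RMGUtils.exit(); }` (assuming the three-argument Logger overload used in the ExceptionHandler hunk is available here), and state the coupling in the help strings added in the RMGOption.java hunk, e.g. `"command passed to the gadget selected via --gadget-name"`. The new assignments also rely on `getValue()` being inferred as `String`, whereas the else branch below casts `(String) RMGOption.require(...)` explicitly; using the same form in both branches would keep the method uniform. getGadget() begins and ends outside this hunk.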
@@ -416,8 +416,8 @@ public static void bindException(Exception e) public static void ysoNotPresent(String location) { - Logger.eprintlnMixedYellow("Unable to find ysoserial library in path", location); - Logger.eprintlnMixedYellow("Check your configuration file or specify it on the command line using the", "--yso", "parameter"); + Logger.eprintlnMixedBlue("Unable to find ysoserial library in path", location); + Logger.eprintlnMixedYellow("Check your configuration file or use the", "--yso", "command line parameter."); RMGUtils.exit(); } diff --git a/src/de/qtc/rmg/internal/RMGOption.java b/src/de/qtc/rmg/internal/RMGOption.java index 340408ae..7d27dfaa 100644 --- a/src/de/qtc/rmg/internal/RMGOption.java +++ b/src/de/qtc/rmg/internal/RMGOption.java @@ -55,6 +55,8 @@ public enum RMGOption { BIND_ADDRESS("bind-host", "host specifications the bound remote object should point to", Arguments.store(), RMGOptionGroup.ACTION, "host:port"), BIND_BOUND_NAME("bound-name", "Bound name to use for (un)bind action", Arguments.store(), RMGOptionGroup.ACTION, "name"), BIND_BYPASS("--localhost-bypass", "attempt localhost bypass (CVE-2019-2684)", Arguments.storeTrue(), RMGOptionGroup.ACTION), + BIND_GADGET_NAME("--gadget-name", "attempt to bind the specified gadget instead of JMXServer", Arguments.store(), RMGOptionGroup.ACTION, "gadget"), + BIND_GADGET_CMD("--gadget-cmd", "command for a custom gadget", Arguments.store(), RMGOptionGroup.ACTION, "cmd"), CODEBASS_CLASS("classname", "classname to load during codebase attack", Arguments.store(), RMGOptionGroup.ACTION, "classname"), CODEBASE_URL("url", "codebase URL to load the payload from", Arguments.store(), RMGOptionGroup.ACTION, "url"), diff --git a/src/de/qtc/rmg/operations/Operation.java b/src/de/qtc/rmg/operations/Operation.java index 4250f3ca..df394638 100644 --- a/src/de/qtc/rmg/operations/Operation.java +++ b/src/de/qtc/rmg/operations/Operation.java 
@@ -41,6 +41,9 @@ public enum Operation { RMGOption.BIND_BYPASS, RMGOption.BIND_OBJID, RMGOption.BIND_ADDRESS, + RMGOption.BIND_GADGET_NAME, + RMGOption.BIND_GADGET_CMD, + RMGOption.YSO, }), CALL("dispatchCall", "", "Regulary calls a method with the specified arguments", new RMGOption[] { @@ -154,6 +157,7 @@ public enum Operation { RMGOption.LISTEN_PORT, RMGOption.GADGET_NAME, RMGOption.GADGET_CMD, + RMGOption.YSO, }), OBJID("dispatchObjID", "", "Print information contained within an ObjID", new RMGOption[] { @@ -183,6 +187,9 @@ public enum Operation { RMGOption.BIND_BYPASS, RMGOption.BIND_OBJID, RMGOption.BIND_ADDRESS, + RMGOption.BIND_GADGET_NAME, + RMGOption.BIND_GADGET_CMD, + RMGOption.YSO, }), ROGUEJMX("dispatchRogueJMX", "[forward-host]", "Creates a rogue JMX listener (collect credentials)", new RMGOption[] { @@ -236,6 +243,7 @@ public enum Operation { RMGOption.ARGUMENT_POS, RMGOption.GADGET_NAME, RMGOption.GADGET_CMD, + RMGOption.YSO, }), UNBIND("dispatchUnbind", "", "Removes the specified bound name from the registry", new RMGOption[] { From 1dcad5dfa4ed12067f271fa021f7de04a8f4d6a0 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Thu, 6 Jan 2022 07:53:56 +0100 Subject: [PATCH 2/6] Update completion script Update completion script to support the --yso parameter as suggested in issue #26. --- resources/bash_completion.d/rmg | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/resources/bash_completion.d/rmg b/resources/bash_completion.d/rmg index d9421cb9..e58e2e01 100644 --- a/resources/bash_completion.d/rmg +++ b/resources/bash_completion.d/rmg 
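Review bot: The option triple `GADGET_NAME, GADGET_CMD, YSO` (and `BIND_GADGET_NAME, BIND_GADGET_CMD, YSO` for bind/rebind) is now written out by hand in four constants of this enum, which is how `YSO` came to be missing in the first place. A shared constant that every gadget-based operation references, kept in a small holder class because an enum constructor cannot read static fields of its own enum, would make the next option addition a one-line change, e.g. `static final RMGOption[] GADGET_OPTIONS = { RMGOption.GADGET_NAME, RMGOption.GADGET_CMD, RMGOption.YSO };` merged with the operation-specific entries. Whether the `RMGOption[]` constructor argument is only iterated (so a concatenation helper would be safe) is not visible here. Each of the four enum constants touched begins outside its hunk.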
@@ -38,11 +38,11 @@ function _rmg() { elif [[ ${words[1]} == "bind" || ${words[1]} == "rebind" ]]; then - if _comp_contains "--config --plugin" $prev; then + if _comp_contains "--config --plugin --yso" $prev; then _filedir return 0 - elif _comp_contains "--ssrf-response --bind-objid" $prev; then + elif _comp_contains "--ssrf-response --bind-objid --gadget-name --gadget-cmd" $prev; then return 0 elif [[ $cur == -* ]] || [[ $args -ge 8 ]]; then @@ -62,6 +62,9 @@ function _rmg() { opts="$opts --no-color" opts="$opts --stack-trace" opts="$opts --ssl" + opts="$opts --yso" + opts="$opts --gadget-name" + opts="$opts --gadget-cmd" elif [[ $cword -eq 4 ]]; then _ip_addresses @@ -251,7 +254,7 @@ function _rmg() { elif [[ ${words[1]} == "listen" ]]; then - if _comp_contains "--config --plugin" $prev; then + if _comp_contains "--config --plugin --yso" $prev; then _filedir return 0 @@ -262,6 +265,7 @@ function _rmg() { opts="$opts --plugin" opts="$opts --no-color" opts="$opts --stack-trace" + opts="$opts --yso" elif [[ $cword -eq 2 ]]; then _ip_addresses @@ -352,7 +356,7 @@ function _rmg() { elif [[ ${words[1]} == "serial" ]]; then - if _comp_contains "--config --plugin" $prev; then + if _comp_contains "--config --plugin --yso" $prev; then _filedir return 0 @@ -382,6 +386,7 @@ function _rmg() { opts="$opts --signature" opts="$opts --follow" opts="$opts --ssl" + opts="$opts --yso" elif [[ $cword -eq 4 ]]; then opts="$gadgets" From d81391e0aa651a43dc5ded44ea21ff69fc7a26cb Mon Sep 17 00:00:00 2001 
From: TNeitzel Date: Fri, 7 Jan 2022 06:49:19 +0100 Subject: [PATCH 3/6] Improve completion script The completion script had problems when value options were used. Some completions used cword to determine what to complete. However, cword does not exclude value options and is therefore not suitable for this case. Instead, $args is the correct choice, as it excludes value options and counts from start of the command line to the current word. --- resources/bash_completion.d/rmg | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/resources/bash_completion.d/rmg b/resources/bash_completion.d/rmg index e58e2e01..21e5e75a 100644 --- a/resources/bash_completion.d/rmg +++ b/resources/bash_completion.d/rmg @@ -66,7 +66,7 @@ function _rmg() { opts="$opts --gadget-name" opts="$opts --gadget-cmd" - elif [[ $cword -eq 4 ]]; then + elif [[ $args -eq 4 ]]; then _ip_addresses compopt -o nospace return 0 @@ -145,7 +145,7 @@ function _rmg() { opts="$opts --follow" opts="$opts --ssl" - elif [[ $cword -eq 5 ]]; then + elif [[ $args -eq 5 ]]; then _ip_addresses compopt -o nospace return 0 @@ -267,11 +267,11 @@ function _rmg() { opts="$opts --stack-trace" opts="$opts --yso" - elif [[ $cword -eq 2 ]]; then + elif [[ $args -eq 2 ]]; then _ip_addresses return 0 - elif [[ $cword -eq 4 ]]; then + elif [[ $args -eq 4 ]]; then opts="$gadgets" else @@ -320,7 +320,7 @@ function _rmg() { opts="$opts --follow" opts="$opts --ssl" - elif [[ $cword -eq 2 ]]; then + elif [[ $args -eq 2 ]]; then _ip_addresses return 0 @@ -388,7 +388,7 @@ function _rmg() { opts="$opts --ssl" opts="$opts --yso" - elif [[ $cword -eq 4 ]]; then + elif [[ $args -eq 4 ]]; then opts="$gadgets" else From e1acb189ecce9d3d9cc6e42989b4f6d05918f33b Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Fri, 7 Jan 2022 06:54:03 +0100 Subject: [PATCH 4/6] Update changelog --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cecd53ed..c3a446be 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [4.2.1] - Jan 07, 2022 + +### Changed + +* Fix missing ``--yso`` option for some actions (resolves issue #26) +* Improve the bash completion script +* Improve test cases + + ## [4.2.0] - Dec 30, 2021 ### Changed From ac6bb5658e055ba13457cec90ea1aad9dc2bc40b Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Fri, 7 Jan 2022 06:55:15 +0100 Subject: [PATCH 5/6] Bump version number --- README.md | 2 +- pom.xml | 2 +- tests/tricot.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index fa7b7743..784e6d77 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ [![](https://github.com/qtc-de/remote-method-guesser/workflows/master%20maven%20CI/badge.svg?branch=master)](https://github.com/qtc-de/remote-method-guesser/actions/workflows/master.yml) [![](https://github.com/qtc-de/remote-method-guesser/workflows/develop%20maven%20CI/badge.svg?branch=develop)](https://github.com/qtc-de/remote-method-guesser/actions/workflows/develop.yml) -[![](https://img.shields.io/badge/version-4.2.0-blue)](https://github.com/qtc-de/remote-method-guesser/releases) +[![](https://img.shields.io/badge/version-4.2.1-blue)](https://github.com/qtc-de/remote-method-guesser/releases) [![](https://img.shields.io/badge/build%20system-maven-blue)](https://maven.apache.org/) ![](https://img.shields.io/badge/java-8%2b-blue) [![](https://img.shields.io/badge/license-GPL%20v3.0-blue)](https://github.com/qtc-de/remote-method-guesser/blob/master/LICENSE) diff --git a/pom.xml b/pom.xml index 29bd9031..007fc446 100644 --- a/pom.xml +++ b/pom.xml @@ -8,7 +8,7 @@ remote-method-guesser remote-method-guesser jar - 4.2.0 + 4.2.1 Identify common misconfigurations on Java RMI endpoints 
diff --git a/tests/tricot.yml b/tests/tricot.yml index 6b760037..d938fd09 100644 --- a/tests/tricot.yml +++ b/tests/tricot.yml @@ -18,7 +18,7 @@ tester: ge: 1.9.0 variables: - rmg: rmg-4.2.0-jar-with-dependencies.jar + rmg: rmg-4.2.1-jar-with-dependencies.jar volume: /tmp/rmg-tricot-test/ volume-d: /rce/ codebase-class: CodebaseTest From 3338a34d6aaf4597302fbea5de24efa2cb800d46 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Fri, 7 Jan 2022 07:02:14 +0100 Subject: [PATCH 6/6] Improve completion script Add gadget name completion for --gadget-name argument. --- resources/bash_completion.d/rmg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/resources/bash_completion.d/rmg b/resources/bash_completion.d/rmg index 21e5e75a..b6e4cf26 100644 --- a/resources/bash_completion.d/rmg +++ b/resources/bash_completion.d/rmg @@ -42,9 +42,12 @@ function _rmg() { _filedir return 0 - elif _comp_contains "--ssrf-response --bind-objid --gadget-name --gadget-cmd" $prev; then + elif _comp_contains "--ssrf-response --bind-objid --gadget-cmd" $prev; then return 0 + elif _comp_contains "--gadget-name" $prev; then + opts="$gadgets" + elif [[ $cur == -* ]] || [[ $args -ge 8 ]]; then opts="--help" opts="$opts --gopher"