Remote Method Guesser v3.2 releases: Java RMI enumeration and bruteforce of remote methods
Remote Method Guesser
Remote Method Guesser (rmg) is a command-line utility written in Java that can be used to identify security vulnerabilities on Java RMI endpoints. Currently, the following operations are supported:
- List available bound names and their corresponding interface class names
- List codebase locations (if exposed by the remote server)
- Check for known vulnerabilities (enabled class loader, missing JEP290, localhost bypass)
- Identify existing remote methods by using a bruteforce (wordlist) approach
- Call remote methods with ysoserial gadgets within the arguments
- Call remote methods with a client-specified codebase (remote class loading attack)
- Perform DGC and registry calls with ysoserial gadgets or a client-specified codebase
- Perform bind, unbind and rebind operations against a registry
- Extend ysoserial gadgets with An Trinh's registry bypass
- Enumerate the unmarshalling behavior of java.lang.String
- Create Java code dynamically to invoke remote methods manually
During remote method guessing, deserialization, and codebase attacks, the argument types of remote method calls are deliberately confused so that the method is never actually invoked on the server side. This technique is not unique to remote-method-guesser and was first used (to the best of my knowledge) by Jake Miller in the rmiscout project.
Changelog v3.2
Added
- Add call operation to regularly call remote methods
  - Can be used with bound names (--bound-name)
  - And also with ObjID values (--objid)
- Add plugin system to allow custom gadgets, call arguments and return handlers
- Add an example plugin and a build script
- Add tests based on tricot
Changed
- Global refactoring – Renamed and moved many classes and functions
- The calling convention changed slightly for some actions
- The guess operation now also lists methods for known remote objects
  - These are obtained via reflection, not by guessing
  - You can force guessing anyway by using --force-guessing
- Method arguments are now marshalled correctly (previously, writeObject was always used)
Install & Use
Copyright (C) 2019 qtc-de