BishopFox / rmiscout

RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities
https://labs.bishopfox.com/tech-blog/rmiscout
MIT License

Errors when trying out the demo #14

Open anna-seppala opened 3 years ago

anna-seppala commented 3 years ago

Hi, I've just downloaded your project and get errors when trying out the demo. When launching the docker image, I get the following output:

$ sudo ./start_demo.sh 
Sending build context to Docker daemon  39.42kB
Step 1/7 : FROM openjdk:8
 ---> 08121337b7a4
Step 2/7 : COPY . /demo/
 ---> Using cache
 ---> cf5a149f4afa
Step 3/7 : WORKDIR /demo/
 ---> Using cache
 ---> 32a252e1431d
Step 4/7 : RUN chmod +x run.sh
 ---> Using cache
 ---> 4726b9e20b05
Step 5/7 : RUN javac com/bishopfox/example/*.java
 ---> Using cache
 ---> 7a9380ddf249
Step 6/7 : RUN rmic -d . com.bishopfox.example.ActivationImpl &&     rmic -d . -iiop com.bishopfox.example.CorbaImpl &&     rmic -d . com.bishopfox.example.SSLServer
 ---> Using cache
 ---> 11b2c341ba51
Step 7/7 : ENTRYPOINT ["./run.sh"]
 ---> Using cache
 ---> c786833d4889
Successfully built c786833d4889
Successfully tagged rmiscout-demo:latest
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1336)
    at sun.rmi.server.Activation$ActivationSystemImpl.registerGroup(Activation.java:538)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
    at sun.rmi.transport.Transport$1.run(Transport.java:200)
    at sun.rmi.transport.Transport$1.run(Transport.java:197)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Got the stub for HelloInterface
ActivationServer ready on port 1099...
Plain Server ready on port 1099...
RMI-IIOP Server ready on port 1050...
SSL Server ready on port 1100...

The stack trace looks scary but the servers are up and I can scan them with nmap.

When I then try to use rmiscout to connect to port 1099, I get this:

$ ./rmiscout.sh wordlist -i demo/wordlist.txt -n ActivationServer 127.0.0.1 1099
java.lang.ClassNotFoundException: com.sun.corba.se.spi.logging.LogWrapperBase
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:315)
    at com.bishopfox.rmiscout.RMIScout.disableAccessWarnings(RMIScout.java:75)
    at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:170)
[INFO] Attempting operation on the "ActivationServer" registry.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by javassist.ClassPool (file:/home/rmiscout/build/libs/rmiscout-1.4-SNAPSHOT-all.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int)
WARNING: Please consider reporting this to the maintainers of javassist.ClassPool
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Skipping, void args: String restart()

A similar thing happens with the registry 'plaintest'. Listing of the registries works even though the same error gets shown:

$ ./rmiscout.sh list 127.0.0.1 1099
java.lang.ClassNotFoundException: com.sun.corba.se.spi.logging.LogWrapperBase
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:315)
    at com.bishopfox.rmiscout.RMIScout.disableAccessWarnings(RMIScout.java:75)
    at com.bishopfox.rmiscout.RMIScout.main(RMIScout.java:170)
[INFO] Registries available on 127.0.0.1:1099 = [
    name[0] = ActivationServer
        class = com.bishopfox.example.ActivationImpl_Stub
    name[1] = plaintest
        class = com.bishopfox.example.HelloInterface

My JAVA_HOME is /opt/jdk1.8.0_301 and the build of rmiscout was successful. What could be the issue?

Loads of thanks for your help!
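A diagnostic script added here as an example (not code from the issue poster or from the rmiscout project) for the kind of mismatch the two traces above exhibit: the frames under `java.lang.ClassNotFoundException` are prefixed with `java.base/`, and the `--illegal-access=warn` notice is emitted only by a modular runtime, so the `rmiscout.sh` run was on Java 9 or later regardless of what `JAVA_HOME` points at. The `com.sun.corba.se` package lives in the `java.corba` module, which is not resolved for class-path applications on JDK 9/10 and was removed entirely in JDK 11, which is why the `Class.forName` lookup fails. The script parses `java -version` banners, classifies a stack-trace frame by runtime generation, and compares the JDK under `JAVA_HOME` with the `java` found first on `PATH`; the sample banner and frame lines are constructed from the output shown in the issue, and the helper names are the author's own.

```shell
#!/bin/sh
# Return the major version from the first line of `java -version` output.
# Handles the pre-9 form 'java version "1.8.0_301"' (major 8) and the 9+
# forms 'openjdk version "11.0.12"' or 'java version "17"' (major 11 / 17).
java_major_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;   # 1.8.0_301 -> 8
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;   # 11.0.12 -> 11, 17 -> 17
    esac
}

# Classify one stack-trace frame by the runtime that produced it. Frames on a
# modular (9+) runtime carry a "module/" prefix, e.g. "at java.base/jdk.internal..."
frame_runtime() {
    case "$1" in
        *'at java.base/'*|*'at jdk.'*'/'*|*'at java.'*'/'*) echo "9+" ;;
        *) echo "8-or-older" ;;
    esac
}

# Report whether a runtime of the given major version can load com.sun.corba.se
# classes from the class path: only JDK 8 and earlier resolve them by default.
corba_on_classpath() {
    if [ "$1" -le 8 ]; then echo "yes"; else echo "no"; fi
}

# Compare the JDK JAVA_HOME points at with the java that is first on PATH.
# Both lookups are guarded so the script still runs on a host with no java.
compare_javas() {
    if [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ]; then
        home_banner=$("$JAVA_HOME/bin/java" -version 2>&1 | head -n 1)
        echo "JAVA_HOME java: major $(java_major_version "$home_banner")"
    fi
    if command -v java >/dev/null 2>&1; then
        path_banner=$(java -version 2>&1 | head -n 1)
        echo "PATH java:      major $(java_major_version "$path_banner")"
    fi
}

# Constructed sample input, taken from the banners/frames quoted in the issue.
sample_frame='    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)'
sample_banner_8='java version "1.8.0_301"'

echo "trace frame came from a runtime that is: $(frame_runtime "$sample_frame")"
echo "JAVA_HOME-style banner parses to major: $(java_major_version "$sample_banner_8")"
echo "corba classes on class path for major 8: $(corba_on_classpath 8)"
echo "corba classes on class path for major 11: $(corba_on_classpath 11)"
compare_javas
```

If the two majors printed by `compare_javas` differ, the wrapper script is picking up the `PATH` java; running it as `PATH="$JAVA_HOME/bin:$PATH" ./rmiscout.sh ...` (or invoking the built jar with `"$JAVA_HOME/bin/java" -jar`) pins it to the JDK 8 install.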