Ermir is an Evil/Rogue RMI Registry: it exploits insecure deserialization in any Java code that calls the standard RMI registry methods on it (list(), lookup(), bind(), rebind(), unbind()).
Installation
Install Ermir from rubygems.org:
or clone the repo and build the gem:
$ git clone https://github.com/hakivvi/ermir.git
$ rake install
Usage
Ermir is a CLI gem that ships two command-line programs, ermir and gadgetmarshal. ermir is the actual tool; gadgetmarshal is just a thin interface to the GadgetMarshaller.java file, which rewrites ysoserial's gadgets to meet the requirements of MarshalInputStream. Its output should then be piped into ermir or written to a file. For custom gadgets, use MarshalOutputStream instead of ObjectOutputStream to write your serialized object to the output stream.
ermir usage:
➜ ~ ermir
Ermir by @hakivvi * https://github.com/hakivvi/ermir.
Info:
Ermir is a Rogue/Evil RMI Registry which exploits insecure Java deserialization in any Java code calling standard RMI methods on it.
Usage: ermir [options]
-l, --listen bind the RMI Registry to this ip and port (default: 0.0.0.0:1099).
-f, --file path to the file containing the gadget to be deserialized.
-p, --pipe read the serialized gadget from the standard input stream.
-v, --version print Ermir version.
-h, --help print this help.
Example:
$ gadgetmarshal /path/to/ysoserial.jar Groovy1 calc.exe | ermir --listen 127.0.0.1:1099 --pipe
gadgetmarshal usage:
➜ ~ gadgetmarshal
Usage: gadgetmarshal /path/to/ysoserial.jar Gadget1 cmd (optional)/path/to/output/file
How does it work?
java.rmi.registry.Registry offers 5 methods: list(), lookup(), bind(), rebind(), unbind():
- public Remote lookup(String name): lookup() searches the registry for a certain object by its name, and the registry returns a Remote object which references the remote object that was looked up. The returned object is read using MarshalInputStream.readObject(), which is just another layer on top of ObjectInputStream: basically, after every class/proxy descriptor (TC_CLASSDESC/TC_PROXYCLASSDESC) it expects a URL that will be used to load that class or proxy class. This is the same wild bug that was fixed in jdk7u21 (Ermir doesn't specify this URL, since only old Java versions are vulnerable; instead it just writes null). As ysoserial gadgets are serialized using ObjectOutputStream, Ermir uses gadgetmarshal, a wrapper around GadgetMarshaller.java, to serialize the requested gadget so that it matches the requirements of MarshalInputStream.
- public String[] list(): list() asks the registry for the names of all bound objects. The String type itself can't be substituted with a malicious gadget, because unlike an ordinary object it is not read using readObject() but rather readUTF(); however, list() returns String[], which is an actual object and is read using readObject(), so Ermir sends the gadget instead of this String[].
- public void bind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2): bind() binds an object to a name in the registry. In bind()'s case the return type is void and nothing is returned; however, if the registry marks the return in the RMI return data packet as an exceptional return, the client will call readObject() regardless of the return type being void. This is how the registry sends exceptions to its clients (normally java.lang.ClassNotFoundException), so once again Ermir sends the serialized gadget instead of a legitimate Exception object.
- public void rebind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2): rebind() replaces the binding of the given name with the supplied remote reference. It also returns void, so Ermir returns an exception just as for bind().
- public void unbind(java.lang.String $param_String_1): unbind() unbinds a remote object by name in the RMI registry. This one also returns void.
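The client-side mitigation for every case described above, as an added example that is not part of Ermir or its README: a Java RMI client that installs a process-wide JEP 290 deserialization filter (JDK 9+, backported to 8u121) before contacting any registry. MarshalInputStream extends ObjectInputStream, so the filter is consulted for each class descriptor in a lookup() result, a list() result, or an exceptional return on bind()/rebind()/unbind(), and a class outside the allowlist is rejected before it is resolved or its readObject() runs. The host, port, bound name, depth limit and the com.example interface prefix are assumptions for the example.

```java
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.lang.reflect.Proxy;
import java.rmi.NotBoundException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.UnmarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

/**
 * Added example, not Ermir code: an RMI client hardened with a JEP 290
 * deserialization filter. Everything a registry sends back is read by
 * MarshalInputStream.readObject(), and the global filter is consulted for
 * each class descriptor before the class is resolved, so a gadget class
 * never reaches its constructor or readObject().
 */
public class FilteredRegistryClient {

    /** Class names the filter refused; feed these to logging/alerting. */
    static final List<String> REJECTED = new CopyOnWriteArrayList<>();

    /** Deepest object graph a legitimate registry reply needs (assumption). */
    static final int MAX_DEPTH = 16;

    /**
     * Allowlist by name prefix. A legitimate reply contains only the stub (a
     * dynamic proxy, handled below, backed by java.rmi.server.* classes), the
     * String[] from list(), or a java.rmi/java.lang exception, whose Throwable
     * fields bring in StackTraceElement[] and Collections$EmptyList. The
     * com.example prefix stands for the application's own Remote interfaces
     * (assumed name). ysoserial chains need commons-collections, groovy or
     * com.sun.* classes, none of which match here.
     */
    static final String[] ALLOWED_PREFIXES = {
        "java.lang.", "java.rmi.", "java.util.Collections$", "com.example."
    };

    static boolean allowedName(String name) {
        for (String p : ALLOWED_PREFIXES) {
            if (name.startsWith(p)) return true;
        }
        return false;
    }

    /** The filter: called once per class descriptor in the stream. */
    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > MAX_DEPTH) {
            REJECTED.add("<depth " + info.depth() + ">");
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            // Not a class check (primitive data, array-length check); defer.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) {            // String[] from list() -> String
            c = c.getComponentType();
        }
        if (c.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        if (Proxy.isProxyClass(c)) {
            // A Remote stub arrives as a dynamic proxy; accept it only if
            // every interface it implements is on the allowlist.
            for (Class<?> itf : c.getInterfaces()) {
                if (!allowedName(itf.getName())) {
                    REJECTED.add("proxy:" + itf.getName());
                    return ObjectInputFilter.Status.REJECTED;
                }
            }
            return ObjectInputFilter.Status.ALLOWED;
        }
        if (allowedName(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        REJECTED.add(c.getName());
        return ObjectInputFilter.Status.REJECTED;
    }

    /** Install the filter process-wide unless -Djdk.serialFilter already did. */
    static void installFilter() {
        if (ObjectInputFilter.Config.getSerialFilter() == null) {
            ObjectInputFilter.Config.setSerialFilter(FilteredRegistryClient::check);
        }
    }

    /**
     * Look a name up and classify the outcome. A rogue registry's gadget
     * surfaces as UnmarshalException caused by InvalidClassException
     * ("filter status: REJECTED"), with the offending class in REJECTED.
     */
    static String safeLookup(String host, int port, String name) {
        installFilter();
        try {
            Registry registry = LocateRegistry.getRegistry(host, port);
            Remote stub = registry.lookup(name);
            return "ok: " + stub.getClass().getName();
        } catch (UnmarshalException e) {
            if (e.getCause() instanceof InvalidClassException) {
                return "blocked: " + REJECTED;
            }
            return "unmarshal error: " + e.getMessage();
        } catch (NotBoundException e) {
            return "not bound: " + name;
        } catch (RemoteException e) {
            return "remote error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(safeLookup("127.0.0.1", 1099, "hello"));
    }
}
```

A code-based filter is used rather than a `-Djdk.serialFilter=` pattern string because the stub for a looked-up object is a dynamic proxy whose generated class name carries no useful package, so the interfaces it implements are what need checking. Note that `sun.rmi.registry.registryFilter` protects the JDK's own registry implementation on the server side; it does nothing for a client that talks to a registry it does not control, which is exactly the situation Ermir targets.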
PoC
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/hakivvi/ermir. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.
License
The gem is available as open source under the terms of the MIT License.
Code of Conduct
Everyone interacting in the Ermir project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.