From 4228627a681c5e50aea613c1b77f62479c9ad265 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Sat, 18 Dec 2021 09:44:08 +0100 Subject: [PATCH 01/14] Add missing exception handling for unknown host --- src/de/qtc/rmg/networking/RMIEndpoint.java | 3 +++ src/de/qtc/rmg/networking/RMIRegistryEndpoint.java | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/src/de/qtc/rmg/networking/RMIEndpoint.java b/src/de/qtc/rmg/networking/RMIEndpoint.java index 223c2dc0..bb50ff37 100644 --- a/src/de/qtc/rmg/networking/RMIEndpoint.java +++ b/src/de/qtc/rmg/networking/RMIEndpoint.java @@ -118,6 +118,9 @@ public void genericCall(ObjID objID, int callID, long methodHash, MethodArgument } catch(java.rmi.ConnectIOException e) { ExceptionHandler.connectIOException(e, callName); + } catch( java.rmi.UnknownHostException e ) { + ExceptionHandler.unknownHost(e, host, true); + } catch( SSRFException e ) { SSRFSocket.printContent(host, port); } diff --git a/src/de/qtc/rmg/networking/RMIRegistryEndpoint.java b/src/de/qtc/rmg/networking/RMIRegistryEndpoint.java index 9d229f1a..8820e5a6 100644 --- a/src/de/qtc/rmg/networking/RMIRegistryEndpoint.java +++ b/src/de/qtc/rmg/networking/RMIRegistryEndpoint.java @@ -104,6 +104,9 @@ public String[] getBoundNames() throws java.rmi.NoSuchObjectException } catch( java.rmi.ConnectException e ) { ExceptionHandler.connectException(e, "list"); + } catch( java.rmi.UnknownHostException e ) { + ExceptionHandler.unknownHost(e, host, true); + } catch( java.rmi.NoSuchObjectException e ) { throw e; @@ -165,6 +168,9 @@ public Remote lookup(String boundName) } catch( java.rmi.ConnectException e ) { ExceptionHandler.connectException(e, "lookup"); + } catch( java.rmi.UnknownHostException e ) { + ExceptionHandler.unknownHost(e, host, true); + } catch( java.rmi.NoSuchObjectException e ) { ExceptionHandler.noSuchObjectException(e, "registry", true); From 04a02e26c78024a08f973a8e7ae8d2380d854866 Mon Sep 17 00:00:00 2001 
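Review bot: The new handler in genericCall is written as `} catch( java.rmi.UnknownHostException e ) {` while the adjacent `catch(java.rmi.ConnectIOException e)` in the same file has no inner padding; the two RMIRegistryEndpoint hunks match their neighbours, so this is the only inconsistent one. `} catch(java.rmi.UnknownHostException e) {` keeps the file's existing form. genericCall starts and ends outside the hunk.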
From: TNeitzel Date: Tue, 21 Dec 2021 10:22:37 +0100 Subject: [PATCH 02/14] Fix missing signature error message in call action When the call action was used without specifying a method signature, no error message was displayed. --- src/de/qtc/rmg/operations/Dispatcher.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/de/qtc/rmg/operations/Dispatcher.java b/src/de/qtc/rmg/operations/Dispatcher.java index d3112f21..ef060388 100644 --- a/src/de/qtc/rmg/operations/Dispatcher.java +++ b/src/de/qtc/rmg/operations/Dispatcher.java @@ -353,6 +353,9 @@ public void dispatchCall() RMIEndpoint rmi = getRMIEndpoint(); Object[] argumentArray = p.getCallArguments(); + if( candidate == null ) + ExceptionHandler.missingSignature(); + RemoteObjectClient client = getRemoteObjectClient(rmi); client.genericCall(candidate, argumentArray); } From f3c7d072de522620a2987926998258caea7b24af Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 09:43:15 +0100 Subject: [PATCH 03/14] Catch call exception with wrong argument count When a wrong argument count was used for the call action, the corresponding exception was not caught. --- src/de/qtc/rmg/internal/ExceptionHandler.java | 7 +++++++ src/de/qtc/rmg/internal/MethodCandidate.java | 17 +++++++++++++++-- src/de/qtc/rmg/operations/Dispatcher.java | 3 +++ 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/src/de/qtc/rmg/internal/ExceptionHandler.java b/src/de/qtc/rmg/internal/ExceptionHandler.java index f57d39a9..57008593 100644 --- a/src/de/qtc/rmg/internal/ExceptionHandler.java +++ b/src/de/qtc/rmg/internal/ExceptionHandler.java 
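Review bot: The `candidate == null` guard in dispatchCall is only correct because ExceptionHandler.missingSignature() never returns, and nothing in the hunk says so; if that helper is ever changed to return, `client.genericCall(candidate, argumentArray)` dereferences null two lines later. The `wrongArgumentCount` check added to the same method in PATCH 03 has the identical dependency. The other ExceptionHandler helpers in this series end in `RMGUtils.exit()`, so presumably this one does too; a comment such as `// missingSignature() terminates the process` or an explicit `return;` after the call would make the contract visible to the reader and the compiler. dispatchCall starts outside the hunk.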
@@ -444,6 +444,13 @@ public static void invalidObjectId(String objID) RMGUtils.exit(); } + public static void wrongArgumentCount(int expected, int is) + { + Logger.eprintlnMixedYellow("The specified method signature expects", String.valueOf(expected), "arguments,"); + Logger.eprintlnMixedBlue("but", String.valueOf(is), "arguments have been specified."); + RMGUtils.exit(); + } + public static void unrecognizedMethodHash(Exception e, String action, String signature) { Logger.eprintlnMixedYellow("Caught", "UnmarshalException (unrecognized method hash)", "during " + action + " action."); diff --git a/src/de/qtc/rmg/internal/MethodCandidate.java b/src/de/qtc/rmg/internal/MethodCandidate.java index c2945ca6..f3a76861 100644 --- a/src/de/qtc/rmg/internal/MethodCandidate.java +++ b/src/de/qtc/rmg/internal/MethodCandidate.java @@ -32,6 +32,7 @@ public class MethodCandidate { private String signature; private boolean isVoid; + private int argumentCount; private int primitiveSize; /** @@ -94,10 +95,12 @@ public MethodCandidate(CtMethod method) throws NotFoundException */ private void initialize(CtMethod method) throws NotFoundException { - this.hash = getCtMethodHash(method); CtClass[] types = method.getParameterTypes(); - if( types.length == 0 ) { + this.argumentCount = types.length; + this.hash = getCtMethodHash(method); + + if( argumentCount == 0 ) { this.isVoid = true; this.primitiveSize = -99; @@ -212,6 +215,16 @@ public String getName() throws CannotCompileException, NotFoundException return "method"; } + /** + * Returns the expected argument count of the method candidate. + * + * @return expected argument count as int + */ + public int getArgumentCount() + { + return argumentCount; + } + /** * Searches the current MethodCandidate for non primitive arguments (yes, the name is misleading). * Non primitive arguments are required for deserialization attacks. If a non primitive argument is 
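Review bot: wrongArgumentCount hard-codes the plural, so a single-parameter signature prints `expects 1 arguments,`, which is the most common mismatch case. `expected == 1 ? "argument," : "arguments,"` in place of the literal (and the same for `is`) fixes the wording without touching the exit path.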
diff --git a/src/de/qtc/rmg/operations/Dispatcher.java b/src/de/qtc/rmg/operations/Dispatcher.java index ef060388..11bf9b79 100644 --- a/src/de/qtc/rmg/operations/Dispatcher.java +++ b/src/de/qtc/rmg/operations/Dispatcher.java @@ -356,6 +356,9 @@ public void dispatchCall() if( candidate == null ) ExceptionHandler.missingSignature(); + if( argumentArray.length != candidate.getArgumentCount() ) + ExceptionHandler.wrongArgumentCount(candidate.getArgumentCount(), argumentArray.length); + RemoteObjectClient client = getRemoteObjectClient(rmi); client.genericCall(candidate, argumentArray); } From 486338773cc563ff30d8dea926be3b4e392662d4 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 10:01:58 +0100 Subject: [PATCH 04/14] [docker] Fix indentation bug in ssrf-container When an error occured while processing an HTTP request, the indent was never reset. This has now been fixed. --- .../server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/ssrf-server/resources/server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java b/docker/ssrf-server/resources/server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java index 75b60cc2..16ac3a2f 100644 --- a/docker/ssrf-server/resources/server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java +++ b/docker/ssrf-server/resources/server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java @@ -75,7 +75,6 @@ public void handle(HttpExchange t) throws IOException } response.write(output); - Logger.decreaseIndent(); } } catch( IOException | InterruptedException e ){ @@ -90,6 +89,7 @@ public void handle(HttpExchange t) throws IOException } response.close(); + Logger.decreaseIndent(); } /** From 61aa033a8fc60bc333f1dfd9c2ec55762cab388d Mon Sep 17 00:00:00 2001 
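Review bot: Moving `Logger.decreaseIndent()` below `response.close()` repairs the error path, but the call now follows a statement that can itself throw IOException, so a failing close() still leaves the indent raised for the next request handled by this server. `try { response.close(); } finally { Logger.decreaseIndent(); }` resets it on every exit path. The matching increaseIndent() and the start of handle() are outside the hunk, so this assumes the indent is raised exactly once per request.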
From: TNeitzel Date: Wed, 22 Dec 2021 10:05:07 +0100 Subject: [PATCH 05/14] Log errors to stderr remote-method-guesser logged error messages to stdout so far. This behavior was now changed. Furthermore, disabling logging can now be done separately for stdout and stderr. This was required to make error messages appear when using the --raw option. --- src/de/qtc/rmg/internal/ArgumentHandler.java | 2 +- src/de/qtc/rmg/io/Logger.java | 33 +++++++++++++++----- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/src/de/qtc/rmg/internal/ArgumentHandler.java b/src/de/qtc/rmg/internal/ArgumentHandler.java index fc1889de..ff452dc5 100644 --- a/src/de/qtc/rmg/internal/ArgumentHandler.java +++ b/src/de/qtc/rmg/internal/ArgumentHandler.java @@ -111,7 +111,7 @@ private void initialize() Logger.disableColor(); if( RMGOption.SSRF_RAW.getBool() ) - Logger.disable(); + Logger.disableStdout(); PluginSystem.init(RMGOption.GLOBAL_PLUGIN.getValue()); } diff --git a/src/de/qtc/rmg/io/Logger.java b/src/de/qtc/rmg/io/Logger.java index 64ba1862..dd7d46a9 100644 --- a/src/de/qtc/rmg/io/Logger.java +++ b/src/de/qtc/rmg/io/Logger.java @@ -22,10 +22,20 @@ public class Logger { public static int indent = 0; public static int printCount = 0; - public static boolean enabled = true; + public static boolean stdout = true; + public static boolean stderr = true; public static void disable() { - Logger.enabled = false; + Logger.stdout = false; + Logger.stderr = false; + } + + public static void disableStdout() { + Logger.stdout = false; + } + + public static void disableStderr() { + Logger.stderr = false; } public static void disableIfNotVerbose() { @@ -34,7 +44,16 @@ public static void disableIfNotVerbose() { } public static void enable() { - Logger.enabled = true; + Logger.stdout = true; + Logger.stderr = true; + } + + public static void enableStdout() { + Logger.stdout = true; + } + + public static void enableStderr() { + Logger.stderr = true; } public static String blue(String msg) 
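Review bot: `stdout` and `stderr` are public mutable statics even though the same hunk adds enable/disable accessors for each, so any class can still flip them directly, and the names read like stream handles rather than flags. `private static boolean stdoutEnabled = true;` and `private static boolean stderrEnabled = true;`, referenced from the accessors and from log()/elog() in the later hunk, keep the only mutation path behind the methods. If anything outside Logger read the old `Logger.enabled` field it would need the same treatment; the ArgumentHandler hunk only calls `Logger.disableStdout()`, so that seems unlikely but is not visible here.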
@@ -81,7 +100,7 @@ private static void log(String msg) private static void log(String msg, boolean newline) { - if( Logger.enabled ) { + if( Logger.stdout ) { if( newline ) System.out.println(msg); @@ -97,12 +116,12 @@ private static void elog(String msg) private static void elog(String msg, boolean newline) { - if( Logger.enabled ) { + if( Logger.stderr ) { if( newline ) - System.out.println(msg); + System.err.println(msg); else - System.out.print(msg); + System.err.print(msg); } } From 74d80f73cb2987c610ac6eeb7b688fa17a0ebed7 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 21:52:25 +0100 Subject: [PATCH 06/14] Report TLS usage during enum action The enum action now reports whether bound names use TLS or a plaintext connection. --- src/de/qtc/rmg/io/Formatter.java | 17 ++++++++++- src/de/qtc/rmg/io/Logger.java | 15 ++++++++++ src/de/qtc/rmg/utils/RemoteObjectWrapper.java | 30 +++++++++++++++++++ 3 files changed, 61 insertions(+), 1 deletion(-) diff --git a/src/de/qtc/rmg/io/Formatter.java b/src/de/qtc/rmg/io/Formatter.java index 5bac6044..42d18e35 100644 --- a/src/de/qtc/rmg/io/Formatter.java +++ b/src/de/qtc/rmg/io/Formatter.java @@ -248,6 +248,21 @@ private void printLiveRef(RemoteObjectWrapper ref) Logger.print(" "); Logger.printPlainMixedBlue("Endpoint:", ref.getTarget()); - Logger.printlnPlainMixedBlue(" ObjID:", ref.objID.toString()); + + switch( ref.isTLSProtected() ) { + + case 1: + Logger.printPlainMixedGreen(" TLS:", "yes"); + break; + + case -1: + Logger.printPlainMixedRed(" TLS:", "no"); + break; + + default: + Logger.printPlainMixedPurple(" TLS:", "unknown"); + } + + Logger.printlnPlainMixedBlue(" ObjID:", ref.objID.toString()); } } diff --git a/src/de/qtc/rmg/io/Logger.java b/src/de/qtc/rmg/io/Logger.java index dd7d46a9..7a22bc4a 100644 --- a/src/de/qtc/rmg/io/Logger.java +++ b/src/de/qtc/rmg/io/Logger.java 
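Review bot: The switch in printLiveRef dispatches on the int sentinels 1/-1/0 returned by isTLSProtected(), with `default` standing in for 0, so the meaning of each branch is only recoverable from the Javadoc in RemoteObjectWrapper. A small enum on RemoteObjectWrapper (e.g. a constructed `TlsState { YES, NO, UNKNOWN }`) or, at minimum, named constants would let the switch read as `case YES:` instead of `case 1:` and would make the `default` arm explicit rather than a catch-all. printLiveRef starts outside the hunk.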
@@ -239,6 +239,11 @@ public static void printlnPlainMixedRed(String first, String second) log(first + " " + red(second)); } + public static void printPlainMixedRed(String first, String second) + { + log(first + " " + red(second), false); + } + public static void printlnMixedGreen(String first, String second) { log(prefix() + first + " " + green(second)); @@ -249,6 +254,11 @@ public static void printlnPlainMixedGreen(String first, String second) log(first + " " + green(second)); } + public static void printPlainMixedGreen(String first, String second) + { + log(first + " " + green(second), false); + } + public static void printlnMixedPurple(String first, String second) { log(prefix() + first + " " + purple(second)); @@ -259,6 +269,11 @@ public static void printlnPlainMixedPurple(String first, String second) log(first + " " + purple(second)); } + public static void printPlainMixedPurple(String first, String second) + { + log(first + " " + purple(second), false); + } + public static void printlnMixedBlue(String first, String second) { log(prefix() + first + " " + blue(second)); diff --git a/src/de/qtc/rmg/utils/RemoteObjectWrapper.java b/src/de/qtc/rmg/utils/RemoteObjectWrapper.java index fb230d3c..4eabc978 100644 --- a/src/de/qtc/rmg/utils/RemoteObjectWrapper.java +++ b/src/de/qtc/rmg/utils/RemoteObjectWrapper.java @@ -6,11 +6,14 @@ import java.rmi.server.ObjID; import java.rmi.server.RMIClientSocketFactory; import java.rmi.server.RMIServerSocketFactory; +import java.rmi.server.RMISocketFactory; import java.rmi.server.RemoteObjectInvocationHandler; import java.rmi.server.RemoteRef; import java.util.ArrayList; import java.util.List; +import javax.rmi.ssl.SslRMIClientSocketFactory; + import de.qtc.rmg.endpoints.KnownEndpoint; import de.qtc.rmg.endpoints.KnownEndpointHolder; import de.qtc.rmg.internal.ExceptionHandler; 
@@ -170,6 +173,33 @@ public boolean hasDuplicates() return true; } + /** + * Checks whether the socket factory used by the remote object is TLS protected. This function + * returns 1 if the default SslRMIClientSocketFactory class is used. -1 if the default RMISocketFactory + * class is used and 0 if none of the previously mentioned cases applies. Notice that a client + * socket factory with a value of null implies the default socket factory (RMISocketFactory). + * + * @return 1 -> SslRMIClientSocketFactory, -1 -> RMISocketFactory, 0 -> Unknown + */ + public int isTLSProtected() + { + if( csf != null ) { + + Class factoryClass = csf.getClass(); + + if( factoryClass == SslRMIClientSocketFactory.class ) + return 1; + + if( factoryClass == RMISocketFactory.class ) + return -1; + + } else if( remoteObject != null ) { + return -1; + } + + return 0; + } + /** * Add a duplicate to the RemoteObjectWrapper. This should be a wrapper that implements the same * remote interface as the original wrapper. From cccbdf6923a359443d3aa391c6a9f360c91d8549 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 22:22:05 +0100 Subject: [PATCH 07/14] Catch port number out of range exception When the specified port number is out of range, the corresponding exception was not caught so far. --- src/de/qtc/rmg/internal/ArgumentHandler.java | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/de/qtc/rmg/internal/ArgumentHandler.java b/src/de/qtc/rmg/internal/ArgumentHandler.java index ff452dc5..b183f6e6 100644 --- a/src/de/qtc/rmg/internal/ArgumentHandler.java +++ b/src/de/qtc/rmg/internal/ArgumentHandler.java @@ -106,6 +106,7 @@ private void initialize() { config = loadConfig(args.get(RMGOption.GLOBAL_CONFIG.name)); RMGOption.prepareOptions(args, config); + checkPortRange(); if( RMGOption.GLOBAL_NO_COLOR.getBool() ) Logger.disableColor(); 
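Review bot: `Class factoryClass = csf.getClass();` in isTLSProtected() is a raw type; `Class<?> factoryClass = csf.getClass();` removes the rawtypes warning with no behaviour change. Separately, the `factoryClass == RMISocketFactory.class` branch compares against an abstract class, so it presumably only matches if a deserialized factory were literally of that class; the default-factory case appears to be handled by the `csf == null` path instead, which deserves a one-line comment so the dead-looking branch is not "fixed" later. The exact-class comparison also means subclasses of SslRMIClientSocketFactory report 0 (unknown); if that is intended, the Javadoc should say so.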
@@ -116,6 +117,23 @@ private void initialize() PluginSystem.init(RMGOption.GLOBAL_PLUGIN.getValue()); } + /** + * If the current action uses the TARGET_PORT argument, this function validates that the specified + * port number is not out of range. + */ + private void checkPortRange() + { + if( RMGOption.TARGET_PORT.isNull() ) + return; + + int port = RMGOption.TARGET_PORT.getValue(); + + if( port < 1 || port > 65535 ) { + Logger.eprintlnMixedYellow("The specified port number", String.valueOf(port), "is out of range."); + RMGUtils.exit(); + } + } + /** * Returns the user specified remote-method-guesser action. * From 6dbfbeb569a182d1d90a1cc898571e8b42daacd5 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 23:03:35 +0100 Subject: [PATCH 08/14] [docker] Update log format of the SSRF server The SSRF server now logs the hexdump of received curl responses. This makes debugging easier. --- .../qtc/rmg/server/ssrf/http/SSRFHandler.java | 42 +++++++++++++------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/docker/ssrf-server/resources/server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java b/docker/ssrf-server/resources/server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java index 16ac3a2f..24b7ead3 100644 --- a/docker/ssrf-server/resources/server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java +++ b/docker/ssrf-server/resources/server/src/de/qtc/rmg/server/ssrf/http/SSRFHandler.java @@ -1,6 +1,8 @@ package de.qtc.rmg.server.ssrf.http; +import java.io.ByteArrayOutputStream; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStream; import com.sun.net.httpserver.HttpExchange; @@ -8,6 +10,7 @@ import de.qtc.rmg.server.ssrf.utils.Logger; +import org.apache.commons.io.HexDump; import org.apache.commons.io.IOUtils; /** 
@@ -49,29 +52,44 @@ public void handle(HttpExchange t) throws IOException } else { - byte[] output = null; - int length = urlParam.length() > 50 ? 50 : urlParam.length(); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + int length = urlParam.length() > 57 ? 57 : urlParam.length(); Logger.printlnMixedYellow("url parameter:", urlParam.substring(0, length) + "[...]"); - Process p = Runtime.getRuntime().exec(new String[] {"curl", urlParam}); + Process p = Runtime.getRuntime().exec(new String[] {"curl", urlParam}); int exitStatus = p.waitFor(); - Logger.printlnMixedBlue("curl exit status:", String.valueOf(exitStatus)); - if( exitStatus != 0 ) { - output = IOUtils.toByteArray(p.getErrorStream()); + Logger.printlnMixedBlue("curl exit status:", String.valueOf(exitStatus)); + InputStream stream; - Logger.printlnMixedYellow("Stderr:", new String(output)); - Logger.printlnMixedBlue("Sending", "500 Internal Server Error", "response."); - t.sendResponseHeaders(500, output.length); + if( exitStatus == 0 ) { + stream = p.getInputStream(); + Logger.println("Stdout:"); } else { - output = IOUtils.toByteArray(p.getInputStream()); - length = output.length > 50 ? 50 : output.length; + stream = p.getErrorStream(); + Logger.println("Stderr:"); + } + + byte[] output = IOUtils.toByteArray(stream); + HexDump.dump(output, 0, bos, 0); + String[] hexDump = new String(bos.toByteArray()).split("\n"); - Logger.printlnMixedYellow("Stdout:", new String(output).substring(0, length)); + Logger.increaseIndent(); + + for(String line : hexDump) + Logger.printlnBlue(line); + + Logger.decreaseIndent(); + + if( exitStatus == 0 ) { Logger.printlnMixedBlue("Sending", "200 OK", "response."); t.sendResponseHeaders(200, output.length); + + } else { + Logger.printlnMixedBlue("Sending", "500 Internal Server Error", "response."); + t.sendResponseHeaders(500, output.length); } response.write(output); From ccb1fb05d67d3e640ac19557c349e2b3288daf88 Mon Sep 17 00:00:00 2001 
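Review bot: `HexDump.dump(output, 0, bos, 0)` throws ArrayIndexOutOfBoundsException when `output` is empty, because commons-io rejects an index that is not below `data.length`; an empty curl body (exit status 0 with no stdout) therefore escapes the `IOException | InterruptedException` catch below and the exchange is presumably left without a response. Guard it with `if( output.length > 0 ) HexDump.dump(output, 0, bos, 0);`; the loop over `hexDump` then prints a single empty line, which is harmless. `new String(bos.toByteArray())` also uses the platform charset; the dump is ASCII so it works, but `bos.toString("US-ASCII")` states that explicitly. Reading the streams only after `p.waitFor()` is carried over from the old code and can stall on large responses, though that is pre-existing. handle() starts and ends outside the hunk.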
From: TNeitzel Date: Wed, 22 Dec 2021 23:05:31 +0100 Subject: [PATCH 09/14] [docker] Bump SSRF server version number --- docker/ssrf-server/docker-compose.yml | 2 +- docker/ssrf-server/resources/server/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/ssrf-server/docker-compose.yml b/docker/ssrf-server/docker-compose.yml index 0c6c7f63..ad37ad93 100644 --- a/docker/ssrf-server/docker-compose.yml +++ b/docker/ssrf-server/docker-compose.yml @@ -2,5 +2,5 @@ version: '3.7' services: rmg: - image: ghcr.io/qtc-de/remote-method-guesser/rmg-ssrf-server:1.1 + image: ghcr.io/qtc-de/remote-method-guesser/rmg-ssrf-server:1.2 build: . diff --git a/docker/ssrf-server/resources/server/pom.xml b/docker/ssrf-server/resources/server/pom.xml index 1c39ef04..58b3092c 100644 --- a/docker/ssrf-server/resources/server/pom.xml +++ b/docker/ssrf-server/resources/server/pom.xml @@ -5,7 +5,7 @@ de.qtc.rmg.server.ssrf rmg-ssrf-server - 1.0.0 + 1.2.0 rmg-ssrf-server RMG SSRF Server From b46994e5e5071576c5e36bd0db01c9b13e5b3a6e Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 23:06:34 +0100 Subject: [PATCH 10/14] [docker] Bump example server version number Nothing changed, but the version number was not updated during the last releases. --- docker/example-server/resources/server/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/example-server/resources/server/pom.xml b/docker/example-server/resources/server/pom.xml index 343599af..f7f2ec31 100644 --- a/docker/example-server/resources/server/pom.xml +++ b/docker/example-server/resources/server/pom.xml @@ -3,7 +3,7 @@ 4.0.0 de.qtc.rmg.server.ExampleServer rmg-example-server - 2.0.0 + 3.1.0 rmg-example-server RMG Example Server From a62fc457d96670cd647e237365c938504b4ca860 Mon Sep 17 00:00:00 2001 
From: TNeitzel Date: Wed, 22 Dec 2021 23:09:51 +0100 Subject: [PATCH 11/14] Update CHANGELOG.md and bump version number --- CHANGELOG.md | 21 +++++++++++++++++++++ pom.xml | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85470c3c..60552162 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,27 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [4.1.0] - Dec 23, 2021 + +### Added + +* Add *TLS* enumeration during ``enum`` action. + +### Changed + +* Error messages are now printed to stderr. +* Bugfix: Error messages not being shown when using ``--raw`` +* Bugfix: Uncaught ``UnknownHostException`` +* Bugfix: Uncaught exception during ``call`` action when used with wrong argument count +* Bugfix: Uncaught exception during ``call`` action when no signature was specified +* Bugfix: Uncaught exception when the specified port number is out of range + +### Docker + +* The *SSRF* server now logs in hexdump format +* Bugfix: Indentation issue within the *SSRF* server + + ## [4.0.0] - Dec 05, 2021 ### Added diff --git a/pom.xml b/pom.xml index 415bb26b..df5768ff 100644 --- a/pom.xml +++ b/pom.xml @@ -8,7 +8,7 @@ remote-method-guesser remote-method-guesser jar - 4.0.0 + 4.1.0 Identify common misconfigurations on Java RMI endpoints From caa9134596477e033a274d212dd3fce151358348 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 23:25:02 +0100 Subject: [PATCH 12/14] Fix --no-color bug when invalid port was specified --- src/de/qtc/rmg/internal/ArgumentHandler.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/de/qtc/rmg/internal/ArgumentHandler.java b/src/de/qtc/rmg/internal/ArgumentHandler.java index b183f6e6..352a0627 100644 --- a/src/de/qtc/rmg/internal/ArgumentHandler.java +++ b/src/de/qtc/rmg/internal/ArgumentHandler.java 
@@ -106,7 +106,6 @@ private void initialize() { config = loadConfig(args.get(RMGOption.GLOBAL_CONFIG.name)); RMGOption.prepareOptions(args, config); - checkPortRange(); if( RMGOption.GLOBAL_NO_COLOR.getBool() ) Logger.disableColor(); @@ -114,6 +113,8 @@ private void initialize() if( RMGOption.SSRF_RAW.getBool() ) Logger.disableStdout(); + checkPortRange(); + PluginSystem.init(RMGOption.GLOBAL_PLUGIN.getValue()); } From 23dc0963277da3bd875deb7d1a0a70877a36c469 Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 23:41:16 +0100 Subject: [PATCH 13/14] [test] Update test cases --- tests/generic/tests/rogue-jmx.yml | 2 +- tests/generic/tests/ssrf-response.yml | 2 +- tests/jdk11/tests/enum.yml | 2 +- tests/jdk11/tests/listen.yml | 3 +-- tests/jdk8/tests/enum.yml | 2 +- tests/jdk8/tests/listen.yml | 3 +-- tests/jdk9/tests/enum.yml | 2 +- tests/jdk9/tests/listen.yml | 3 +-- tests/tricot.yml | 2 +- 9 files changed, 9 insertions(+), 12 deletions(-) diff --git a/tests/generic/tests/rogue-jmx.yml b/tests/generic/tests/rogue-jmx.yml index 65243aef..4512f99d 100644 --- a/tests/generic/tests/rogue-jmx.yml +++ b/tests/generic/tests/rogue-jmx.yml @@ -12,7 +12,7 @@ tester: containers: - name: 'rmg-ssrf' - image: 'ghcr.io/qtc-de/remote-method-guesser/rmg-ssrf-server:1.0' + image: 'ghcr.io/qtc-de/remote-method-guesser/rmg-ssrf-server:1.2' network_mode: host diff --git a/tests/generic/tests/ssrf-response.yml b/tests/generic/tests/ssrf-response.yml index ddd1a140..ef2cae4b 100644 --- a/tests/generic/tests/ssrf-response.yml +++ b/tests/generic/tests/ssrf-response.yml @@ -78,7 +78,7 @@ tests: values: - 'plain-server' - 'de.qtc.rmg.server.interfaces.IPlainServer (unknown class)' - - 'Endpoint: iinsecure.dev:37797 ObjID: [79bf1d8a:17b14e4e4b0:-7ff8, -8372830402508756097]' + - 'Endpoint: iinsecure.dev:37797 TLS: no ObjID: [79bf1d8a:17b14e4e4b0:-7ff8, -8372830402508756097]' - 'http://iinsecure.dev/well-hidden-development-folder/' 
diff --git a/tests/jdk11/tests/enum.yml b/tests/jdk11/tests/enum.yml index 90dee9bd..a41e6757 100644 --- a/tests/jdk11/tests/enum.yml +++ b/tests/jdk11/tests/enum.yml @@ -40,7 +40,7 @@ tests: description: |- 'Check whether objID values are displayed' match: - - 'Endpoint: iinsecure.dev:\d+ ObjID: \[[0-9a-f:-]+, [0-9-]+\]' + - 'Endpoint: iinsecure.dev:\d+ TLS: (yes|no|unknown) ObjID: \[[0-9a-f:-]+, [0-9-]+\]' - contains: description: |- diff --git a/tests/jdk11/tests/listen.yml b/tests/jdk11/tests/listen.yml index 330628e3..4ae3d811 100644 --- a/tests/jdk11/tests/listen.yml +++ b/tests/jdk11/tests/listen.yml @@ -119,8 +119,7 @@ tests: - error: True - contains: values: - - Caught IllegalArgumentException - - 'Port value out of range: 4444444' + - The specified port number 44444444 is out of range - Cannot continue from here diff --git a/tests/jdk8/tests/enum.yml b/tests/jdk8/tests/enum.yml index d3a1be01..89f3f7b2 100644 --- a/tests/jdk8/tests/enum.yml +++ b/tests/jdk8/tests/enum.yml @@ -40,7 +40,7 @@ tests: description: |- 'Check whether objID values are displayed' match: - - 'Endpoint: iinsecure.dev:\d+ ObjID: \[[0-9a-f:-]+, [0-9-]+\]' + - 'Endpoint: iinsecure.dev:\d+ TLS: (yes|no|unknown) ObjID: \[[0-9a-f:-]+, [0-9-]+\]' - contains: description: |- diff --git a/tests/jdk8/tests/listen.yml b/tests/jdk8/tests/listen.yml index 8e23ee27..13cdffc4 100644 --- a/tests/jdk8/tests/listen.yml +++ b/tests/jdk8/tests/listen.yml @@ -119,8 +119,7 @@ tests: - error: True - contains: values: - - Caught IllegalArgumentException - - 'Port value out of range: 4444444' + - The specified port number 44444444 is out of range - Cannot continue from here diff --git a/tests/jdk9/tests/enum.yml b/tests/jdk9/tests/enum.yml index 6deb8ec3..14dda40b 100644 --- a/tests/jdk9/tests/enum.yml +++ b/tests/jdk9/tests/enum.yml 
@@ -40,7 +40,7 @@ tests: description: |- 'Check whether objID values are displayed' match: - - 'Endpoint: iinsecure.dev:\d+ ObjID: \[[0-9a-f:-]+, [0-9-]+\]' + - 'Endpoint: iinsecure.dev:\d+ TLS: (yes|no|unknown) ObjID: \[[0-9a-f:-]+, [0-9-]+\]' - contains: description: |- diff --git a/tests/jdk9/tests/listen.yml b/tests/jdk9/tests/listen.yml index 67b78224..932a43ff 100644 --- a/tests/jdk9/tests/listen.yml +++ b/tests/jdk9/tests/listen.yml @@ -119,8 +119,7 @@ tests: - error: True - contains: values: - - Caught IllegalArgumentException - - 'Port value out of range: 4444444' + - The specified port number 44444444 is out of range - Cannot continue from here diff --git a/tests/tricot.yml b/tests/tricot.yml index 68242c73..52fe95e5 100644 --- a/tests/tricot.yml +++ b/tests/tricot.yml @@ -7,7 +7,7 @@ tester: variables: - rmg: rmg-4.0.0-jar-with-dependencies.jar + rmg: rmg-4.1.0-jar-with-dependencies.jar volume: /tmp/rmg-tricot-test/ volume-d: /rce/ codebase-class: CodebaseTest From 7669062af7bda5ed9338867f0c1307ddaf1fe8bd Mon Sep 17 00:00:00 2001 From: TNeitzel Date: Wed, 22 Dec 2021 23:41:54 +0100 Subject: [PATCH 14/14] Fix stderr bugs Some error messages still used split output to stderr and stdout. This should now be fixed. --- src/de/qtc/rmg/internal/ExceptionHandler.java | 4 ++-- src/de/qtc/rmg/io/Logger.java | 11 +++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/de/qtc/rmg/internal/ExceptionHandler.java b/src/de/qtc/rmg/internal/ExceptionHandler.java index 57008593..120e2ca7 100644 --- a/src/de/qtc/rmg/internal/ExceptionHandler.java +++ b/src/de/qtc/rmg/internal/ExceptionHandler.java 
@@ -189,7 +189,7 @@ public static void noJRMPServer(Exception e, String during1, String during2) { Logger.eprintlnMixedYellow("Caught unexpected", "ConnectIOException", "during " + during1 + " " + during2 + "."); Logger.eprintMixedBlue("Remote endpoint is either", "no RMI endpoint", "or uses an"); - Logger.printlnPlainBlue(" SSL socket."); + Logger.eprintlnPlainBlue(" SSL socket."); ExceptionHandler.sslOption(); @@ -499,7 +499,7 @@ public static void connectionReset(Exception e, String during1, String during2) { Logger.eprintlnMixedYellow("Caught", "Connection Reset", "during " + during1 + " " + during2 + "."); Logger.eprintMixedBlue("The specified port is probably", "not an RMI service "); - Logger.printlnPlainMixedBlue("or you used a wrong", "TLS", "setting."); + Logger.eprintlnPlainMixedBlue("or you used a wrong", "TLS", "setting."); ExceptionHandler.sslOption(); ExceptionHandler.showStackTrace(e); diff --git a/src/de/qtc/rmg/io/Logger.java b/src/de/qtc/rmg/io/Logger.java index 7a22bc4a..8746cc2c 100644 --- a/src/de/qtc/rmg/io/Logger.java +++ b/src/de/qtc/rmg/io/Logger.java @@ -323,11 +323,22 @@ public static void printlnPlainMixedBlue(String first, String second) log(first + " " + blue(second)); } + public static void eprintlnPlainMixedBlue(String first, String second) + { + elog(first + " " + blue(second)); + } + public static void printlnPlainMixedBlue(String first, String second, String third) { log(first + " " + blue(second) + " " + third); } + public static void eprintlnPlainMixedBlue(String first, String second, String third) + { + elog(first + " " + blue(second) + " " + third); + } + + public static void printPlainMixedBlue(String first, String second) { log(first + " " + blue(second), false);
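Review bot: The two fixes move the continuation lines of noJRMPServer and connectionReset from `Logger.printlnPlain...` to `Logger.eprintlnPlain...`, but the description says "some" messages were split and only these two sites are touched; with `--raw` now disabling stdout only, any remaining `Logger.print*` continuation inside ExceptionHandler would still silently drop half of an error message. A grep for `Logger.print` within ExceptionHandler before merging would confirm these are the last two. The `eprintlnPlainMixedBlue` overloads they rely on are added in the Logger hunk of this patch, which runs past the visible source.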