ysoserial JRMPListener模块深度分析<\/h1>

一、JRMPListener模块概述<\/h2>
JRMPListener是ysoserial工具中的一个利用模块，主要功能是通过反序列化漏洞在目标主机上开启一个JRMP Server服务。该模块的核心是利用Java反序列化机制，特别是`UnicastRemoteObject<\/code>类的readObject<\/code>方法，来实现远程命令执行。<\/p>`

二、技术原理<\/h2>
1. 核心利用链<\/h3>
JRMPListener模块的利用基于以下技术原理：<\/p>

利用UnicastRemoteObject<\/code>类的readObject<\/code>方法在反序列化时会自动调用reexport<\/code>方法<\/li>
reexport<\/code>方法会调用exportObject<\/code>，从而开启JRMP监听服务<\/li>
攻击者可以通过JRMP协议与这个服务交互，实现远程命令执行<\/li>
<\/ul>
2. 关键类分析<\/h3>
ActivationGroupImpl<\/h4>

ActivationGroupImpl<\/code>是UnicastRemoteObject<\/code>的子类<\/li>
被选为主要利用类是因为它能够方便地构造出UnicastRemoteObject<\/code>实例<\/li>
实际利用中，ActivationGroupImpl<\/code>可以被替换为UnicastRemoteObject<\/code>本身<\/li>
<\/ul>
UnicastRemoteObject<\/h4>

核心类，实现了readObject<\/code>方法<\/li>
反序列化时会自动调用reexport<\/code>方法<\/li>
reexport<\/code>方法会调用exportObject<\/code>，开启JRMP监听<\/li>
<\/ul>
UnicastServerRef<\/h4>

负责实际的JRMP服务端实现<\/li>
包含exportObject<\/code>方法，用于导出远程对象<\/li>
<\/ul>
三、利用流程详解<\/h2>


构造恶意序列化数据<\/strong>：<\/p>

使用newConstructorForSerialization<\/code>创建UnicastRemoteObject<\/code>或其子类实例<\/li>
设置端口号为攻击者指定的值<\/li>
序列化该对象<\/li>
<\/ul>
<\/li>

发送恶意数据<\/strong>：<\/p>

将序列化数据发送到目标服务器的反序列化入口点<\/li>
<\/ul>
<\/li>

目标服务器反序列化<\/strong>：<\/p>

目标服务器反序列化数据时调用UnicastRemoteObject.readObject<\/code><\/li>
readObject<\/code>调用reexport<\/code>方法<\/li>
reexport<\/code>调用exportObject<\/code>开启JRMP监听<\/li>
<\/ul>
<\/li>

二次攻击<\/strong>：<\/p>

攻击者使用JRMPClient连接新开启的JRMP服务<\/li>
发送实际的攻击payload执行命令<\/li>
<\/ul>
<\/li>
<\/ol>
四、关键代码分析<\/h2>
1. 序列化对象构造<\/h3>
\/\/ 使用newConstructorForSerialization创建对象
<\/span><\/span><\/span><\/span>Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.rmi.server.UnicastServerRef"<\/span>);<\/span>
<\/span><\/span>Constructor<?><\/span> constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>ObjID.<\/span>class<\/span>,<\/span> TCPEndpoint.<\/span>class<\/span>,<\/span> boolean<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造UnicastServerRef实例
<\/span><\/span><\/span><\/span>Object unicastServerRef =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>
<\/span><\/span>    new<\/span> ObjID(<\/span>ObjID.<\/span>ACTIVATOR_ID<\/span>),<\/span> 
<\/span><\/span>    new<\/span> TCPEndpoint(<\/span>port),<\/span> 
<\/span><\/span>    true<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建RemoteObject子类实例
<\/span><\/span><\/span><\/span>Class<?><\/span> remoteObjectClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.rmi.server.RemoteObject"<\/span>);<\/span>
<\/span><\/span>Constructor<?><\/span> remoteObjectConstructor =<\/span> remoteObjectClass.<\/span>getDeclaredConstructor<\/span>(<\/span>RemoteRef.<\/span>class<\/span>);<\/span>
<\/span><\/span>remoteObjectConstructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Object remoteObject =<\/span> remoteObjectConstructor.<\/span>newInstance<\/span>(<\/span>unicastServerRef);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建最终的反序列化对象
<\/span><\/span><\/span><\/span>Class<?><\/span> unicastRemoteObjectClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.rmi.server.UnicastRemoteObject"<\/span>);<\/span>
<\/span><\/span>Constructor<?><\/span> unicastRemoteObjectConstructor =<\/span> Serializable.<\/span>class<\/span>.<\/span>cast<\/span>(<\/span>
<\/span><\/span>    Reflections.<\/span>getFirstCtor<\/span>(<\/span>"sun.rmi.server.UnicastRemoteObject"<\/span>)<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Object unicastRemoteObject =<\/span> Reflections.<\/span>newInstanceForConstructor<\/span>(<\/span>
<\/span><\/span>    unicastRemoteObjectConstructor,<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>RemoteRef.<\/span>class<\/span>},<\/span>
<\/span><\/span>    new<\/span> Object[]{<\/span>unicastServerRef}<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. UnicastRemoteObject.readObject关键代码<\/h3>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream in)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    in.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    reexport();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> void<\/span> reexport<\/span>()<\/span> throws<\/span> RemoteException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>ref !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        ref.<\/span>exportObject<\/span>(<\/span>this<\/span>,<\/span> null<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>五、技术要点总结<\/h2>


反序列化利用条件<\/strong>：<\/p>

目标类或其父类实现了自定义的readObject<\/code>方法<\/li>
该readObject<\/code>方法能够执行危险操作（如开启网络服务）<\/li>
<\/ul>
<\/li>

JRMPListener特点<\/strong>：<\/p>

不依赖常见的InvocationHandler<\/code>或Proxy<\/code>机制<\/li>
利用UnicastRemoteObject<\/code>的内置反序列化行为<\/li>
需要二次攻击（先开启服务，再通过JRMP发送实际payload）<\/li>
<\/ul>
<\/li>

构造技巧<\/strong>：<\/p>

可以使用UnicastRemoteObject<\/code>或其子类（如ActivationGroupImpl<\/code>）<\/li>
父类可以选择RemoteObject<\/code>或RemoteServer<\/code><\/li>
端口号通过UnicastServerRef<\/code>的TCPEndpoint<\/code>设置<\/li>
<\/ul>
<\/li>
<\/ol>
六、防御建议<\/h2>


输入验证<\/strong>：<\/p>

对所有反序列化入口进行严格校验<\/li>
使用白名单机制限制可反序列化的类<\/li>
<\/ul>
<\/li>

安全配置<\/strong>：<\/p>

使用Java安全管理器限制危险操作<\/li>
配置java.rmi.server.useCodebaseOnly=true<\/code><\/li>
<\/ul>
<\/li>

代码加固<\/strong>：<\/p>

重写关键类的readObject<\/code>方法增加安全检查<\/li>
使用ObjectInputFilter<\/code>过滤危险类<\/li>
<\/ul>
<\/li>

网络防护<\/strong>：<\/p>

限制不必要的JRMP端口开放<\/li>
监控异常的JRMP连接行为<\/li>
<\/ul>
<\/li>
<\/ol>
七、扩展思考<\/h2>


与RMI的关系<\/strong>：<\/p>

RMI基于JRMP协议实现<\/li>
可以使用RMI Client攻击JRMPListener开启的服务<\/li>
但需要注意Java沙盒限制（ExecCheckingSecurityManager<\/code>）<\/li>
<\/ul>
<\/li>

反制风险<\/strong>：<\/p>

攻击者可能利用JRMPListener进行反制<\/li>
需谨慎处理不受信任的JRMP连接<\/li>
<\/ul>
<\/li>

变种利用<\/strong>：<\/p>

可尝试结合其他gadget链增强攻击效果<\/li>
探索其他readObject<\/code>方法的潜在利用点<\/li>
<\/ul>
<\/li>
<\/ol>
通过深入理解JRMPListener的工作原理，安全研究人员可以更好地防御此类攻击，同时也能够开发更有效的检测和防护方案。<\/p>