ISSW 2015
ABUSING JAVA REMOTE
INTERFACES
Juan Vazquez
Index
2
• About me
• Motivation
• RMI 101
• Java Object Serialization Protocol
• RMI: Method invocation
• Case Study: java_rmi_registry
• Case Study: java_rmi_server
• Case Study: java_jmx_server
• Conclusions
RMI: Remote Method Invocation
JMX: Java Management Extensions
About me
3
• I’m not a Java developer
• I’m not a Java hacker
• Exploit Developer at Rapid7
–  Metasploit-Framework
• My English… sorry!
Motivation
4
• Leon Johnson, awesome pentester at Rapid7,
asked about a module for exploiting JMX RMI
endpoints.
• Excellent write-up from Braden Thomas:
–  http://www.accuvant.com/blog/exploiting-jmx-rmi
Motivation
5
Motivation
6
Motivation
7
RMI 101
8
• Wikipedia says:
"The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection." *
* For a better introduction, the Java specs are more useful, but it's hard to find 1 summary sentence in the specs :)
RMI 101. Hello World!
9
RMI 101. Hello World!
10
RMI 101. Hello World!
11
RMI 101. Hello World!
12
Server:
C:\rmi_hello_world>start rmiregistry
C:\rmi_hello_world>javac -cp . example\hello\*.java
C:\rmi_hello_world>java -cp . example.hello.Server
Server ready

Client:
C:\rmi_hello_world>javac -cp . example\hello\*.java
C:\rmi_hello_world>java -cp . example.hello.Client 172.16.158.132
response: Hello, world!
RMI 101. RMI Transport Protocol
13
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
RMI 101. RMI Transport Protocol.
14
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
RMI 101. RMI Transport Protocol
15
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
16
17
18
RMI 101. RMI Transport Protocol
19
"Call and return data in RMI calls are formatted using the Java Object Serialization Protocol"
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
Java Object Serialization Protocol
20
"The ability to store and retrieve JavaTM objects is essential to building all but the most transient applications. The key to storing and retrieving objects in a serialized form is representing the state of objects sufficient to reconstruct the object(s)."
http://docs.oracle.com/javase/7/docs/platform/serialization/spec/serialTOC.html
Warning: If you haven't fought with Java Serialization before, the specs and the grammar can be confusing…
Java Object Serialization Protocol
21
• Use small programs to get serialized samples.

import java.io.*;

public class NewArrayInts
{
    public static void main(String [] args)
    {
        int[] anArray;
        anArray = new int[2];
        anArray[0] = -20;
        anArray[1] = 0x41;
        try
        {
            // Write the array with ObjectOutputStream to get a sample stream on disk
            FileOutputStream fileOut =
                new FileOutputStream("new_array_ints.ser");
            ObjectOutputStream out = new ObjectOutputStream(fileOut);
            out.writeObject(anArray);
            out.close();
            fileOut.close();
        } catch(IOException i)
        {
            i.printStackTrace();
        }
    }
}
Java Object Serialization Protocol
22
stream:
    magic version contents
contents:
    content
    contents content
content:
    object
    blockdata
object:
    newArray
newArray:
    TC_ARRAY classDesc newHandle <size> values
classDesc:
    newClassDesc
    nullReference
    (ClassDesc)prevObject
newClassDesc:
    TC_CLASSDESC className serialVersionUID newHandle classDescInfo
className:
    (utf)
serialVersionUID:
    (long)
classDescInfo:
    classDescFlags fields classAnnotation superClassDesc
classDescFlags:
    (byte)
fields:
    (short)<count> fieldDesc[count]
classAnnotation:
    endBlockData
    contents endBlockData
superClassDesc:
    classDesc
http://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html#10258
Java Object Serialization Protocol
23
$ hexdump new_array_ints.ser
0000000 ac ed 00 05 75 72 00 02 5b 49 4d ba 60 26 76 ea
0000010 b2 a5 02 00 00 78 70 00 00 00 02 ff ff ff ec 00
0000020 00 00 41

Byte-by-byte annotation of the stream:
ac ed                    STREAM_MAGIC
00 05                    STREAM_VERSION
75                       TC_ARRAY
72                       TC_CLASSDESC
00 02 5b 49              className: [I
4d ba 60 26 76 ea b2 a5  SerialVersionUID
02                       classDescFlags: SC_SERIALIZABLE
00 00                    fields count
78                       TC_ENDBLOCKDATA (classAnnotation)
70                       TC_NULL (superClassDesc)
00 00 00 02              (int)<size>
ff ff ff ec              value[0] = -20
00 00 00 41              value[1] = 0x41

$ serialver [I
[I:    static final long serialVersionUID = 5600894804908749477L;
Java Object Serialization Protocol
24
• Also, you have two useful (Java)
classes:
–  java.io.ObjectOutputStream
–  java.io.ObjectInputStream
• Read and debug them!
Java Object Serialization Protocol
25
• Several days later…:
–  Rex::Java::Serialization: Not full support, but good enough for our purposes.
   •  Includes modeling for the different entities as described in the Java Serialization Protocol specs/grammar.
   •  Every object can decode itself (unserialization) from an IO or encode itself (serialization).
   •  Rex::Java::Serialization::Builder allows easy building of some elements.
–  Also: tools/java_deserializer.rb allows inspecting Java serialized streams, zooming into arrays and objects.
Java Object Serialization Protocol
26
$ tools/java_deserializer.rb /tmp/call_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90,
0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80,
0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37,
0x24, 0xdf ] }
]
@references: [
]
Java Object Serialization Protocol
27
$ tools/java_deserializer.rb /tmp/return_demo.bin
[*] Deserializing...

@magic: 0xaced
@version: 5
@contents: [
BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c,
0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
Utf { Hello, world! }
]
@references: [
[7e0000] Utf { Hello, world! }
]
Finally…
28
BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
Finally…
29
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html

@contents: [
BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
Utf { Hello, world! }
]
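The two BlockData payloads above decoded against the rmi-protocol4 grammar (CallData: ObjectIdentifier Operation Hash; ReturnValue: ReturnType UniqueIdentifier), as an added Ruby example that is not code from the talk or from Rex::Proto::Rmi; the bytes are the ones printed by java_deserializer.rb on the previous slides, and the serialized arguments or return value (the "Hello, world!" Utf) follow the block as ordinary stream content.

```ruby
require 'stringio'

# ReturnType values from the RMI spec: 0x01 normal return, 0x02 exception thrown.
RETURN_TYPES = { 0x01 => :normal, 0x02 => :exception }.freeze

# BlockData bytes copied from the java_deserializer.rb output on the slides.
CALL_BLOCK = [
  0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c,
  0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37,
  0x24, 0xdf
].pack('C*')

RETURN_BLOCK = [
  0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb
].pack('C*')

def take(io, n)
  data = io.read(n)
  raise "truncated block data: wanted #{n} more bytes" if data.nil? || data.bytesize != n
  data
end

# UniqueIdentifier: (int) unique, (long) time, (short) count, i.e. a
# java.rmi.server.UID. The count is a signed short that starts at Short.MIN_VALUE.
def read_uid(io)
  unique, time, count = take(io, 14).unpack('l>q>s>')
  { unique: unique, time: time, count: count }
end

# CallData: ObjectIdentifier Operation Hash (Arguments follow outside the block).
def parse_call_data(bytes)
  io = StringIO.new(bytes)
  obj_num   = take(io, 8).unpack1('q>')   # ObjectNumber identifying the exported object
  uid       = read_uid(io)
  operation = take(io, 4).unpack1('l>')   # -1: dispatch by method hash (1.2 stub protocol)
  hash      = take(io, 8).unpack1('q>')   # method hash when operation is -1
  raise "#{io.size - io.pos} trailing bytes after CallData header" unless io.eof?
  { obj_num: obj_num, uid: uid, operation: operation, hash: hash }
end

# ReturnValue: ReturnType UniqueIdentifier (the Value follows outside the block).
def parse_return_value(bytes)
  io = StringIO.new(bytes)
  type_byte = take(io, 1).unpack1('C')
  type = RETURN_TYPES.fetch(type_byte) { raise format('unknown ReturnType 0x%02x', type_byte) }
  uid = read_uid(io)
  raise "#{io.size - io.pos} trailing bytes after ReturnValue header" unless io.eof?
  { return_type: type, uid: uid }
end

if __FILE__ == $PROGRAM_NAME
  p parse_call_data(CALL_BLOCK)
  p parse_return_value(RETURN_BLOCK)
end
```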
Finally….
30
• Rex::Proto::Rmi
–  Model for the RMI protocol as described in the specs / grammar. Every object can read itself from an IO or write itself into a String.
• Msf::Java::Rmi::Client
–  Mixin including the Exploit::Remote::TCP one
–  Methods to make RMI calls easier from the modules.
–  Also methods to build calls for some common RMI endpoints
   •  Registry
   •  JMX Management
RMI Method Invocation
31
• In order to debug RMI calls, let’s understand them a little bit better.
• Use RMIC to generate the stubs (v1.2). It’s not needed anymore, since
nowadays static stubs are deprecated in favor of dynamic code.
• It will generate a new class HelloImpl_Stub.class.
rmic -classpath . example.hello.HelloImpl
RMI Method Invocation
32
[Class diagram of the generated stub]
  example.hello.HelloImpl_Stub extends java.rmi.server.RemoteStub, which extends java.rmi.server.RemoteObject
  example.hello.HelloImpl_Stub implements example.hello.Hello, which extends java.rmi.Remote
  java.rmi.server.RemoteObject holds the field ref: java.rmi.server.RemoteRef
  sun.rmi.server.UnicastRef implements java.rmi.server.RemoteRef
RMI Method Invocation
33
Case Study: java_rmi_registry
34
• The RMI Registry is just a remote
object provided by Java, so every
virtual machine knows its interface.
• Listens on a well known port
–  1099/TCP.
Case Study: java_rmi_registry
35
msf > use auxiliary/gather/java_rmi_registry
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.131
rhost => 172.16.158.131
msf auxiliary(java_rmi_registry) > run

[*] 172.16.158.131:1099 - Sending RMI Header...
[*] 172.16.158.131:1099 - Listing names in the Registry...
[+] 172.16.158.131:1099 - 1 names found in the Registry
[+] 172.16.158.131:1099 - Name Hello (example.hello.HelloImpl_Stub) found on 172.16.158.131:1175
[*] Auxiliary module execution completed
Case Study: java_rmi_server
36
Credits: Michael Schierl @mihi42
http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-arch5.html
"RMI allows parameters, return values and exceptions passed in RMI calls to be any object that is serializable. RMI uses the object serialization mechanism to transmit data from one virtual machine to another and also annotates the call stream with the appropriate location information so that the class definition files can be loaded at the receiver."
Case Study: java_rmi_server
37
Case Study: java_rmi_server
38
Case Study: java_rmi_server
39
Case Study: java_jmx_server
40
Credits: Braden Thomas
http://www.accuvant.com/blog/exploiting-jmx-rmi
msf auxiliary(java_rmi_registry) > set rhost 172.16.158.132
rhost => 172.16.158.132
msf auxiliary(java_rmi_registry) > set rport 1617
rport => 1617
msf auxiliary(java_rmi_registry) > run

[*] 172.16.158.132:1617 - Sending RMI Header...
[*] 172.16.158.132:1617 - Listing names in the Registry...
[+] 172.16.158.132:1617 - 1 names found in the Registry
[+] 172.16.158.132:1617 - Name jmxrmi (javax.management.remote.rmi.RMIServerImpl_Stub) found on 172.16.158.132:1471
[*] Auxiliary module execution completed
Case Study: java_jmx_server
41
Case Study: java_jmx_server
42
Case Study: java_jmx_server
43
DEMO
Conclusions
45
• Ruby Support on MSF for:
–  Java Serialization
–  RMI
–  Some JMX
No more RAW streams!
Conclusions
46
• Lots of examples:
–  All the RMI/JMX modules have been ported.
–  Specs
–  New modules: java_rmi_registry, java_jmx_server
• TODO
–  Full Java Serialization support.
–  Exploit all the things! PRs are super welcome!
QUESTIONS?
THANK YOU!

 
Gamify it until you make it Improving Agile Development and Operations with ...
Gamify it until you make it  Improving Agile Development and Operations with ...Gamify it until you make it  Improving Agile Development and Operations with ...
Gamify it until you make it Improving Agile Development and Operations with ...
 
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussionArtificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
 
IEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdfIEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdf
 
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfWhy Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
 

Abusing Java Remote Interfaces

  • 1. ISSW 2015 ABUSING JAVA REMOTE INTERFACES Juan Vazquez
  • 2. Index 2 • About me • Motivation • RMI 101 • Java Object Serialization Protocol • RMI: Method invocation • Case Study: java_rmi_registry • Case Study: java_rmi_server • Case Study: java_jmx_server • Conclusions. RMI: Remote Method Invocation. JMX: Java Management Extensions.
  • 3. About me 3 • I’m not a Java developer • I’m not a Java hacker • Exploit Developer at Rapid7 –  Metasploit-Framework • My English… sorry!
  • 4. Motivation 4 • Leon Johnson, awesome pentester at Rapid7, asked about a module for exploiting JMX RMI endpoints. • Excellent write-up from Braden Thomas: –  http://www.accuvant.com/blog/exploiting-jmx-rmi
  • 8. RMI 101 8 • Wikipedia says: “The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.” * (* For a better introduction, the Java specs are more useful, but it’s hard to find 1 summary sentence in the specs :) )
  • 9. RMI 101. Hello World! 9
  • 10. RMI 101. Hello World! 10
  • 11. RMI 101. Hello World! 11
  • 12. RMI 101. Hello World! 12
    Server:
    C:\rmi_hello_world>start rmiregistry
    C:\rmi_hello_world>javac -cp . example\hello\*.java
    C:\rmi_hello_world>java -cp . example.hello.Server
    Server ready
    Client:
    C:\rmi_hello_world>javac -cp . example\hello\*.java
    C:\rmi_hello_world>java -cp . example.hello.Client 172.16.158.132
    response: Hello, world!
  • 13. RMI 101. RMI Transport Protocol 13 http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
  • 14. RMI 101. RMI Transport Protocol. 14 http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
  • 15. RMI 101. RMI Transport Protocol 15 http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol3.html
  • 19. RMI 101. RMI Transport Protocol 19 “Call and return data in RMI calls are formatted using the Java Object Serialization Protocol” http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
  • 20. Java Object Serialization Protocol 20 “The ability to store and retrieve Java™ objects is essential to building all but the most transient applications. The key to storing and retrieving objects in a serialized form is representing the state of objects sufficient to reconstruct the object(s).” http://docs.oracle.com/javase/7/docs/platform/serialization/spec/serialTOC.html Warning: If you haven’t fought with Java Serialization before, the specs and the grammar can be confusing…
  • 21. Java Object Serialization Protocol 21 • Use small programs to get serialized samples.
    import java.io.*;

    public class NewArrayInts
    {
        public static void main(String [] args)
        {
            int[] anArray;
            anArray = new int[2];
            anArray[0] = -20;
            anArray[1] = 0x41;
            try
            {
                FileOutputStream fileOut =
                    new FileOutputStream("new_array_ints.ser");
                ObjectOutputStream out = new ObjectOutputStream(fileOut);
                out.writeObject(anArray);
                out.close();
                fileOut.close();
            } catch(IOException i)
            {
                i.printStackTrace();
            }
        }
    }
  • 22. Java Object Serialization Protocol 22
    stream:
      magic version contents
    contents:
      content
      contents content
    content:
      object
      blockdata
    object:
      newArray
    newArray:
      TC_ARRAY classDesc newHandle <size> values
    classDesc:
      newClassDesc
      nullReference
      (ClassDesc)prevObject
    newClassDesc:
      TC_CLASSDESC className serialVersionUID newHandle classDescInfo
    className:
      (utf)
    serialVersionUID:
      (long)
    classDescInfo:
      classDescFlags fields classAnnotation superClassDesc
    classDescFlags:
      (byte)
    fields:
      (short)<count> fieldDesc[count]
    classAnnotation:
      endBlockData
      contents endBlockData
    superClassDesc:
      classDesc
    http://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html#10258
  • 23. Java Object Serialization Protocol 23
    $ hexdump new_array_ints.ser
    0000000 ac ed 00 05 75 72 00 02 5b 49 4d ba 60 26 76 ea
    0000010 b2 a5 02 00 00 78 70 00 00 00 02 ff ff ff ec 00
    0000020 00 00 41
    Byte by byte: STREAM_MAGIC (ac ed), STREAM_VERSION (00 05), TC_ARRAY (75), TC_CLASSDESC (72), className: [I (00 02 5b 49), SerialVersionUID (4d ba 60 26 76 ea b2 a5), classDescFlags: SC_SERIALIZABLE (02), fields count (00 00), TC_ENDBLOCKDATA (classAnnotation) (78), TC_NULL (superClassDesc) (70), (int)<size> (00 00 00 02), value[0] = -20 (ff ff ff ec), value[1] = 0x41 (00 00 00 41)
    $ serialver [I
    [I:    static final long serialVersionUID = 5600894804908749477L;
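To make the grammar on slide 22 and the hexdump on slide 23 concrete, here is an added Ruby example (not code from the talk or from Metasploit's Rex::Java::Serialization) that walks the 35 bytes of new_array_ints.ser exactly as the grammar dictates: magic, version, TC_ARRAY, the class descriptor with its className, serialVersionUID, flags and field count, the classAnnotation, the TC_NULL superClassDesc, then the size and the int values. It assigns wire handles from 0x7e0000 in the same order the JVM does, which is why java_deserializer.rb on slide 27 prints the string under [7e0000]. It also accepts the one extension RMI makes to a plain ObjectOutputStream stream: the codebase URL that RMI's marshal stream writes into the classAnnotation (quoted later in the deck from rmi-arch5). The second sample and its placeholder URL are constructed here, not taken from the page, and every unexpected tag or short read raises instead of being skipped, which is the behaviour you want from anything that inspects untrusted streams.

```ruby
require 'stringio'

# Tag and flag constants from the Java Object Serialization Stream Protocol grammar.
STREAM_MAGIC     = 0xaced
STREAM_VERSION   = 5
TC_NULL          = 0x70
TC_CLASSDESC     = 0x72
TC_STRING        = 0x74
TC_ARRAY         = 0x75
TC_ENDBLOCKDATA  = 0x78
SC_SERIALIZABLE  = 0x02
BASE_WIRE_HANDLE = 0x7e0000   # first handle value; java_deserializer.rb prints them as [7e0000]

# Primitive array element types by JVM type code: [byte width, String#unpack format].
PRIMITIVE_READERS = {
  'B' => [1, 'c'], 'Z' => [1, 'C'], 'C' => [2, 'n'],
  'S' => [2, 's>'], 'I' => [4, 'l>'], 'J' => [8, 'q>']
}.freeze

# Bytes copied from the hexdump of new_array_ints.ser on slide 23.
NEW_ARRAY_INTS_SER = [
  0xac, 0xed, 0x00, 0x05, 0x75, 0x72, 0x00, 0x02, 0x5b, 0x49, 0x4d, 0xba, 0x60, 0x26, 0x76, 0xea,
  0xb2, 0xa5, 0x02, 0x00, 0x00, 0x78, 0x70, 0x00, 0x00, 0x00, 0x02, 0xff, 0xff, 0xff, 0xec, 0x00,
  0x00, 0x00, 0x41
].pack('C*')

# Constructed sample (not from the page): the same [I descriptor, but with a codebase string in
# the classAnnotation, the way RMI's MarshalOutputStream annotates classes. The URL is a placeholder.
CODEBASE = 'http://codebase.example.invalid/'.b
ANNOTATED_ARRAY_SER =
  [0xac, 0xed, 0x00, 0x05, 0x75, 0x72, 0x00, 0x02].pack('C*') + '[I'.b +
  [0x4dba602676eab2a5].pack('Q>') + [SC_SERIALIZABLE, 0x00, 0x00].pack('C*') +
  [TC_STRING, CODEBASE.bytesize].pack('Cn') + CODEBASE +
  [TC_ENDBLOCKDATA, TC_NULL].pack('C*') + [1, 7].pack('l>l>')

class JavaStreamParser
  attr_reader :handles

  def initialize(data)
    @io = StringIO.new(data.b)
    @handles = []   # objects in wire-handle assignment order
  end

  # stream = magic version contents, where contents is exactly one primitive array.
  def parse_primitive_array
    magic = u16
    raise format('bad STREAM_MAGIC 0x%04x', magic) unless magic == STREAM_MAGIC
    version = u16
    raise "unsupported STREAM_VERSION #{version}" unless version == STREAM_VERSION
    expect(TC_ARRAY, 'TC_ARRAY')
    desc = parse_class_desc                  # classDesc
    array_handle = new_handle(:array)        # newHandle
    size = s32                               # (int)<size>
    raise "negative array size #{size}" if size < 0
    raise "not an array class: #{desc[:class_name]}" unless desc[:class_name].start_with?('[')
    type_code = desc[:class_name][1]         # "[I" -> "I"
    width, fmt = PRIMITIVE_READERS.fetch(type_code) { raise "unsupported element type #{type_code}" }
    values = Array.new(size) { read(width).unpack(fmt).first }   # values
    raise 'trailing bytes after the array' unless @io.eof?
    { magic: magic, version: version, class_desc: desc, handle: array_handle, values: values }
  end

  # newClassDesc = TC_CLASSDESC className serialVersionUID newHandle classDescInfo
  def parse_class_desc
    expect(TC_CLASSDESC, 'TC_CLASSDESC')
    class_name = utf
    suid = s64
    handle = new_handle(:class_desc)
    flags = u8
    field_count = u16
    raise "primitive arrays declare no fields, got #{field_count}" unless field_count.zero?
    codebase = parse_class_annotation
    expect(TC_NULL, 'TC_NULL (superClassDesc)')
    { class_name: class_name, serial_version_uid: suid, handle: handle,
      flags: flags, field_count: field_count, codebase: codebase }
  end

  # classAnnotation = endBlockData | contents endBlockData. A plain ObjectOutputStream writes
  # nothing here; RMI writes the codebase URL as a TC_STRING. Anything else is rejected.
  def parse_class_annotation
    tag = u8
    return nil if tag == TC_ENDBLOCKDATA
    raise format('unsupported classAnnotation tag 0x%02x', tag) unless tag == TC_STRING
    codebase = utf
    new_handle(:string)
    expect(TC_ENDBLOCKDATA, 'TC_ENDBLOCKDATA')
    codebase
  end

  private

  def read(n)
    chunk = @io.read(n)
    raise "truncated stream: wanted #{n} more bytes" if chunk.nil? || chunk.bytesize != n
    chunk
  end

  def u8;  read(1).unpack('C').first;  end
  def u16; read(2).unpack('n').first;  end
  def s32; read(4).unpack('l>').first; end
  def s64; read(8).unpack('q>').first; end
  def utf; read(u16); end                 # (utf): 2-byte length, then the bytes

  def expect(tag, name)
    got = u8
    raise format('expected %s 0x%02x, got 0x%02x', name, tag, got) unless got == tag
  end

  def new_handle(kind)
    @handles << kind
    BASE_WIRE_HANDLE + @handles.size - 1
  end
end

def parse_primitive_array_stream(data)
  JavaStreamParser.new(data).parse_primitive_array
end

if __FILE__ == $PROGRAM_NAME
  [NEW_ARRAY_INTS_SER, ANNOTATED_ARRAY_SER].each do |sample|
    r = parse_primitive_array_stream(sample)
    puts format('%s suid=%d codebase=%p values=%p', r[:class_desc][:class_name],
                r[:class_desc][:serial_version_uid], r[:class_desc][:codebase], r[:values])
  end
end
```

Running it on the slide's bytes yields className [I, the serialVersionUID that serialver prints (5600894804908749477), flags SC_SERIALIZABLE and the values [-20, 65]; on the constructed sample the codebase field is populated, which is the thing a receiver would be asked to load classes from.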
  • 24. Java Object Serialization Protocol 24 • Also, you have two useful (Java) classes: – java.io.ObjectOutputStream – java.io.ObjectInputStream • Read and debug them!
  • 25. Java Object Serialization Protocol 25 • Several days later…: – Rex::Java::Serialization: not full support, but good enough for our purposes. • Includes models for the different entities described in the Java Serialization Protocol specs/grammar. • Every object can decode itself (unserialization) from an IO and encode itself (serialization). • Rex::Java::Serialization::Builder makes building some elements easy. – Also: tools/java_deserializer.rb inspects Java serialized streams, zooming into arrays and objects.
  • 26. Java Object Serialization Protocol 26
    $ tools/java_deserializer.rb /tmp/call_demo.bin
    [*] Deserializing...

    @magic: 0xaced
    @version: 5
    @contents: [
      BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] }
    ]
    @references: [
    ]
  • 27. Java Object Serialization Protocol 27
    $ tools/java_deserializer.rb /tmp/return_demo.bin
    [*] Deserializing...

    @magic: 0xaced
    @version: 5
    @contents: [
      BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
      Utf { Hello, world! }
    ]
    @references: [
      [7e0000] Utf { Hello, world! }
    ]
  • 28. Finally… 28 BlockData { [ 0x24, 0x5, 0x74, 0x80, 0x6a, 0x0, 0x5, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x1, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37, 0x24, 0xdf ] } http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
  • 29. Finally… 29 http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol4.html
    @contents: [
      BlockData { [ 0x1, 0x90, 0x3a, 0x40, 0x57, 0x0, 0x0, 0x1, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0xb ] }
      Utf { Hello, world! }
    ]
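Slides 28 and 29 resolve the two BlockData payloads against rmi-protocol4. The following Ruby is an added example, not the talk's code and not Rex::Proto::Rmi, that does the same split programmatically on the bytes copied from the java_deserializer.rb output: the call block is ObjID (objNum, then the UID's unique/time/count), the operation number and the method hash; the return block is the return type byte followed by a UID, with the actual value (the Utf "Hello, world!") following as the next content element rather than inside the block. An operation of -1 is what the v1.2 stubs from slide 31 send, meaning the server picks the method by hash; a non-negative operation would be the old skeleton index. Identifier fields are decoded unsigned so they compare naturally in hex; the operation is decoded signed because -1 is meaningful.

```ruby
# Layout of call and return data from rmi-protocol4.html:
#   CallData    = ObjID Operation Hash Arguments*
#   ObjID       = objNum:long UID
#   UID         = unique:int time:long count:short
#   ReturnValue = returnType:byte UID Value      (returnType 0x01 = normal, 0x02 = exception)
RETURN_TYPES          = { 0x01 => :normal, 0x02 => :exceptional }.freeze
METHOD_HASH_OPERATION = -1   # JDK 1.2 stub protocol: method selected by Hash, not by skeleton operation
UID_SIZE              = 4 + 8 + 2

# BlockData payloads copied from the java_deserializer.rb output on slides 26 and 27.
CALL_BLOCK = [
  0x24, 0x05, 0x74, 0x80, 0x6a, 0x00, 0x05, 0x7f, 0x90, 0x3a, 0x40, 0x57, 0x00, 0x00, 0x01, 0x4c,
  0x6c, 0xca, 0x1b, 0xae, 0x80, 0x01, 0xff, 0xff, 0xff, 0xff, 0x53, 0xe0, 0x82, 0x2d, 0x3e, 0x37,
  0x24, 0xdf
].pack('C*')
RETURN_BLOCK = [
  0x01, 0x90, 0x3a, 0x40, 0x57, 0x00, 0x00, 0x01, 0x4c, 0x6c, 0xca, 0x1b, 0xae, 0x80, 0x0b
].pack('C*')

# Returns the decoded UID and whatever bytes follow it.
def parse_uid(bytes)
  unique, time, count = bytes.unpack('L>Q>S>')
  [{ unique: unique, time: time, count: count }, bytes.byteslice(UID_SIZE..-1)]
end

def parse_call_data(block)
  min = 8 + UID_SIZE + 4 + 8
  raise "call data needs at least #{min} bytes, got #{block.bytesize}" if block.bytesize < min
  obj_num = block.unpack('Q>').first
  uid, rest = parse_uid(block.byteslice(8..-1))
  operation, hash = rest.unpack('l>Q>')
  {
    obj_num: obj_num, uid: uid, operation: operation, method_hash: hash,
    # Arguments are serialized objects that follow; a no-argument call such as sayHello() has none.
    arguments: rest.byteslice(12..-1)
  }
end

def parse_return_value(block)
  min = 1 + UID_SIZE
  raise "return data needs at least #{min} bytes, got #{block.bytesize}" if block.bytesize < min
  type = block.unpack('C').first
  kind = RETURN_TYPES.fetch(type) { raise format('unknown returnType 0x%02x', type) }
  uid, _rest = parse_uid(block.byteslice(1..-1))
  # The Value (here the Utf "Hello, world!") is the next content element after this block.
  { return_type: kind, uid: uid }
end

# One-line summary of how the callee will dispatch the call.
def describe_call(call)
  target = format('ObjID objNum=0x%016x unique=0x%08x', call[:obj_num], call[:uid][:unique])
  if call[:operation] == METHOD_HASH_OPERATION
    "#{target}: JDK 1.2 protocol, method hash 0x#{call[:method_hash].to_s(16)}"
  else
    "#{target}: JDK 1.1 protocol, skeleton operation #{call[:operation]}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts describe_call(parse_call_data(CALL_BLOCK))
  p parse_return_value(RETURN_BLOCK)
end
```

On the slide's call block this reports operation -1 and method hash 0x53e0822d3e3724df for object 0x240574806a00057f; the return block decodes as a normal return. Mapping a hash back to a method name needs a candidate list of signatures to hash, which is why knowing the exported interface (or having the stub class, as on slide 31) matters when reading captured RMI traffic.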
  • 30. Finally…. 30 • Rex::Proto::Rmi – Model for the RMI protocol as described in the specs / grammar. Every object can read itself from an IO or write itself into a String. • Msf::Java::Rmi::Client – Mixin including the Exploit::Remote::TCP one – Methods to make RMI calls easier from the modules. – Also methods to build calls for some common RMI endpoints: • Registry • JMX Management
  • 31. RMI Method Invocation 31 • In order to debug RMI calls, let’s understand them a little bit better. • Use RMIC to generate the stubs (v1.2). It’s not needed anymore, since nowadays static stubs are deprecated in favor of dynamic code. • It will generate a new class HelloImpl_Stub.class. rmic -classpath . example.hello.HelloImpl
  • 32. RMI Method Invocation 32 [Class diagram of the generated stub: HelloImpl_Stub extends java.rmi.server.RemoteStub (itself a java.rmi.server.RemoteObject) and implements example.hello.Hello, which extends java.rmi.Remote; the stub's ref field is a java.rmi.server.RemoteRef, implemented by sun.rmi.server.UnicastRef.]
  • 34. Case Study: java_rmi_registry 34 • The RMI Registry is just a remote object provided by Java, so every virtual machine knows its interface. • Listens on a well known port –  1099/TCP.
  • 35. Case Study: java_rmi_registry 35
    msf > use auxiliary/gather/java_rmi_registry
    msf auxiliary(java_rmi_registry) > set rhost 172.16.158.131
    rhost => 172.16.158.131
    msf auxiliary(java_rmi_registry) > run

    [*] 172.16.158.131:1099 - Sending RMI Header...
    [*] 172.16.158.131:1099 - Listing names in the Registry...
    [+] 172.16.158.131:1099 - 1 names found in the Registry
    [+] 172.16.158.131:1099 - Name Hello (example.hello.HelloImpl_Stub) found on 172.16.158.131:1175
    [*] Auxiliary module execution completed
  • 36. Case Study: java_rmi_server 36 Credits: Michael Schierl @mihi42. http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-arch5.html “RMI allows parameters, return values and exceptions passed in RMI calls to be any object that is serializable. RMI uses the object serialization mechanism to transmit data from one virtual machine to another and also annotates the call stream with the appropriate location information so that the class definition files can be loaded at the receiver.”
  • 37. Case Study: java_rmi_server 37 Credits:  Michael  Schierl  @mihi42  
  • 38. Case Study: java_rmi_server 38 Credits:  Michael  Schierl  @mihi42  
  • 39. Case Study: java_rmi_server 39 Credits:  Michael  Schierl  @mihi42  
  • 40. Case Study: java_jmx_server 40 Credits: Braden Thomas http://www.accuvant.com/blog/exploiting-jmx-rmi
    msf auxiliary(java_rmi_registry) > set rhost 172.16.158.132
    rhost => 172.16.158.132
    msf auxiliary(java_rmi_registry) > set rport 1617
    rport => 1617
    msf auxiliary(java_rmi_registry) > run

    [*] 172.16.158.132:1617 - Sending RMI Header...
    [*] 172.16.158.132:1617 - Listing names in the Registry...
    [+] 172.16.158.132:1617 - 1 names found in the Registry
    [+] 172.16.158.132:1617 - Name jmxrmi (javax.management.remote.rmi.RMIServerImpl_Stub) found on 172.16.158.132:1471
    [*] Auxiliary module execution completed
  • 41. Case Study: java_jmx_server 41 Credits: Braden Thomas http://www.accuvant.com/blog/exploiting-jmx-rmi
  • 42. Case Study: java_jmx_server 42 Credits: Braden Thomas http://www.accuvant.com/blog/exploiting-jmx-rmi
  • 43. Case Study: java_jmx_server 43 Credits: Braden Thomas http://www.accuvant.com/blog/exploiting-jmx-rmi
  • 44. DEMO
  • 45. Conclusions 45 • Ruby Support on MSF for: –  Java Serialization –  RMI –  Some JMX No  more  RAW  streams!  
  • 46. Conclusions 46 • Lots of examples: – All the RMI/JMX modules have been ported. – Specs – New modules: java_rmi_registry, java_jmx_server • TODO – Full Java Serialization support. – Exploit all the things! PRs are super welcome!