Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mogwailabs/rmi-deserialization
Slides/Demos from the BSides Munich 2019 talk "Attacking Java RMI in 2019"
https://github.com/mogwailabs/rmi-deserialization
Last synced: 22 days ago
JSON representation
Slides/Demos from the BSides Munich 2019 talk "Attacking Java RMI in 2019"
- Host: GitHub
- URL: https://github.com/mogwailabs/rmi-deserialization
- Owner: mogwailabs
- Created: 2019-03-25T05:21:23.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-09-20T10:05:29.000Z (about 5 years ago)
- Last Synced: 2024-08-05T17:26:54.151Z (4 months ago)
- Language: Java
- Size: 1.73 MB
- Stars: 99
- Watchers: 4
- Forks: 7
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - mogwailabs/rmi-deserialization - Slides/Demos from the BSides Munich 2019 talk "Attacking Java RMI in 2019" (Java)
README
# Attacking Java RMI services after JEP 290
This repository contains all examples from my talk "Attacking Java RMI services in 2019" at BSides Munich 2019.
I also included the slides, however a more detailed explanation of this topic can be [found on our blog](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/).## BSidesMucRmiService
This is a simple RMI service that I used as an example. It is a Maven project with CommonsCollections 3.1 bundled. Additional instructions how to build/run this service cna be found in the directory.## BSidesAttackClient
This directory contains a minimal code example how to attack an RMI service that provides a method that accepts an arbitrary object as argument. The code needs to be imported into an project that also includes the ysoserial jar.## barmitzwa.groovy
A [YouDebug script](http://youdebug.kohsuke.org/) that replaces the objects in a remote invocation call with an object from ysoserial.