first commit

java/rmi-codebase/Dockerfile

@@ -0,0 +1,15 @@
+FROM openjdk:8u222-jdk
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+ENV RMIIP="127.0.0.1"
+COPY src/ /usr/src/
+WORKDIR /usr/src
+
+RUN set -ex \
+    && javac *.java
+
+EXPOSE 1099
+EXPOSE 64000
+
+CMD ["bash", "-c", "java -Djava.rmi.server.hostname=${RMIIP} -Djava.rmi.server.useCodebaseOnly=false -Djava.security.policy=client.policy RemoteRMIServer"]

java/rmi-codebase/README.md

@@ -0,0 +1,27 @@
+# Java RMI Codebase Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Java Remote Method Invocation (RMI) is used for remote procedure calls in Java. Under certain conditions, an RMI client can specify `java.rmi.server.codebase` to make the server load remote objects, leading to the execution of arbitrary Java bytecode on the server.
+
+References:
+
+- <https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html>
+- <https://paper.seebug.org/1091/>
+
+## Environment Setup
+
+Execute the following commands to compile and start the RMI Registry and server:
+
+```
+docker compose build
+docker compose run -e RMIIP=your-ip -p 1099:1099 -p 64000:64000 rmi
+```
+
+Replace `your-ip` with your server's IP address. The client will use this IP to connect to the server.
+
+After startup, the RMI Registry will be listening on port 1099.
+
+## Vulnerability Reproduction
+
+To be completed.

java/rmi-codebase/README.zh-cn.md

@@ -0,0 +1,25 @@
+# Java RMI Codebase 远程代码执行漏洞
+
+Java Remote Method Invocation（RMI）是Java中用于远程过程调用的机制。在满足特定条件的情况下，RMI客户端可以通过指定`java.rmi.server.codebase`参数，使服务端加载远程对象，从而执行任意Java字节码。
+
+参考链接：
+
+- <https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html>
+- <https://paper.seebug.org/1091/>
+
+## 环境搭建
+
+执行如下命令编译及启动RMI Registry和服务器：
+
+```
+docker compose build
+docker compose run -e RMIIP=your-ip -p 1099:1099 -p 64000:64000 rmi
+```
+
+将`your-ip`替换为你的服务器IP地址，客户端将使用此IP连接服务器。
+
+环境启动后，RMI Registry将监听在1099端口。
+
+## 漏洞复现
+
+待完善。

java/rmi-codebase/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+  rmi:
+    build: .
+    ports:
+      - "1099:1099"
+      - "64000:64000"
+    environment:
+      - RMIIP=127.0.0.1

java/rmi-codebase/src/Calc.java

@@ -0,0 +1,17 @@
+import java.rmi.RemoteException;
+import java.rmi.server.UnicastRemoteObject;
+import java.util.List;
+
+public class Calc extends UnicastRemoteObject implements ICalc {
+    public Calc() throws RemoteException {
+        super(64000);
+    }
+
+    public Integer sum(List<Integer> params) throws RemoteException {
+        Integer sum = 0;
+        for (Integer param : params) {
+            sum += param;
+        }
+        return sum;
+    }
+}

java/rmi-codebase/src/ICalc.java

@@ -0,0 +1,7 @@
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+import java.util.List;
+
+public interface ICalc extends Remote {
+    public Integer sum(List<Integer> params) throws RemoteException;
+}

java/rmi-codebase/src/RemoteRMIServer.java

@@ -0,0 +1,23 @@
+import java.rmi.Naming;
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.server.UnicastRemoteObject;
+import java.util.List;
+
+public class RemoteRMIServer {
+    private void start() throws Exception {
+        if (System.getSecurityManager() == null) {
+            System.out.println("setup SecurityManager");
+            System.setSecurityManager(new SecurityManager());
+        }
+
+        Calc h = new Calc();
+        LocateRegistry.createRegistry(1099);
+        Naming.rebind("refObj", h);
+    }
+
+    public static void main(String[] args) throws Exception {
+        new RemoteRMIServer().start();
+    }
+}

java/rmi-codebase/src/client.policy

@@ -0,0 +1,3 @@
+grant {
+    permission java.security.AllPermission;
+};