Merge pull request #27 from qtc-de/develop

Prepare v4.2.1 release
qtc-de · Jan 7, 2022 · a2cdbde · a2cdbde
2 parents 5e0ce0e + 3338a34
commit a2cdbde
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 17 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [4.2.1] - Jan 07, 2022
+
+### Changed
+
+* Fix missing ``--yso`` option for some actions (resolves issue #26)
+* Improve the bash completion script
+* Improve test cases
+
+
 ## [4.2.0] - Dec 30, 2021
 
 ### Changed

diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 
 [![](https://github.com/qtc-de/remote-method-guesser/workflows/master%20maven%20CI/badge.svg?branch=master)](https://github.com/qtc-de/remote-method-guesser/actions/workflows/master.yml)
 [![](https://github.com/qtc-de/remote-method-guesser/workflows/develop%20maven%20CI/badge.svg?branch=develop)](https://github.com/qtc-de/remote-method-guesser/actions/workflows/develop.yml)
-[![](https://img.shields.io/badge/version-4.2.0-blue)](https://github.com/qtc-de/remote-method-guesser/releases)
+[![](https://img.shields.io/badge/version-4.2.1-blue)](https://github.com/qtc-de/remote-method-guesser/releases)
 [![](https://img.shields.io/badge/build%20system-maven-blue)](https://maven.apache.org/)
 ![](https://img.shields.io/badge/java-8%2b-blue)
 [![](https://img.shields.io/badge/license-GPL%20v3.0-blue)](https://github.com/qtc-de/remote-method-guesser/blob/master/LICENSE)

diff --git a/pom.xml b/pom.xml
@@ -8,7 +8,7 @@
     <artifactId>remote-method-guesser</artifactId>
     <name>remote-method-guesser</name>
     <packaging>jar</packaging>
-    <version>4.2.0</version>
+    <version>4.2.1</version>
     <description>Identify common misconfigurations on Java RMI endpoints</description>
 
     <properties>

diff --git a/resources/bash_completion.d/rmg b/resources/bash_completion.d/rmg
@@ -38,13 +38,16 @@ function _rmg() {
 
     elif [[ ${words[1]} == "bind" || ${words[1]} == "rebind" ]]; then
 
-        if _comp_contains "--config --plugin" $prev; then
+        if _comp_contains "--config --plugin --yso" $prev; then
             _filedir
             return 0
 
-        elif _comp_contains "--ssrf-response --bind-objid" $prev; then
+        elif _comp_contains "--ssrf-response --bind-objid --gadget-cmd" $prev; then
             return 0
 
+        elif _comp_contains "--gadget-name" $prev; then
+            opts="$gadgets"
+
         elif [[ $cur == -* ]] || [[ $args -ge 8 ]]; then
             opts="--help"
             opts="$opts --gopher"
@@ -62,8 +65,11 @@ function _rmg() {
             opts="$opts --no-color"
             opts="$opts --stack-trace"
             opts="$opts --ssl"
+            opts="$opts --yso"
+            opts="$opts --gadget-name"
+            opts="$opts --gadget-cmd"
 
-        elif [[ $cword -eq 4 ]]; then
+        elif [[ $args -eq 4 ]]; then
             _ip_addresses
             compopt -o nospace
             return 0
@@ -142,7 +148,7 @@ function _rmg() {
             opts="$opts --follow"
             opts="$opts --ssl"
 
-        elif [[ $cword -eq 5 ]]; then
+        elif [[ $args -eq 5 ]]; then
             _ip_addresses
             compopt -o nospace
             return 0
@@ -251,7 +257,7 @@ function _rmg() {
 
     elif [[ ${words[1]} == "listen" ]]; then
 
-        if _comp_contains "--config --plugin" $prev; then
+        if _comp_contains "--config --plugin --yso" $prev; then
             _filedir
             return 0
 
@@ -262,12 +268,13 @@ function _rmg() {
             opts="$opts --plugin"
             opts="$opts --no-color"
             opts="$opts --stack-trace"
+            opts="$opts --yso"
 
-        elif [[ $cword -eq 2 ]]; then
+        elif [[ $args -eq 2 ]]; then
             _ip_addresses
             return 0
 
-        elif [[ $cword -eq 4 ]]; then
+        elif [[ $args -eq 4 ]]; then
             opts="$gadgets"
 
         else
@@ -316,7 +323,7 @@ function _rmg() {
             opts="$opts --follow"
             opts="$opts --ssl"
 
-        elif [[ $cword -eq 2 ]]; then
+        elif [[ $args -eq 2 ]]; then
             _ip_addresses
             return 0
 
@@ -352,7 +359,7 @@ function _rmg() {
 
     elif [[ ${words[1]} == "serial" ]]; then
 
-        if _comp_contains "--config --plugin" $prev; then
+        if _comp_contains "--config --plugin --yso" $prev; then
             _filedir
             return 0
 
@@ -382,8 +389,9 @@ function _rmg() {
             opts="$opts --signature"
             opts="$opts --follow"
             opts="$opts --ssl"
+            opts="$opts --yso"
 
-        elif [[ $cword -eq 4 ]]; then
+        elif [[ $args -eq 4 ]]; then
             opts="$gadgets"
 
         else

diff --git a/src/de/qtc/rmg/internal/ArgumentHandler.java b/src/de/qtc/rmg/internal/ArgumentHandler.java
@@ -271,8 +271,12 @@ public Object getGadget()
         String command = null;
 
         if( this.getAction() == Operation.BIND || this.getAction() == Operation.REBIND ) {
-            gadget = "jmx";
-            command = RMGOption.require(RMGOption.BIND_ADDRESS);
+
+            boolean customGadget = RMGOption.BIND_GADGET_NAME.notNull();
+            boolean customCommand = RMGOption.BIND_GADGET_CMD.notNull();
+
+            gadget = customGadget ? RMGOption.BIND_GADGET_NAME.getValue() : "jmx";
+            command = customCommand ? RMGOption.BIND_GADGET_CMD.getValue() : RMGOption.require(RMGOption.BIND_ADDRESS);
 
         } else {
             gadget = (String) RMGOption.require(RMGOption.GADGET_NAME);

diff --git a/src/de/qtc/rmg/internal/ExceptionHandler.java b/src/de/qtc/rmg/internal/ExceptionHandler.java
@@ -416,8 +416,8 @@ public static void bindException(Exception e)
 
     public static void ysoNotPresent(String location)
     {
-        Logger.eprintlnMixedYellow("Unable to find ysoserial library in path", location);
-        Logger.eprintlnMixedYellow("Check your configuration file or specify it on the command line using the", "--yso", "parameter");
+        Logger.eprintlnMixedBlue("Unable to find ysoserial library in path", location);
+        Logger.eprintlnMixedYellow("Check your configuration file or use the", "--yso", "command line parameter.");
         RMGUtils.exit();
     }
 

diff --git a/src/de/qtc/rmg/internal/RMGOption.java b/src/de/qtc/rmg/internal/RMGOption.java
@@ -55,6 +55,8 @@ public enum RMGOption {
     BIND_ADDRESS("bind-host", "host specifications the bound remote object should point to", Arguments.store(), RMGOptionGroup.ACTION, "host:port"),
     BIND_BOUND_NAME("bound-name", "Bound name to use for (un)bind action", Arguments.store(), RMGOptionGroup.ACTION, "name"),
     BIND_BYPASS("--localhost-bypass", "attempt localhost bypass (CVE-2019-2684)", Arguments.storeTrue(), RMGOptionGroup.ACTION),
+    BIND_GADGET_NAME("--gadget-name", "attempt to bind the specified gadget instead of JMXServer", Arguments.store(), RMGOptionGroup.ACTION, "gadget"),
+    BIND_GADGET_CMD("--gadget-cmd", "command for a custom gadget", Arguments.store(), RMGOptionGroup.ACTION, "cmd"),
 
     CODEBASS_CLASS("classname", "classname to load during codebase attack", Arguments.store(), RMGOptionGroup.ACTION, "classname"),
     CODEBASE_URL("url", "codebase URL to load the payload from", Arguments.store(), RMGOptionGroup.ACTION, "url"),

diff --git a/src/de/qtc/rmg/operations/Operation.java b/src/de/qtc/rmg/operations/Operation.java
@@ -41,6 +41,9 @@ public enum Operation {
             RMGOption.BIND_BYPASS,
             RMGOption.BIND_OBJID,
             RMGOption.BIND_ADDRESS,
+            RMGOption.BIND_GADGET_NAME,
+            RMGOption.BIND_GADGET_CMD,
+            RMGOption.YSO,
     }),
 
     CALL("dispatchCall", "<arguments>", "Regulary calls a method with the specified arguments", new RMGOption[] {
@@ -154,6 +157,7 @@ public enum Operation {
             RMGOption.LISTEN_PORT,
             RMGOption.GADGET_NAME,
             RMGOption.GADGET_CMD,
+            RMGOption.YSO,
     }),
 
     OBJID("dispatchObjID", "<objid>", "Print information contained within an ObjID", new RMGOption[] {
@@ -183,6 +187,9 @@ public enum Operation {
             RMGOption.BIND_BYPASS,
             RMGOption.BIND_OBJID,
             RMGOption.BIND_ADDRESS,
+            RMGOption.BIND_GADGET_NAME,
+            RMGOption.BIND_GADGET_CMD,
+            RMGOption.YSO,
     }),
 
     ROGUEJMX("dispatchRogueJMX", "[forward-host]", "Creates a rogue JMX listener (collect credentials)", new RMGOption[] {
@@ -236,6 +243,7 @@ public enum Operation {
             RMGOption.ARGUMENT_POS,
             RMGOption.GADGET_NAME,
             RMGOption.GADGET_CMD,
+            RMGOption.YSO,
     }),
 
     UNBIND("dispatchUnbind", "", "Removes the specified bound name from the registry", new RMGOption[] {

diff --git a/tests/tricot.yml b/tests/tricot.yml
@@ -18,7 +18,7 @@ tester:
         ge: 1.9.0
 
 variables:
-  rmg: rmg-4.2.0-jar-with-dependencies.jar
+  rmg: rmg-4.2.1-jar-with-dependencies.jar
   volume: /tmp/rmg-tricot-test/
   volume-d: /rce/
   codebase-class: CodebaseTest