v4.0.0 - Dec 05, 2021

Added

• Added the scan action, that performs a simple portscan for RMI services.
• Added the roguejmx action, that spawns a rogue JMX listener.
• Added the objid action, that inspects ObjID values.
• Added the known action, that lists information about known RMI classes.
• Added SSRF support in form of the --ssrf
  and --ssrf-response options.
• Added an SSRF example server (docker container).
• Added the --scan-action option that can be used during the enum action
  to perform only the specified enumeration.
• Added support for custom socket factories within remote-method-guesser's
  plugin system.
• Added a progress bar for the guess action.
• Added ObjID and TCPEndpoint enumeration during the enum action.

Changed

• Changed the argument layout. remote-method-guesser now uses a modular argument layout
  based on argparse4j.
• Changed action layout. Previously existing actions like method, reg, dgc or
  act are now bundled into the serial action.
• Changed target specification during codebase attacks. To target RMI default components,
  you now use the --component option.
• Changed codebase enumeration. Now also works for non registry ports.
• Changed the DGC enumeration to Security Manager enumeration.

v3.3.0 - June 20, 2021

Added

• Added the --verbose option. The output of rmg is now less verbose by default, but you can
  get the full details by using this option.
• Added the --guess-duplicate option. rmg-v3.3.0 no longer guesses methods on identical
  remote classes (only one instance will be used, the others are considered duplicates).
  If you want to guess them anyway, you can use this option.
• Added documentation on method guessing

Changed

• Changed the underlying implementation of method guessing. The new implementation is
  way faster an reduces the runtime of the guess action up to a factor of 8.
  The new implementation is described in more detail here: method guessing
• Changed the wordlist format slightly. The overall format stays the same, but the meaning
  of one field was changed. Old wordlists (in optimized format) are no longer compatible.
• Changed option implementation. Options are now handled by an Enum. Although this makes only
  a difference internally.
• Some small bug fixes

v3.2.0 - Apr 02, 2021

Added

• Add call operation to regulary call remote methods
  • Can be used with bound names (--bound-name)
  • And also with ObjID values (--objid)
• Add plugin system to allow custom gadgets, call arguments and return handlers
  • Add an example plugin and a build script
• Add tests based on tricot

Changed

• Global refactoring - Renamed and moved many classes and functions
  • The calling convention changed slightly for some actions
• The guess operation now also lists methods for known remote objects
  • These are obtained via reflection, not by guessing
  • You can force guessing anyway by using --force-guessing
• Method arguments are now marshalled correctly (previously, always writeObject was used)
• The default wordlist and template files are now contained within the rmg JAR file

v3.1.1 - Feb 16, 2021

Changed

• Fixed bug in RMIWhisperer.java that lead to NullPointerExceptions during the
  method operation. The bugfix is basically a workaround for a more general problem
  that will be resolved in version v3.2.0.

v3.1.0 - Feb 14, 2021

Added

New Enumeration Techniques

• Add JEP290 enumeration during enum operation
• Add JEP290 bypass enumeration during enum action
• Add String marshalling enumeration during enum operation
• Add useCodebaseOnly enumeration during enum operation
• Add localhost bypass (CVE-2019-2684) enumeration during enum operation
• Add DGC enumeration during enum action
• Add Activator enumeration during enum action

New Actions

• Add support for deserialization attacks on Activator, DGC and registry objects
• Add support for codebase attacks on Activator, DGC and registry objects
• Add support for deserialization filter bypass (credits: @_tint0 & @h0ng10)
• Add bind, rebind and unbind operations
  • Add localhost-bypass option for bind, rebind and unbind operations (CVE-2019-2684)
• Add listen operation to spawn a JRMP listener (based on ysoserial)

Other

• Global refactoring - Some action names changed
• Add --stack-trace options for easier debugging
• Add improved error and exception handling
• Add options to use different registry / DGC methods during enum action
• Add documentation to the source code Oo
• Add some other RMI related documentation

Removed

• Removed support for JSON output

v3.0.0 - Nov 28, 2020

Added

rmg

• Add support for guessing without invoking (using invalid argument types)
• Add server-side codebase detection
• Add codebase operation for remote-codebase attacks
• Add support for legacy RMI stubs
• Add colored output

Docker

• Add additional remote method to example server
• Add non-ssl registry on port 9010
• Add legacy RMI service using static stubs
• Add server-codebase and remote-codebase support
• Add improved logging

Changed

• Remote classes are now generated dynamically with Javassist
• Different operations are now invoked using actions, no longer command line switches
• The docker container compiles the example-server now during build time

v2.0.0 - Sep 30, 2020

Added

• Add SSL support (for registry and remote objects)
• Add automatic redirection feature
• Add security checks for bound names
• Add new templates
• Add new example server (available as docker source and GitHub Packages)

Changed

• Changed the sample template. Now supports:
  • SSL
  • Automatic redirection
  • void return types
• Samples are no longer compiled by default
• Change folder structure created by guessing process
• Remove old example server

v1.1.0 - Aug 06, 2020

Added

• Support for primitive types inside of template files
• Additional functions in template files
• bash completion support
• Maven CI

Nov 26, 2020

First stable version of remote-method-guesser :)