RMI反序列化漏洞之三顾茅庐-流程分析

最近分析了下RMI相关的反序列化漏洞，查资料时发现许多分析文章都只关注漏洞点，对功能本身语焉不详。所以这篇文章先具体分析下RMI整体的调用流程，并且点出一些可能出现反序列化问题的地方。下篇写具体的漏洞利用。
RMI全称Remote Method Invocation，远程方法调用，功能是跨jvm调用远程方法。实现RMI的协议叫JRMP，RMI实现的过程中进行了java对象的传递，自然使用了序列化和反序列化，也自然产生了反序列化漏洞。
概述下RMI的流程，RMI里有三个角色：客户端、服务端、注册中心。设计上客户端和服务端不直接通信，而是通过注册中心通信。简单理解三者的关系如下：服务端创建远程对象，并将远程对象在注册中心注册，客户端到注册中心端查找并获取对应的远程对象，最终在服务端调用其方法。
具体实现时，客户端没有直接调用服务器上的对象，也没有直接调用注册中心上的对象，而是操作一个进行网络通信的代理类叫Stub，服务端也一样有一个类似的代理类叫Skel，具体操作都是这两个代理类进行的。RMI的大致流程可以参考https://www.ibm.com/docs/en/sdk-java-technology/8?topic=iiop-rmi-implementation
分析之前先写一个最简单的RMI Demo，直观的感受一下使用的方式。
首先需要定义远程对象类。远程方法调用不是所有类都可以，想进行远程方法调用的类，需要实现一个继承Remote接口的接口，远程方法要抛RemoteException。先定义这个接口：

public interface IRemoteObj extends Remote {
    //sayHello就是客户端要调用的方法，需要抛出RemoteException
    public String sayHello() throws RemoteException;
}

然后创建远程对象的实现类。为了后续的远程调用，服务端需要把远程对象发布出去，发布的方法有两种：
1、继承UnicastRemoteObject对象
2、自己调用UnicastRemoteObject.exportObject方法
实际上两种方法是一样的，UnicastRemoteObject的构造方法最后也是调用了exportObject
那么定义远程对象类：

public class RemoteObjImpl extends UnicastRemoteObject implements IRemoteObj {

    public RemoteObjImpl() throws RemoteException {
        //UnicastRemoteObject.exportObject(this, 0);//如果不继承UnicastRemoteObject就需要手工发布
    }

    @Override
    public String sayHello() {
        String name = this.getClass().getName();
        System.out.println(name);
        return name;
    }
}

然后就可以创建服务端和客户端了，服务端一般和注册中心写在一起，做如下几件事：
1、首先创建远程对象，创建时也会进行远程对象的发布。
2、创建注册中心
3、将远程对象绑定到注册中心

public class RMIServer {
    public static void main(String[] args) throws RemoteException, AlreadyBoundException {
        RemoteObjImpl remoteObj = new RemoteObjImpl();
        Registry r = LocateRegistry.createRegistry(1099);
        r.bind("remoteObj",remoteObj);
    }
}

然后是客户端，做以下几件事：
1、获取“注册中心”对象
2、利用注册中心对象获取远程对象
3、调用远程对象上的方法

public class RMIClient {
    public static void main(String[] args) throws RemoteException, NotBoundException {
        Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
        IRemoteObj remoteObj = (IRemoteObj) registry.lookup("remoteObj");
        remoteObj.sayHello();
    }
}

执行客户端的main方法后，代码实际是在服务端执行的，客户端可以获取执行结果。
一共有六行代码，那么接下来开始调试观察整个过程，调试时jdk版本是8u65和8u141交替用的，可能有部分代码对不上，但大致逻辑不变。另外由于rmi大部分代码在sun包下面，需要去openjdk下载对应的源码，不然就只能看反编译的var1变量名猜谜语了。

创建远程对象

首先是RemoteObjImpl remoteObj = new RemoteObjImpl();这一行，调用父类UnicastRemoteObject的构造方法。注意这里并没有接收返回值，只是将远程对象发布出去。

protected UnicastRemoteObject() throws RemoteException
    {
        this(0);
    }

protected UnicastRemoteObject(int port) throws RemoteException
    {
        this.port = port;
        exportObject((Remote) this, port);
    }

跟进exportObject

public static Remote exportObject(Remote obj, int port)
        throws RemoteException
    {
        return exportObject(obj, new UnicastServerRef(port));
    }

出现了一个新的类UnicastServerRef，它代表远程对象的引用。这个类继承了Dispatcher接口，代表由它分发客户端的操作给远程对象。跟进这个类的构造方法：

public UnicastServerRef(int port) {
    super(new LiveRef(port));
}

又出现了一个新的类LiveRef，那再跟进它的构造方法：

public LiveRef(int port) {
    this((new ObjID()), port);
}

public LiveRef(ObjID objID, int port) {
    this(objID, TCPEndpoint.getLocalEndpoint(port), true);
}

public LiveRef(ObjID objID, Endpoint endpoint, boolean isLocal) {
    ep = endpoint;
    id = objID;
    this.isLocal = isLocal;
}

objID就是一个数字id，不重要。主要看又出现的一个类TCPEndpoint，这个名字很明显和网络通信有关了，跟进TCPEndpoint#getLocalEndpoint方法：

public static TCPEndpoint getLocalEndpoint(int port) {
    return getLocalEndpoint(port, null, null);
}

public static TCPEndpoint getLocalEndpoint(int port,
                                           RMIClientSocketFactory csf,
                                           RMIServerSocketFactory ssf)
{
    /*
     * Find mapping for an endpoint key to the list of local unique
     * endpoints for this client/server socket factory pair (perhaps
     * null) for the specific port.
     */
    TCPEndpoint ep = null;

    synchronized (localEndpoints) {
        TCPEndpoint endpointKey = new TCPEndpoint(null, port, csf, ssf);
        LinkedList<TCPEndpoint> epList = localEndpoints.get(endpointKey);
        String localHost = resampleLocalHost();

        if (epList == null) {
            /*
             * Create new endpoint list.
             */
            ep = new TCPEndpoint(localHost, port, csf, ssf);
            epList = new LinkedList<TCPEndpoint>();
            epList.add(ep);
            ep.listenPort = port;
            ep.transport = new TCPTransport(epList);
            localEndpoints.put(endpointKey, epList);

            if (TCPTransport.tcpLog.isLoggable(Log.BRIEF)) {
                TCPTransport.tcpLog.log(Log.BRIEF,
                    "created local endpoint for socket factory " + ssf +
                    " on port " + port);
            }
        } else {
            synchronized (epList) {
                ep = epList.getLast();
                String lastHost = ep.host;
                int lastPort =  ep.port;
                TCPTransport lastTransport = ep.transport;
                // assert (localHost == null ^ lastHost != null)
                if (localHost != null && !localHost.equals(lastHost)) {
                    /*
                     * Hostname has been updated; add updated endpoint
                     * to list.
                     */
                    if (lastPort != 0) {
                        /*
                         * Remove outdated endpoints only if the
                         * port has already been set on those endpoints.
                         */
                        epList.clear();
                    }
                    ep = new TCPEndpoint(localHost, lastPort, csf, ssf);
                    ep.listenPort = port;
                    ep.transport = lastTransport;
                    epList.add(ep);
                }
            }
        }
    }

    return ep;
}

这里比较绕，其实关注主要逻辑就行，最后返回的是一个TCPEndPoint，看下这个类的属性

/**
 * TCPEndpoint represents some communication endpoint for an address
 * space (VM).
 *
 * @author Ann Wollrath
 */
public class TCPEndpoint implements Endpoint {
    /** IP address or host name */
    private String host;
    /** port number */
    private int port;
    /** custom client socket factory (null if not custom factory) */
    private final RMIClientSocketFactory csf;
    /** custom server socket factory (null if not custom factory) */
    private final RMIServerSocketFactory ssf;

    /** if local, the port number to listen on */
    private int listenPort = -1;
    /** if local, the transport object associated with this endpoint */
    private TCPTransport transport = null;

    /** the local host name */
    private static String localHost;
    /** true if real local host name is known yet */
    private static boolean localHostKnown;

很明显是一个和网络请求有关的类，主要属性就是域名，端口，还有一个TCPTransport。TCPTransport是真正的处理网络请求的类，这里实际上将TCPEndPoint和TCPTransport进行了绑定。
所以LiveRef里面就是放了一个TCPEndPoint。那么LiveRef可以理解为一个封装了ip和端口的辅助类。另外注意LiveRef是不能序列化的，也就是说并不需要通过序列化方式传递它，只需要传递里面的id、ip和端口信息就行。实际上实例化一个LiveRef只需要ip和端口就够了：

new LiveRef(new ObjID(),new TCPEndpoint(ip,port),true)

之后回到UnicastServerRef的构造函数那里，调用了父类构造函数

public UnicastServerRef(int port) {
    super(new LiveRef(port));
}

也就是UnicastRef的构造函数，一个单纯的赋值。

public UnicastRef(LiveRef liveRef) {
    ref = liveRef;
}

然后创建这一大堆类的过程就结束了，回到了exportObject中来。这里可以简单总结一下前面这些类的关系，有点乱。这里用idea生成个类图：

LiveRef、TCPEndoPint、TCPTransport是处理网络通信的类。UnicastRef、UnicastServerRef是远程对象的引用对象，是宏观上处理网络请求的类，也是实现RMI调用的核心逻辑的类。UnicastRemoteObject就是远程对象的基础类，它并不直接处理网络请求，而是通过里面的UnicastServerRef处理。
目前其实就创建了一个UnicastServerRef，它的ref是了一个LiveRef，ref里面有一个TCPEndpoint叫ep，ep里面有个TCPTransport叫transport。
继续跟进UnicastRemoteObject#exportObject(Remote obj, UnicastServerRef sref)

private static Remote exportObject(Remote obj, UnicastServerRef sref)
    throws RemoteException
{
    // if obj extends UnicastRemoteObject, set its ref.
    if (obj instanceof UnicastRemoteObject) {
        ((UnicastRemoteObject) obj).ref = sref;
    }
    return sref.exportObject(obj, null, false);
}

这里把远程对象的ref赋值成刚才新建的那个UnicastServerRef，然后调用了UnicastServerRef#exportObject

public Remote exportObject(Remote impl, Object data,
                               boolean permanent)
        throws RemoteException
    {
        Class<?> implClass = impl.getClass();
        Remote stub;

        try {
            stub = Util.createProxy(implClass, getClientRef(), forceStubUse);
        } catch (IllegalArgumentException e) {
            throw new ExportException(
                "remote object implements illegal remote interface", e);
        }
        if (stub instanceof RemoteStub) {
            setSkeleton(impl);
        }

        Target target =
            new Target(impl, this, stub, ref.getObjID(), permanent);
        ref.exportObject(target);
        hashToMethod_Map = hashToMethod_Maps.get(implClass);
        return stub;
    }

这里出现了stub这个变量，很明显这是一个代理类，先看下getClientRef，其实就是新建个UnicastRef，把刚才那个LiveRef放进去。

protected RemoteRef getClientRef() {
    return new UnicastRef(ref);
}

跟进Util.createProxy方法

public static Remote createProxy(Class<?> implClass,
                                 RemoteRef clientRef,
                                 boolean forceStubUse)
    throws StubNotFoundException
{
    Class<?> remoteClass;

    try {
        remoteClass = getRemoteClass(implClass);
    } catch (ClassNotFoundException ex ) {
        throw new StubNotFoundException(
            "object does not implement a remote interface: " +
            implClass.getName());
    }

    if (forceStubUse ||
        !(ignoreStubClasses || !stubClassExists(remoteClass)))
    {
        return createStub(remoteClass, clientRef);
    }

    final ClassLoader loader = implClass.getClassLoader();
    final Class<?>[] interfaces = getRemoteInterfaces(implClass);
    final InvocationHandler handler =
        new RemoteObjectInvocationHandler(clientRef);

    /* REMIND: private remote interfaces? */

    try {
        return AccessController.doPrivileged(new PrivilegedAction<Remote>() {
            public Remote run() {
                return (Remote) Proxy.newProxyInstance(loader,
                                                       interfaces,
                                                       handler);
            }});
    } catch (IllegalArgumentException e) {
        throw new StubNotFoundException("unable to create proxy", e);
    }
}

这是创建stub的逻辑，比较重要。首先判断当前的RemoteObjImpl这个类是否实现了Remote接口，然后判断是否存在该类的Stub类，也就是是否存在RemoteObjImpl_Stub名称的类，如果存在就调用createStub直接实例化一个。

private static RemoteStub createStub(Class<?> remoteClass, RemoteRef ref)
    throws StubNotFoundException
{
    String stubname = remoteClass.getName() + "_Stub";

    /* Make sure to use the local stub loader for the stub classes.
     * When loaded by the local loader the load path can be
     * propagated to remote clients, by the MarshalOutputStream/InStream
     * pickle methods
     */
    try {
        Class<?> stubcl =
            Class.forName(stubname, false, remoteClass.getClassLoader());
        Constructor<?> cons = stubcl.getConstructor(stubConsParamTypes);
        return (RemoteStub) cons.newInstance(new Object[] { ref });

    } catch 
    ......
}

目前系统里是没有这个类的，所以往下走，看到实际是创建了一个动态代理类，调用处理器用的是RemoteObjectInvocationHandler，把刚才创建那个UnicastRef放了进去。之前创建的远程对象里有个UnicastServerRef，这个stub里面有个UnicastRef，但它们两个里面是同一个LiveRef。毕竟这个代理对象就是代表远程对象的。
所以远程对象的Stub其实就是个动态代理，那么远程调用方法时就是调它的invoke方法，后续调用到的时候再分析。
stub是要传给客户端使用的，客户端通过操作stub的UnicastRef，来调用服务端远程对象的UnicastServerRef，是一个对称关系。
接下来判断这个Stub是否属于RemoteStub，如果是就调用setSkeleton。RemoteStub是jdk里内置的几个通用类，有
Activation$ActivationSystemImpl_Stub
ActivationGroup_Stub
DGCImpl_Stub
RMIConnectionImpl_Stub
RMIServerImpl_Stub
ReferenceWrapper_Stub
RegistryImpl_Stub
这几个，那么这里显然会跳过。
之后会创建Target，这又是一个新的类，跟进它的构造方法：

public Target(Remote impl, Dispatcher disp, Remote stub, ObjID id,
              boolean permanent)
{
    this.weakImpl = new WeakRef(impl, ObjectTable.reapQueue);
    this.disp = disp;
    this.stub = stub;
    this.id = id;
    this.acc = AccessController.getContext();

    /*
     * Fix for 4149366: so that downloaded parameter types unmarshalled
     * for this impl will be compatible with types known only to the
     * impl class's class loader (when it's not identical to the
     * exporting thread's context class loader), mark the impl's class
     * loader as the loader to use as the context class loader in the
     * server's dispatch thread while a call to this impl is being
     * processed (unless this exporting thread's context class loader is
     * a child of the impl's class loader, such as when a registry is
     * exported by an application, in which case this thread's context
     * class loader is preferred).
     */
    ClassLoader threadContextLoader =
        Thread.currentThread().getContextClassLoader();
    ClassLoader serverLoader = impl.getClass().getClassLoader();
    if (checkLoaderAncestry(threadContextLoader, serverLoader)) {
        this.ccl = threadContextLoader;
    } else {
        this.ccl = serverLoader;
    }

    this.permanent = permanent;
    if (permanent) {
        pinImpl();
    }
}

Target可以理解为是一个远程服务实例，一个Target对应一个远程对象。里面保存了远程对象实例、对应的Stub、对应的远程引用对象UnicastServerRef，之前创建的LiveRef的ObjID。实际上Target就是用LiveRef的ObjID代表了这个远程对象，一个远程对象和一个LiveRef是绑定的。这里就包括了远程调用所需的全部对象了，远程调用就是Stub使用远程引用来调用远程对象上的方法。
创建完Target后调用到ref也就是LiveRef#exportObject

public void exportObject(Target target) throws RemoteException {
    ep.exportObject(target);
}

调用了TCPEndPoint#exportObject

public void exportObject(Target target) throws RemoteException {
    transport.exportObject(target);
}

又调用了TCPTransport#exportObject

public void exportObject(Target target) throws RemoteException {
    /*
     * Ensure that a server socket is listening, and count this
     * export while synchronized to prevent the server socket from
     * being closed due to concurrent unexports.
     */
    synchronized (this) {
        listen();
        exportCount++;
    }

    /*
     * Try to add the Target to the exported object table; keep
     * counting this export (to keep server socket open) only if
     * that succeeds.
     */
    boolean ok = false;
    try {
        super.exportObject(target);
        ok = true;
    } finally {
        if (!ok) {
            synchronized (this) {
                decrementExportCount();
            }
        }
    }
}

上来调用了一个listen方法，看名字是开一个socket监听

private void listen() throws RemoteException {
    assert Thread.holdsLock(this);
    TCPEndpoint ep = getEndpoint();
    int port = ep.getPort();

    if (server == null) {
        if (tcpLog.isLoggable(Log.BRIEF)) {
            tcpLog.log(Log.BRIEF,
                "(port " + port + ") create server socket");
        }

        try {
            server = ep.newServerSocket();
            /*
             * Don't retry ServerSocket if creation fails since
             * "port in use" will cause export to hang if an
             * RMIFailureHandler is not installed.
             */
            Thread t = AccessController.doPrivileged(
                new NewThreadAction(new AcceptLoop(server),
                                    "TCP Accept-" + port, true));
            t.start();
        } catch (java.net.BindException e) {
            throw new ExportException("Port already in use: " + port, e);
        } catch (IOException e) {
            throw new ExportException("Listen failed on port: " + port, e);
        }

    } else {
        // otherwise verify security access to existing server socket
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkListen(port);
        }
    }
}

首先获取了之前保存的TCPEndpoint和端口，然后调用了TCPEndpoint.newServerSocket，跟进去实际最后就是创建了个普通的ServerSocket。然后创建了一个新的AcceptLoop类的监听线程并开启。这里实际上就是客户端最后连接的socket，等后续分析客户端调用时再具体分析。
那么实际上服务就已经发布出去了。最后还有一步记录已经发布的Target，调用了TransPort的exportObject

public void exportObject(Target target) throws RemoteException {
    target.setExportedTransport(this);
    ObjectTable.putTarget(target);
}

setExportedTransport就是把对应的TCPTransport保存进Target

void setExportedTransport(Transport exportedTransport) {
    if (this.exportedTransport == null) {
        this.exportedTransport = exportedTransport;
    }
}

putTarget是把对象和target绑定，放进ObjectTable这个类的静态变量objTable里面。

static void putTarget(Target target) throws ExportException {
    ObjectEndpoint oe = target.getObjectEndpoint();
    WeakRef weakImpl = target.getWeakImpl();

    if (DGCImpl.dgcLog.isLoggable(Log.VERBOSE)) {
        DGCImpl.dgcLog.log(Log.VERBOSE, "add object " + oe);
    }

    synchronized (tableLock) {
        /**
         * Do nothing if impl has already been collected (see 6597112). Check while
         * holding tableLock to ensure that Reaper cannot process weakImpl in between
         * null check and put/increment effects.
         */
        if (target.getImpl() != null) {
            if (objTable.containsKey(oe)) {
                throw new ExportException(
                    "internal error: ObjID already in use");
            } else if (implTable.containsKey(weakImpl)) {
                throw new ExportException("object already exported");
            }

            objTable.put(oe, target);
            implTable.put(weakImpl, target);

            if (!target.isPermanent()) {
                incrementKeepAliveCount();
            }
        }
    }
}

实际上在第三行的if语句里，因为获取了DGCImpl.dgcLog变量，触发了DGCImpl类的实例化。这是垃圾回收相关的类，跟进static代码块

static {
    /*
     * "Export" the singleton DGCImpl in a context isolated from
     * the arbitrary current thread context.
     */
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        public Void run() {
            ClassLoader savedCcl =
                Thread.currentThread().getContextClassLoader();
            try {
                Thread.currentThread().setContextClassLoader(
                    ClassLoader.getSystemClassLoader());

                /*
                 * Put remote collector object in table by hand to prevent
                 * listen on port.  (UnicastServerRef.exportObject would
                 * cause transport to listen.)
                 */
                try {
                    dgc = new DGCImpl();
                    ObjID dgcID = new ObjID(ObjID.DGC_ID);
                    LiveRef ref = new LiveRef(dgcID, 0);
                    UnicastServerRef disp = new UnicastServerRef(ref);
                    Remote stub =
                        Util.createProxy(DGCImpl.class,
                                         new UnicastRef(ref), true);
                    disp.setSkeleton(dgc);

                    Permissions perms = new Permissions();
                    perms.add(new SocketPermission("*", "accept,resolve"));
                    ProtectionDomain[] pd = { new ProtectionDomain(null, perms) };
                    AccessControlContext acceptAcc = new AccessControlContext(pd);

                    Target target = AccessController.doPrivileged(
                        new PrivilegedAction<Target>() {
                            public Target run() {
                                return new Target(dgc, disp, stub, dgcID, true);
                            }
                        }, acceptAcc);

                    ObjectTable.putTarget(target);
                } catch (RemoteException e) {
                    throw new Error(
                        "exception initializing server-side DGC", e);
                }
            } finally {
                Thread.currentThread().setContextClassLoader(savedCcl);
            }
            return null;
        }
    });
}

使用单例模式创建了一个DGCImpl对象，这个对象就是RMI的分布式垃圾处理对象，一旦有远程对象被创建，就会实例化这个对象，但也只会创建这一次。后面的代码和UnicastServerRef#exportObject里很像，创建一个代理。但这里和前面不同的是这是一个系统内置类，所以是直接创建了DGCImpl_Stub类，而不是创建的动态代理。并且设置了disp的skeleton是DGCImpl_Skel。最后同样把这些放进Target，把Target保存进ObjectTable。按注释所写，这里没有调用TCPTransport#listen，所以没有开启监听。实际上根据TCPEndpoint#getLocalEndpoint，这个时候这个DGCImpl和刚才创建的远程对象用的是同一个TCPEndPoint。
到这里服务发布就结束了。最后return了一个stub，但代码里并没有接收。
这就是整个的远程对象RemoteObjImpl的创建过程，中间比较乱的地方是创建了一大堆对象，互相包含又互相引用。大概描述一下：
最外层对象是Target，里面保存了远程对象、远程对象的代理对象stub、远程对象的引用对象UnicastServerRef、还有代表这个对象的ObjID。
而远程对象里也保存了服务端远程引用对象UnicastServerRef，stub里保存了一个客户端远程引用UnicastRef，这两个引用里实际都保存了同一个LiveRef对象，里面保存了远程对象对应的ip和端口。
而服务端上还有一个ObjectTable，每创建一个远程对象，就会把对应的Target保存到里面。目前已经创建了两个远程对象，分别是自定义远程对象和系统内置远程对象DGCImpl。
那么第一行就分析完了。没错，目前就分析了一行。
那么接下来分析第二行，LocateRegistry.createRegistry(1099)

创建注册中心

跟进

public static Registry createRegistry(int port) throws RemoteException {
    return new RegistryImpl(port);
}

进构造函数

/**
 * Construct a new RegistryImpl on the specified port.
 */
public RegistryImpl(int port)
    throws RemoteException
{
    if (port == Registry.REGISTRY_PORT && System.getSecurityManager() != null) {
        // grant permission for default port only.
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                public Void run() throws RemoteException {
                    LiveRef lref = new LiveRef(id, port);
                    setup(new UnicastServerRef(lref));
                    return null;
                }
            }, null, new SocketPermission("localhost:"+port, "listen,accept"));
        } catch (PrivilegedActionException pae) {
            throw (RemoteException)pae.getException();
        }
    } else {
        LiveRef lref = new LiveRef(id, port);
        setup(new UnicastServerRef(lref));
    }
}

System.getSecurityManager()默认是null，走到else里面。其实主要就是创建了一个UnicastServerRef，里面放一个LiveRef，之后调用setup函数。
跟进setup函数：

private void setup(UnicastServerRef uref)
        throws RemoteException
    {
        /* Server ref must be created and assigned before remote
         * object 'this' can be exported.
         */
        ref = uref;
        uref.exportObject(this, null, true);
    }

这里其实和前面UnicastRemoteObject#exportObject一样，唯一区别就是第三个参数变成了true，虽然之前调用过这函数，还是粘一下

public Remote exportObject(Remote impl, Object data,
                           boolean permanent)
    throws RemoteException
{
    Class<?> implClass = impl.getClass();
    Remote stub;

    try {
        stub = Util.createProxy(implClass, getClientRef(), forceStubUse);
    } catch (IllegalArgumentException e) {
        throw new ExportException(
            "remote object implements illegal remote interface", e);
    }
    if (stub instanceof RemoteStub) {
        setSkeleton(impl);
    }

    Target target =
        new Target(impl, this, stub, ref.getObjID(), permanent);
    ref.exportObject(target);
    hashToMethod_Map = hashToMethod_Maps.get(implClass);
    return stub;
}

这次调用和发布远程对象时有点不同，和创建DGCImpl那里是一样的。首先创建的stub对象不是动态代理生成的了，而是直接找到了sun.rmi.registry.RegistryImpl_Stub，反射创建的。并且RegistryImpl_Stub是继承了RemoteStub的，所以会调用setSkeleton，跟进看一下

public void setSkeleton(Remote impl) throws RemoteException {
    if (!withoutSkeletons.containsKey(impl.getClass())) {
        try {
            skel = Util.createSkeleton(impl);
        } catch (SkeletonNotFoundException e) {
            /*
             * Ignore exception for skeleton class not found, because a
             * skeleton class is not necessary with the 1.2 stub protocol.
             * Remember that this impl's class does not have a skeleton
             * class so we don't waste time searching for it again.
             */
            withoutSkeletons.put(impl.getClass(), null);
        }
    }
}

看下Util.createSkeleton

static Skeleton createSkeleton(Remote object)
    throws SkeletonNotFoundException
{
    Class<?> cl;
    try {
        cl = getRemoteClass(object.getClass());
    } catch (ClassNotFoundException ex ) {
        throw new SkeletonNotFoundException(
            "object does not implement a remote interface: " +
            object.getClass().getName());
    }

    // now try to load the skeleton based ont he name of the class
    String skelname = cl.getName() + "_Skel";
    try {
        Class<?> skelcl = Class.forName(skelname, false, cl.getClassLoader());

        return (Skeleton)skelcl.newInstance();
        ......
}

其实和createStub一样，直接反射生成了sun.rmi.registry.RegistryImpl_Skel。
接下来和之前一样了，创建Target然后发布。最后把Target放到ObjectTable里面，目前里面有RemoteObjImpl的Stub和RegistryImpl_Stub，还有个DGCImpl_Stub。
那么注册中心的创建就结束了，实际上注册中心也是一个远程对象，整体过程和远程对象的发布基本是一样的，只是有些细节不太一样，主要就是没有用动态代理生成Stub，而是直接创建了jdk里面的类。
接下来就是绑定了，来到第三行

绑定远程对象到注册中心

RegistryImpl#bind

public void bind(String name, Remote obj)
        throws RemoteException, AlreadyBoundException, AccessException
    {
        // The access check preventing remote access is done in the skeleton
        // and is not applicable to local access.
        synchronized (bindings) {
            Remote curr = bindings.get(name);
            if (curr != null)
                throw new AlreadyBoundException(name);
            bindings.put(name, obj);
        }
    }

这里其实非常简单，因为这里并不是远程绑定，就直接调用了RegistryImpl类，把名字和远程对象放到一个叫bindings的HashTable里面。
到这里服务端的流程就走完了，接下来看客户端。

获取注册中心远程对象

跟进LocateRegistry.getRegistry(“127.0.0.1”, 1099)

public static Registry getRegistry(String host, int port)
    throws RemoteException
{
    return getRegistry(host, port, null);
}

接着跟

public static Registry getRegistry(String host, int port,
                                   RMIClientSocketFactory csf)
    throws RemoteException
{
    Registry registry = null;

    if (port <= 0)
        port = Registry.REGISTRY_PORT;

    if (host == null || host.length() == 0) {
        // If host is blank (as returned by "file:" URL in 1.0.2 used in
        // java.rmi.Naming), try to convert to real local host name so
        // that the RegistryImpl's checkAccess will not fail.
        try {
            host = java.net.InetAddress.getLocalHost().getHostAddress();
        } catch (Exception e) {
            // If that failed, at least try "" (localhost) anyway...
            host = "";
        }
    }

    /*
     * Create a proxy for the registry with the given host, port, and
     * client socket factory.  If the supplied client socket factory is
     * null, then the ref type is a UnicastRef, otherwise the ref type
     * is a UnicastRef2.  If the property
     * java.rmi.server.ignoreStubClasses is true, then the proxy
     * returned is an instance of a dynamic proxy class that implements
     * the Registry interface; otherwise the proxy returned is an
     * instance of the pregenerated stub class for RegistryImpl.
     **/
    LiveRef liveRef =
        new LiveRef(new ObjID(ObjID.REGISTRY_ID),
                    new TCPEndpoint(host, port, csf, null),
                    false);
    RemoteRef ref =
        (csf == null) ? new UnicastRef(liveRef) : new UnicastRef2(liveRef);

    return (Registry) Util.createProxy(RegistryImpl.class, ref, false);
}

通过host和端口创建了一个LiveRef，用它又创建了一个UnicastRef，然后又调用Util.createProxy，根据前面分析这里创建的是一个RegistryImpl_Stub对象。和服务端不同的是这里的ref是一个UnicastRef而不是UnicastServerRef，因为一个对应客户端一个对应服务端。
注意到实际上这个stub并不是从注册中心或者服务端传递过来的，而是直接根据host和port两个参数在客户端生成的，所以并不是rmi中所有stub都是通过序列化传递的。而且创建过程甚至不需要和注册中心通信，也就是说就算没有注册中心也可以创建这个注册中心stub，只不过后续肯定用不了。
最后创建了这个RegistryImpl_Stub对象，接下来通过它去查找注册中心中的远程对象。

查找远程对象

来到IRemoteObj remoteObj = (IRemoteObj) registry.lookup(“remoteObj”);这一行，跟进RegistryImpl_Stub#lookup
openjdk从jdk8u141版本才有RegistryImpl_Stub的源码，之前的jdk版本都调试不了这个类，但代码逻辑基本没变。

public java.rmi.Remote lookup(java.lang.String $param_String_1)
        throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException {
    try {
        java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 2, interfaceHash);
        try {
            java.io.ObjectOutput out = call.getOutputStream();
            out.writeObject($param_String_1);
        } catch (java.io.IOException e) {
            throw new java.rmi.MarshalException("error marshalling arguments", e);
        }
        ref.invoke(call);
        java.rmi.Remote $result;
        try {
            java.io.ObjectInput in = call.getInputStream();
            $result = (java.rmi.Remote) in.readObject();
        } catch (java.io.IOException e) {
            throw new java.rmi.UnmarshalException("error unmarshalling return", e);
        } catch (java.lang.ClassNotFoundException e) {
            throw new java.rmi.UnmarshalException("error unmarshalling return", e);
        } finally {
            ref.done(call);
        }
        return $result;
    } catch (java.lang.RuntimeException e) {
        throw e;
    } catch (java.rmi.RemoteException e) {
        throw e;
    } catch (java.rmi.NotBoundException e) {
        throw e;
    } catch (java.lang.Exception e) {
        throw new java.rmi.UnexpectedException("undeclared checked exception", e);
    }
}

首先调用UnicastRef#newCall发起一个请求和注册中心建立连接。

/**
 * Create an appropriate call object for a new call on this object.
 * Passing operation array and index, allows the stubs generator to
 * assign the operation indexes and interpret them. The RemoteRef
 * may need the operation to encode in for the call.
 */
public RemoteCall newCall(RemoteObject obj, Operation[] ops, int opnum,
                          long hash)
    throws RemoteException
{
    clientRefLog.log(Log.BRIEF, "get connection");

    Connection conn = ref.getChannel().newConnection();
    try {
        clientRefLog.log(Log.VERBOSE, "create call context");

        /* log information about the outgoing call */
        if (clientCallLog.isLoggable(Log.VERBOSE)) {
            logClientCall(obj, ops[opnum]);
        }

        RemoteCall call =
            new StreamRemoteCall(conn, ref.getObjID(), opnum, hash);
        try {
            marshalCustomCallData(call.getOutputStream());
        } catch (IOException e) {
            throw new MarshalException("error marshaling " +
                                       "custom call data");
        }
        return call;
    } catch (RemoteException e) {
        ref.getChannel().free(conn, false);
        throw e;
    }
}

把要获取的远程对象名称写入输出流，之后调用了UnicastRef#invoke

public void invoke(RemoteCall call) throws Exception {
    try {
        clientRefLog.log(Log.VERBOSE, "execute call");

        call.executeCall();

    } catch
    ......
}

调用了StreamRemoteCall#executeCall

public void executeCall() throws Exception {
    byte returnType;

    // read result header
    DGCAckHandler ackHandler = null;
    try {
        if (out != null) {
            ackHandler = out.getDGCAckHandler();
        }
        releaseOutputStream();
        DataInputStream rd = new DataInputStream(conn.getInputStream());
        byte op = rd.readByte();
        if (op != TransportConstants.Return) {
            if (Transport.transportLog.isLoggable(Log.BRIEF)) {
                Transport.transportLog.log(Log.BRIEF,
                    "transport return code invalid: " + op);
            }
            throw new UnmarshalException("Transport return code invalid");
        }
        getInputStream();
        returnType = in.readByte();
        in.readID();        // id for DGC acknowledgement
    } catch (UnmarshalException e) {
        throw e;
    } catch (IOException e) {
        throw new UnmarshalException("Error unmarshaling return header",
                                     e);
    } finally {
        if (ackHandler != null) {
            ackHandler.release();
        }
    }
    // read return value
    switch (returnType) {
    case TransportConstants.NormalReturn:
        break;

    case TransportConstants.ExceptionalReturn:
        Object ex;
        try {
            ex = in.readObject();
        } catch (Exception e) {
            throw new UnmarshalException("Error unmarshaling return", e);
        }

        // An exception should have been received,
        // if so throw it, else flag error
        if (ex instanceof Exception) {
            exceptionReceivedFromServer((Exception) ex);
        } else {
            throw new UnmarshalException("Return type not Exception");
        }
        // Exception is thrown before fallthrough can occur
    default:
        if (Transport.transportLog.isLoggable(Log.BRIEF)) {
            Transport.transportLog.log(Log.BRIEF,
                "return code invalid: " + returnType);
        }
        throw new UnmarshalException("Return code invalid");
    }
}

发起网络调用，和服务端进行通信并获取结果，此时也触发了服务端监听线程的run方法，暂时不分析。特别注意当服务端返回异常时，会对输入流调用readObject，也就是说可以创建恶意服务端从这里攻击客户端。也就是只要调用了StreamRemoteCall#executeCall就可能被攻击，再往上一层，就是只要调用UnicastRef#invoke就会被攻击。实际上所有的Stub中都调用了UnicastRef#invoke，也就是RMI中所有的客户端调用都可能被攻击。
回到调用逻辑，没有异常的话，就正常返回RegistryImpl_Stub#lookup，获取到数据流in后，调用了in.readObject获取远程对象的动态代理对象RemoteObjStub，所以这里就是一个反序列化触发点。那么如果注册中心可控，客户端lookup注册中心的时候就会被攻击。
分析完了客户端的调用流程，分析下此时注册中心的调用流程，看看注册中心是怎么找到对应的远程对象的：

获取注册中心远程对象(注册中心端)

之前分析过，发布远程对象时会调用TCPTransprt#listen，实际上listen里面开启了一个AcceptLoop线程，接收到网络请求时会调用它的run方法

public void run() {
    try {
        executeAcceptLoop();
    } finally {
        try {
            /*
             * Only one accept loop is started per server
             * socket, so after no more connections will be
             * accepted, ensure that the server socket is no
             * longer listening.
             */
            serverSocket.close();
        } catch (IOException e) {
        }
    }
}

/**
 * Accepts connections from the server socket and executes
 * handlers for them in the thread pool.
 **/
private void executeAcceptLoop() {
    if (tcpLog.isLoggable(Log.BRIEF)) {
        tcpLog.log(Log.BRIEF, "listening on port " +
                   getEndpoint().getPort());
    }

    while (true) {
        Socket socket = null;
        try {
            socket = serverSocket.accept();

            /*
             * Find client host name (or "0.0.0.0" if unknown)
             */
            InetAddress clientAddr = socket.getInetAddress();
            String clientHost = (clientAddr != null
                                 ? clientAddr.getHostAddress()
                                 : "0.0.0.0");

            /*
             * Execute connection handler in the thread pool,
             * which uses non-system threads.
             */
            try {
                connectionThreadPool.execute(
                    new ConnectionHandler(socket, clientHost));
            } catch (RejectedExecutionException e) {
                closeSocket(socket);
                tcpLog.log(Log.BRIEF,
                           "rejected connection from " + clientHost);
            }

        } catch (Throwable t) {
            ......
        }
    }
}

然后调用TCPTransport#executeAcceptLoop，会开启新线程，跟进ConnectionHandler#run

public void run() {
    Thread t = Thread.currentThread();
    String name = t.getName();
    try {
        t.setName("RMI TCP Connection(" +
                  connectionCount.incrementAndGet() +
                  ")-" + remoteHost);
        AccessController.doPrivileged((PrivilegedAction<Void>)() -> {
            run0();
            return null;
        }, NOPERMS_ACC);
    } finally {
        t.setName(name);
    }
}

跟进run0

private void run0() {
    TCPEndpoint endpoint = getEndpoint();
    int port = endpoint.getPort();

    threadConnectionHandler.set(this);

    // set socket to disable Nagle's algorithm (always send
    // immediately)
    // TBD: should this be left up to socket factory instead?
    try {
        socket.setTcpNoDelay(true);
    } catch (Exception e) {
        // if we fail to set this, ignore and proceed anyway
    }
    // set socket to timeout after excessive idle time
    try {
        if (connectionReadTimeout > 0)
            socket.setSoTimeout(connectionReadTimeout);
    } catch (Exception e) {
        // too bad, continue anyway
    }

    try {
        InputStream sockIn = socket.getInputStream();
        InputStream bufIn = sockIn.markSupported()
                ? sockIn
                : new BufferedInputStream(sockIn);

        // Read magic (or HTTP wrapper)
        bufIn.mark(4);
        DataInputStream in = new DataInputStream(bufIn);
        int magic = in.readInt();

        if (magic == POST) {
            tcpLog.log(Log.BRIEF, "decoding HTTP-wrapped call");

            // It's really a HTTP-wrapped request.  Repackage
            // the socket in a HttpReceiveSocket, reinitialize
            // sockIn and in, and reread magic.
            bufIn.reset();      // unread "POST"

            try {
                socket = new HttpReceiveSocket(socket, bufIn, null);
                remoteHost = "0.0.0.0";
                sockIn = socket.getInputStream();
                bufIn = new BufferedInputStream(sockIn);
                in = new DataInputStream(bufIn);
                magic = in.readInt();

            } catch (IOException e) {
                throw new RemoteException("Error HTTP-unwrapping call",
                                          e);
            }
        }
        // bufIn's mark will invalidate itself when it overflows
        // so it doesn't have to be turned off

        // read and verify transport header
        short version = in.readShort();
        if (magic != TransportConstants.Magic ||
            version != TransportConstants.Version) {
            // protocol mismatch detected...
            // just close socket: this would recurse if we marshal an
            // exception to the client and the protocol at other end
            // doesn't match.
            closeSocket(socket);
            return;
        }

        OutputStream sockOut = socket.getOutputStream();
        BufferedOutputStream bufOut =
            new BufferedOutputStream(sockOut);
        DataOutputStream out = new DataOutputStream(bufOut);

        int remotePort = socket.getPort();

        if (tcpLog.isLoggable(Log.BRIEF)) {
            tcpLog.log(Log.BRIEF, "accepted socket from [" +
                             remoteHost + ":" + remotePort + "]");
        }

        TCPEndpoint ep;
        TCPChannel ch;
        TCPConnection conn;

        // send ack (or nack) for protocol
        byte protocol = in.readByte();
        switch (protocol) {
        case TransportConstants.SingleOpProtocol:
            // no ack for protocol

            // create dummy channel for receiving messages
            ep = new TCPEndpoint(remoteHost, socket.getLocalPort(),
                                 endpoint.getClientSocketFactory(),
                                 endpoint.getServerSocketFactory());
            ch = new TCPChannel(TCPTransport.this, ep);
            conn = new TCPConnection(ch, socket, bufIn, bufOut);

            // read input messages
            handleMessages(conn, false);
            break;

        case TransportConstants.StreamProtocol:
            // send ack
            out.writeByte(TransportConstants.ProtocolAck);

            // suggest endpoint (in case client doesn't know host name)
            if (tcpLog.isLoggable(Log.VERBOSE)) {
                tcpLog.log(Log.VERBOSE, "(port " + port +
                    ") " + "suggesting " + remoteHost + ":" +
                    remotePort);
            }

            out.writeUTF(remoteHost);
            out.writeInt(remotePort);
            out.flush();

            // read and discard (possibly bogus) endpoint
            // REMIND: would be faster to read 2 bytes then skip N+4
            String clientHost = in.readUTF();
            int    clientPort = in.readInt();
            if (tcpLog.isLoggable(Log.VERBOSE)) {
                tcpLog.log(Log.VERBOSE, "(port " + port +
                    ") client using " + clientHost + ":" + clientPort);
            }

            // create dummy channel for receiving messages
            // (why not use clientHost and clientPort?)
            ep = new TCPEndpoint(remoteHost, socket.getLocalPort(),
                                 endpoint.getClientSocketFactory(),
                                 endpoint.getServerSocketFactory());
            ch = new TCPChannel(TCPTransport.this, ep);
            conn = new TCPConnection(ch, socket, bufIn, bufOut);

            // read input messages
            handleMessages(conn, true);
            break;
            ......
}

大部分都是在解析网络包之类的，看到有根据POST和JRMI关键字解析的代码。继续跟进调用流程，走进handleMessages

/**
 * handleMessages decodes transport operations and handles messages
 * appropriately.  If an exception occurs during message handling,
 * the socket is closed.
 */
void handleMessages(Connection conn, boolean persistent) {
    int port = getEndpoint().getPort();

    try {
        DataInputStream in = new DataInputStream(conn.getInputStream());
        do {
            int op = in.read();     // transport op
            if (op == -1) {
                if (tcpLog.isLoggable(Log.BRIEF)) {
                    tcpLog.log(Log.BRIEF, "(port " +
                        port + ") connection closed");
                }
                break;
            }

            if (tcpLog.isLoggable(Log.BRIEF)) {
                tcpLog.log(Log.BRIEF, "(port " + port +
                    ") op = " + op);
            }

            switch (op) {
            case TransportConstants.Call:
                // service incoming RMI call
                RemoteCall call = new StreamRemoteCall(conn);
                if (serviceCall(call) == false)
                    return;
                break;
            ......
}

根据读取的op不同进行不同的操作，一般就是走进第一个case，跟进serviceCall

public boolean serviceCall(final RemoteCall call) {
    try {
        /* read object id */
        final Remote impl;
        ObjID id;

        try {
            id = ObjID.read(call.getInputStream());
        } catch (java.io.IOException e) {
            throw new MarshalException("unable to read objID", e);
        }

        /* get the remote object */
        Transport transport = id.equals(dgcID) ? null : this;
        Target target =
            ObjectTable.getTarget(new ObjectEndpoint(id, transport));

        if (target == null || (impl = target.getImpl()) == null) {
            throw new NoSuchObjectException("no such object in table");
        }

        final Dispatcher disp = target.getDispatcher();
        target.incrementCallCount();
        try {
            /* call the dispatcher */
            transportLog.log(Log.VERBOSE, "call dispatcher");

            final AccessControlContext acc =
                target.getAccessControlContext();
            ClassLoader ccl = target.getContextClassLoader();

            ClassLoader savedCcl = Thread.currentThread().getContextClassLoader();

            try {
                setContextClassLoader(ccl);
                currentTransport.set(this);
                try {
                    java.security.AccessController.doPrivileged(
                        new java.security.PrivilegedExceptionAction<Void>() {
                        public Void run() throws IOException {
                            checkAcceptPermission(acc);
                            disp.dispatch(impl, call);
                            return null;
                        }
                    }, acc);
                } catch (java.security.PrivilegedActionException pae) {
                    throw (IOException) pae.getException();
                }
            } finally {
                setContextClassLoader(savedCcl);
                currentTransport.set(null);
            }

        } catch (IOException ex) {
            ......
    return true;
}

读取id，根据id到IbjectTable中查找对应的Target，获取Target中的远程引用disp，然后调用disp.dispatch，也就是UnicastServerRef#dispatch

public void dispatch(Remote obj, RemoteCall call) throws IOException {
    // positive operation number in 1.1 stubs;
    // negative version number in 1.2 stubs and beyond...
    int num;
    long op;

    try {
        // read remote call header
        ObjectInput in;
        try {
            in = call.getInputStream();
            num = in.readInt();
        } catch (Exception readEx) {
            throw new UnmarshalException("error unmarshalling call header",
                                         readEx);
        }
        if (num >= 0) {
            if (skel != null) {
                oldDispatch(obj, call, num);
                return;
            } else {
                throw new UnmarshalException(
                    "skeleton class not found but required " +
                    "for client version");
            }
        }
        ......

skel != null时会调用oldDispatch，跟进

private void oldDispatch(Remote obj, RemoteCall call, int op)
    throws Exception
{
    long hash;              // hash for matching stub with skeleton

    // read remote call header
    ObjectInput in;
    in = call.getInputStream();
    try {
        Class<?> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
        if (clazz.isAssignableFrom(skel.getClass())) {
            ((MarshalInputStream)in).useCodebaseOnly();
        }
    } catch (ClassNotFoundException ignore) { }

    try {
        hash = in.readLong();
    } catch (Exception ioe) {
        throw new UnmarshalException("error unmarshalling call header", ioe);
    }

    // if calls are being logged, write out object id and operation
    logCall(obj, skel.getOperations()[op]);
    unmarshalCustomCallData(in);
    // dispatch to skeleton for remote object
    skel.dispatch(obj, call, op, hash);
}

unmarshalCustomCallData是空函数，所以来到了skel.dispatch，实际上也就是根据Skel的不同调用对应的dispatch方法，那这里就会调用RegistryImpl_Skel#dispatch
这是jdk8u141里面的代码，旧版本是没有RegistryImpl.checkAccess的，也就是可以远程调用所有方法。加上这个限制后只能远程调用lookup和list方法了，其他方法只能本地调用。

public void dispatch(java.rmi.Remote obj, java.rmi.server.RemoteCall call, int opnum, long hash)
        throws java.lang.Exception {
    if (hash != interfaceHash)
        throw new java.rmi.server.SkeletonMismatchException("interface hash mismatch");

    sun.rmi.registry.RegistryImpl server = (sun.rmi.registry.RegistryImpl) obj;
    switch (opnum) {
        case 0: // bind(String, Remote)
        {
            // Check access before reading the arguments
            RegistryImpl.checkAccess("Registry.bind");

            java.lang.String $param_String_1;
            java.rmi.Remote $param_Remote_2;
            try {
                java.io.ObjectInput in = call.getInputStream();
                $param_String_1 = (java.lang.String) in.readObject();
                $param_Remote_2 = (java.rmi.Remote) in.readObject();
            } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
                throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
            } finally {
                call.releaseInputStream();
            }
            server.bind($param_String_1, $param_Remote_2);
            try {
                call.getResultStream(true);
            } catch (java.io.IOException e) {
                throw new java.rmi.MarshalException("error marshalling return", e);
            }
            break;
        }

        case 1: // list()
        {
            call.releaseInputStream();
            java.lang.String[] $result = server.list();
            try {
                java.io.ObjectOutput out = call.getResultStream(true);
                out.writeObject($result);
            } catch (java.io.IOException e) {
                throw new java.rmi.MarshalException("error marshalling return", e);
            }
            break;
        }

        case 2: // lookup(String)
        {
            java.lang.String $param_String_1;
            try {
                java.io.ObjectInput in = call.getInputStream();
                $param_String_1 = (java.lang.String) in.readObject();
            } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
                throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
            } finally {
                call.releaseInputStream();
            }
            java.rmi.Remote $result = server.lookup($param_String_1);
            try {
                java.io.ObjectOutput out = call.getResultStream(true);
                out.writeObject($result);
            } catch (java.io.IOException e) {
                throw new java.rmi.MarshalException("error marshalling return", e);
            }
            break;
        }

        case 3: // rebind(String, Remote)
        {
            // Check access before reading the arguments
            RegistryImpl.checkAccess("Registry.rebind");

            java.lang.String $param_String_1;
            java.rmi.Remote $param_Remote_2;
            try {
                java.io.ObjectInput in = call.getInputStream();
                $param_String_1 = (java.lang.String) in.readObject();
                $param_Remote_2 = (java.rmi.Remote) in.readObject();
            } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
                throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
            } finally {
                call.releaseInputStream();
            }
            server.rebind($param_String_1, $param_Remote_2);
            try {
                call.getResultStream(true);
            } catch (java.io.IOException e) {
                throw new java.rmi.MarshalException("error marshalling return", e);
            }
            break;
        }

        case 4: // unbind(String)
        {
            // Check access before reading the arguments
            RegistryImpl.checkAccess("Registry.unbind");

            java.lang.String $param_String_1;
            try {
                java.io.ObjectInput in = call.getInputStream();
                $param_String_1 = (java.lang.String) in.readObject();
            } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
                throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
            } finally {
                call.releaseInputStream();
            }
            server.unbind($param_String_1);
            try {
                call.getResultStream(true);
            } catch (java.io.IOException e) {
                throw new java.rmi.MarshalException("error marshalling return", e);
            }
            break;
        }

可以看到到处都是readObject，也就是说客户端可以通过传输恶意对象攻击注册中心。实际上这里也能看出，对注册中心来说，服务端和客户端没什么本质区别，只是一个调用lookup一个调用bind。所以没有ip限制的版本里，服务端也能直接远程攻击注册中心。
这里还有个细节，server.lookup得到的是一个RemoteImplObj对象，通过writeObjecct写入输出流，但最后客户端反序列化得到的却是一个动态代理对象。这是因为这里的out是ConnectionOutputStream，父类是MarshalOutputStream，MarshalOutputStream的构造方法里调用了enableReplaceObject(true)，这样在序列化时会调用它的replaceObject

/**
 * Checks for objects that are instances of java.rmi.Remote
 * that need to be serialized as proxy objects.
 */
protected final Object replaceObject(Object obj) throws IOException {
    if ((obj instanceof Remote) && !(obj instanceof RemoteStub)) {
        Target target = ObjectTable.getTarget((Remote) obj);
        if (target != null) {
            return target.getStub();
        }
    }
    return obj;
}

所以传递过去的是代理对象而不是远程对象本身。
分析完了在注册中心查找远程对象的部分，接下来分析最后一行，remoteObj.sayHello()

远程方法调用(客户端)

之前分析已经知道remoteObj是一个动态代理了，那么调用它的方法时自然是走到了调用处理器类里面，跟进RemoteObjectInvocationHandler#invoke

public Object invoke(Object proxy, Method method, Object[] args)
    throws Throwable
{
    if (! Proxy.isProxyClass(proxy.getClass())) {
        throw new IllegalArgumentException("not a proxy");
    }

    if (Proxy.getInvocationHandler(proxy) != this) {
        throw new IllegalArgumentException("handler mismatch");
    }

    if (method.getDeclaringClass() == Object.class) {
        return invokeObjectMethod(proxy, method, args);
    } else if ("finalize".equals(method.getName()) && method.getParameterCount() == 0 &&
        !allowFinalizeInvocation) {
        return null; // ignore
    } else {
        return invokeRemoteMethod(proxy, method, args);
    }
}

调用的是else里面的invokeRemoteMethod

private Object invokeRemoteMethod(Object proxy,
                                  Method method,
                                  Object[] args)
    throws Exception
{
    try {
        if (!(proxy instanceof Remote)) {
            throw new IllegalArgumentException(
                "proxy not Remote instance");
        }
        return ref.invoke((Remote) proxy, method, args,
                          getMethodHash(method));
    } catch (Exception e) {
        if (!(e instanceof RuntimeException)) {
            Class<?> cl = proxy.getClass();
            try {
                method = cl.getMethod(method.getName(),
                                      method.getParameterTypes());
            } catch (NoSuchMethodException nsme) {
                throw (IllegalArgumentException)
                    new IllegalArgumentException().initCause(nsme);
            }
            Class<?> thrownType = e.getClass();
            for (Class<?> declaredType : method.getExceptionTypes()) {
                if (declaredType.isAssignableFrom(thrownType)) {
                    throw e;
                }
            }
            e = new UnexpectedException("unexpected exception", e);
        }
        throw e;
    }
}

最后调用的是UnicastRef里面另一个重载的invoke，一样调用了executeCall，那么这里客户端也可能被攻击。

public Object invoke(Remote obj,
                     Method method,
                     Object[] params,
                     long opnum)
    throws Exception
{
    if (clientRefLog.isLoggable(Log.VERBOSE)) {
        clientRefLog.log(Log.VERBOSE, "method: " + method);
    }

    if (clientCallLog.isLoggable(Log.VERBOSE)) {
        logClientCall(obj, method);
    }

    Connection conn = ref.getChannel().newConnection();
    RemoteCall call = null;
    boolean reuse = true;

    /* If the call connection is "reused" early, remember not to
     * reuse again.
     */
    boolean alreadyFreed = false;

    try {
        if (clientRefLog.isLoggable(Log.VERBOSE)) {
            clientRefLog.log(Log.VERBOSE, "opnum = " + opnum);
        }

        // create call context
        call = new StreamRemoteCall(conn, ref.getObjID(), -1, opnum);

        // marshal parameters
        try {
            ObjectOutput out = call.getOutputStream();
            marshalCustomCallData(out);
            Class<?>[] types = method.getParameterTypes();
            for (int i = 0; i < types.length; i++) {
                marshalValue(types[i], params[i], out);
            }
        } catch (IOException e) {
            clientRefLog.log(Log.BRIEF,
                "IOException marshalling arguments: ", e);
            throw new MarshalException("error marshalling arguments", e);
        }

        // unmarshal return
        call.executeCall();

        try {
            Class<?> rtype = method.getReturnType();
            if (rtype == void.class)
                return null;
            ObjectInput in = call.getInputStream();

            /* StreamRemoteCall.done() does not actually make use
             * of conn, therefore it is safe to reuse this
             * connection before the dirty call is sent for
             * registered refs.
             */
            Object returnValue = unmarshalValue(rtype, in);

            /* we are freeing the connection now, do not free
             * again or reuse.
             */
            alreadyFreed = true;

            /* if we got to this point, reuse must have been true. */
            clientRefLog.log(Log.BRIEF, "free connection (reuse = true)");

            /* Free the call's connection early. */
            ref.getChannel().free(conn, true);

            return returnValue;

        } catch (IOException | ClassNotFoundException e) {
            // disable saving any refs in the inputStream for GC
           ......
    }
}

可以注意到如果返回值type不是void会调用unmarshalValue

protected static Object unmarshalValue(Class<?> type, ObjectInput in)
    throws IOException, ClassNotFoundException
{
    if (type.isPrimitive()) {
        if (type == int.class) {
            return Integer.valueOf(in.readInt());
        } else if (type == boolean.class) {
            return Boolean.valueOf(in.readBoolean());
        } else if (type == byte.class) {
            return Byte.valueOf(in.readByte());
        } else if (type == char.class) {
            return Character.valueOf(in.readChar());
        } else if (type == short.class) {
            return Short.valueOf(in.readShort());
        } else if (type == long.class) {
            return Long.valueOf(in.readLong());
        } else if (type == float.class) {
            return Float.valueOf(in.readFloat());
        } else if (type == double.class) {
            return Double.valueOf(in.readDouble());
        } else {
            throw new Error("Unrecognized primitive type: " + type);
        }
    } else {
        return in.readObject();
    }
}

当返回值类型不是这几种基础类型时就会调用反序列化，也就是服务端可以通过返回恶意对象来攻击客户端。
接下来分析客户端调用时服务端的处理流程。

远程方法调用(服务端)

和在注册中心查找远程对象时候的前半段一样，来到UnicastServerRef#dispatch

 public void dispatch(Remote obj, RemoteCall call) throws IOException {
    // positive operation number in 1.1 stubs;
    // negative version number in 1.2 stubs and beyond...
    int num;
    long op;

    try {
        // read remote call header
        ObjectInput in;
        try {
            in = call.getInputStream();
            num = in.readInt();
            if (num >= 0) {
                if (skel != null) {
                    oldDispatch(obj, call, num);
                    return;
                } else {
                    throw new UnmarshalException(
                        "skeleton class not found but required " +
                        "for client version");
                }
            }
            op = in.readLong();
        } catch (Exception readEx) {
            throw new UnmarshalException("error unmarshalling call header",
                                         readEx);
        }

        /*
         * Since only system classes (with null class loaders) will be on
         * the execution stack during parameter unmarshalling for the 1.2
         * stub protocol, tell the MarshalInputStream not to bother trying
         * to resolve classes using its superclasses's default method of
         * consulting the first non-null class loader on the stack.
         */
        MarshalInputStream marshalStream = (MarshalInputStream) in;
        marshalStream.skipDefaultResolveClass();

        Method method = hashToMethod_Map.get(op);
        if (method == null) {
            throw new UnmarshalException("unrecognized method hash: " +
                "method not supported by remote object");
        }

        // if calls are being logged, write out object id and operation
        logCall(obj, method);

        // unmarshal parameters
        Class<?>[] types = method.getParameterTypes();
        Object[] params = new Object[types.length];

        try {
            unmarshalCustomCallData(in);
            for (int i = 0; i < types.length; i++) {
                params[i] = unmarshalValue(types[i], in);
            }
        } catch (java.io.IOException e) {
            throw new UnmarshalException(
                "error unmarshalling arguments", e);
        } catch (ClassNotFoundException e) {
            throw new UnmarshalException(
                "error unmarshalling arguments", e);
        } finally {
            call.releaseInputStream();
        }

        // make upcall on remote object
        Object result;
        try {
            result = method.invoke(obj, params);
        } catch (InvocationTargetException e) {
            throw e.getTargetException();
        }

        // marshal return value
        try {
            ObjectOutput out = call.getResultStream(true);
            Class<?> rtype = method.getReturnType();
            if (rtype != void.class) {
                marshalValue(rtype, result, out);
            }
        } catch (IOException ex) {
            throw new MarshalException("error marshalling return", ex);
            /*
             * This throw is problematic because when it is caught below,
             * we attempt to marshal it back to the client, but at this
             * point, a "normal return" has already been indicated,
             * so marshalling an exception will corrupt the stream.
             * This was the case with skeletons as well; there is no
             * immediately obvious solution without a protocol change.
             */
        }
    } catch (Throwable e) {
        logCallException(e);

        ObjectOutput out = call.getResultStream(false);
        if (e instanceof Error) {
            e = new ServerError(
                "Error occurred in server thread", (Error) e);
        } else if (e instanceof RemoteException) {
            e = new ServerException(
                "RemoteException occurred in server thread",
                (Exception) e);
        }
        if (suppressStackTraces) {
            clearStackTraces(e);
        }
        out.writeObject(e);
    } finally {
        call.releaseInputStream(); // in case skeleton doesn't
        call.releaseOutputStream();
    }
}

不同的是这回不会进入old Dispatch，而是继续向下走，之后调用到unmarshalValue，前面写过这个方法会触发反序列化，那么客户端可以通过在参数值传payload来攻击服务端。
目前为止分析了客户端、注册中心、服务端之间的调用过程，但实际上服务端上还有DGC服务，接下来分析下DGC服务的调用过程。

DGC调用流程(客户端)

DGC(Distributed Garbage Collection)指分布式垃圾回收，前面的流程也提到了，远程对象发布时就会伴随着DGC对象的创建。前面介绍了在远程对象发布时服务端会生成一个DGCImpl_Stub对象，那么这个对象是也会像普通远程对象一样反序列化传递给客户端，还是像RegistryImpl_Stub一样在客户端本地生成呢？直觉上的感觉应该是后者，首先因为DGC和注册中心一样都是jdk自带类，第二是刚才分析了整个调用流程并没有发现通过序列化传递DGC代理对象的地方。
那么看看DGCImpl_Stub的是怎么创建的，直接对DGC接口find usage，找到两处创建Stub的地方，第一个是之前说的DGCImpl的静态代码块，第二个在DGCClient$EndpointEntry的构造函数里

private EndpointEntry(final Endpoint endpoint) {
    this.endpoint = endpoint;
    try {
        LiveRef dgcRef = new LiveRef(dgcID, endpoint, false);
        dgc = (DGC) Util.createProxy(DGCImpl.class,
                                     new UnicastRef(dgcRef), true);
    } catch (RemoteException e) {
        throw new Error("internal error creating DGC stub");
    }
    renewCleanThread =  AccessController.doPrivileged(
        new NewThreadAction(new RenewCleanThread(),
                            "RenewClean-" + endpoint, true));
    renewCleanThread.start();
}

下断点，发现入口是在RegistryImpl_Stub#lookup的ref.done：

public void done(RemoteCall call) throws RemoteException {

    /* Done only uses the connection inside the call to obtain the
     * channel the connection uses.  Once all information is read
     * from the connection, the connection may be freed.
     */
    clientRefLog.log(Log.BRIEF, "free connection (reuse = true)");

    /* Free the call connection early. */
    free(call, true);

    try {
        call.done();
    } catch (IOException e) {
        /* WARNING: If the conn has been reused early, then it is
         * too late to recover from thrown IOExceptions caught
         * here. This code is relying on StreamRemoteCall.done()
         * not actually throwing IOExceptions.
         */
    }
}

跟进StreamRemoteCall#done

public void done() throws IOException {
    /* WARNING: Currently, the UnicastRef.java invoke methods rely
     * upon this method not throwing an IOException.
     */

    releaseInputStream();
}

public void releaseInputStream() throws IOException {
    /* WARNING: Currently, the UnicastRef.java invoke methods rely
     * upon this method not throwing an IOException.
     */

    try {
        if (in != null) {
            // execute MarshalInputStream "done" callbacks
            try {
                in.done();
            } catch (RuntimeException e) {
            }

            // add saved references to DGC table
            in.registerRefs();

            /* WARNING: The connection being passed to done may have
             * already been freed.
             */
            in.done(conn);
        }
        conn.releaseInputStream();
    } finally {
        in = null;
    }
}

调用了ConnectionInputStream#registerRefs

void registerRefs() throws IOException {
    if (!incomingRefTable.isEmpty()) {
        for (Map.Entry<Endpoint, List<LiveRef>> entry :
                 incomingRefTable.entrySet()) {
            DGCClient.registerRefs(entry.getKey(), entry.getValue());
        }
    }
}

这里有个if，目前不需要关注细节，总之客户端调用时是可以进去的，那么跟进DGCClient#registerRefs

static void registerRefs(Endpoint ep, List<LiveRef> refs) {
    /*
     * Look up the given endpoint and register the refs with it.
     * The retrieved entry may get removed from the global endpoint
     * table before EndpointEntry.registerRefs() is able to acquire
     * its lock; in this event, it returns false, and we loop and
     * try again.
     */
    EndpointEntry epEntry;
    do {
        epEntry = EndpointEntry.lookup(ep);
    } while (!epEntry.registerRefs(refs));
}

这是一个do while循环，先进入EndpointEntry#lookup

public static EndpointEntry lookup(Endpoint ep) {
    synchronized (endpointTable) {
        EndpointEntry entry = endpointTable.get(ep);
        if (entry == null) {
            entry = new EndpointEntry(ep);
            endpointTable.put(ep, entry);
            /*
             * While we are tracking live remote references registered
             * in this VM, request a maximum latency for inspecting the
             * entire heap from the local garbage collector, to place
             * an upper bound on the time to discover remote references
             * that have become unreachable (see bugid 4171278).
             */
            if (gcLatencyRequest == null) {
                gcLatencyRequest = GC.requestLatency(gcInterval);
            }
        }
        return entry;
    }
}

可以看到触发了EndpointEntry的实例化。那么这里就创建了DGCImpl_Stub，接下来看下哪里调用了DGCImpl_Stub里面具体的方法。实际上就在EndpointEntry的构造函数里开启的新线程，看看RenewCleanThread#run

public void run() {
    do {
        ......
        boolean needRenewal_ = needRenewal;
        Set<RefEntry> refsToDirty_ = refsToDirty;
        long sequenceNum_ = sequenceNum;
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                if (needRenewal_) {
                    makeDirtyCall(refsToDirty_, sequenceNum_);
                }

                if (!pendingCleans.isEmpty()) {
                    makeCleanCalls();
                }
                return null;
            }}, SOCKET_ACC);
    } while (!removed || !pendingCleans.isEmpty());
}

可以看到里面循环调用makeDirtyCall

private void makeDirtyCall(Set<RefEntry> refEntries, long sequenceNum) {
    assert !Thread.holdsLock(this);

    ObjID[] ids;
    if (refEntries != null) {
        ids = createObjIDArray(refEntries);
    } else {
        ids = emptyObjIDArray;
    }

    long startTime = System.currentTimeMillis();
    try {
        Lease lease =
            dgc.dirty(ids, sequenceNum, new Lease(vmid, leaseValue));
        long duration = lease.getValue();

        long newRenewTime = computeRenewTime(startTime, duration);
        long newExpirationTime = startTime + duration;

        synchronized (this) {
            dirtyFailures = 0;
            setRenewTime(newRenewTime);
            expirationTime = newExpirationTime;
        }

    } catch (Exception e) {
        ......

dgc.dirty这里调用了DGCImpl_Stub#dirty

public java.rmi.dgc.Lease dirty(java.rmi.server.ObjID[] $param_arrayOf_ObjID_1, long $param_long_2, java.rmi.dgc.Lease $param_Lease_3)
        throws java.rmi.RemoteException {
    try {
        java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 1, interfaceHash);
        try {
            java.io.ObjectOutput out = call.getOutputStream();
            out.writeObject($param_arrayOf_ObjID_1);
            out.writeLong($param_long_2);
            out.writeObject($param_Lease_3);
        } catch (java.io.IOException e) {
            throw new java.rmi.MarshalException("error marshalling arguments", e);
        }
        ref.invoke(call);
        java.rmi.dgc.Lease $result;
        Connection connection = ((StreamRemoteCall) call).getConnection();
        try {
            java.io.ObjectInput in = call.getInputStream();

            if (in instanceof ObjectInputStream) {
                /**
                 * Set a filter on the stream for the return value.
                 */
                ObjectInputStream ois = (ObjectInputStream) in;
                AccessController.doPrivileged((PrivilegedAction<Void>)() -> {
                    ObjectInputFilter.Config.setObjectInputFilter(ois, DGCImpl_Stub::leaseFilter);
                    return null;
                });
            }
            $result = (java.rmi.dgc.Lease) in.readObject();
        } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
            if (connection instanceof TCPConnection) {
                // Modified to prevent re-use of the connection after an exception
                ((TCPConnection) connection).getChannel().free(connection, false);
            }
            throw new java.rmi.UnmarshalException("error unmarshalling return", e);
        } finally {
            ref.done(call);
        }
        return $result;
    } catch (java.lang.RuntimeException e) {
        ......

调用了in.readObject()，也就是说DGC客户端调用dirty时有可能被DGC服务端攻击。而前面的每个stub的调用都会触发ref.done，也就是每次stub的调用都可能被DGC服务端攻击。为了看源码用的是8u141这个版本，有个过滤器，但是低版本没有。
接下来分析下服务端的调用流程

DGC调用流程(服务端)

实际上这几个服务端的前半部分都是一样的，都是到UnicastServerRef#dispatch。然后DGCImpl_Stub也是jdk内置类，所以进入oldDispatch，最后进入DGCImpl_Skel#dispatch。clean方法基本不会调用，就看dirty部分

case 1: // dirty(ObjID[], long, Lease)
 {
     java.rmi.server.ObjID[] $param_arrayOf_ObjID_1;
     long $param_long_2;
     java.rmi.dgc.Lease $param_Lease_3;
     try {
         java.io.ObjectInput in = call.getInputStream();
         $param_arrayOf_ObjID_1 = (java.rmi.server.ObjID[]) in.readObject();
         $param_long_2 = in.readLong();
         $param_Lease_3 = (java.rmi.dgc.Lease) in.readObject();
     } catch (java.io.IOException e) {
         throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
     } catch (java.lang.ClassNotFoundException e) {
         throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
     } finally {
         call.releaseInputStream();
     }
     java.rmi.dgc.Lease $result = server.dirty($param_arrayOf_ObjID_1, $param_long_2, $param_Lease_3);
     try {
         java.io.ObjectOutput out = call.getResultStream(true);
         out.writeObject($result);
     } catch (java.io.IOException e) {
         throw new java.rmi.MarshalException("error marshalling return", e);
     }
     break;
 }

服务端也调用了in.readObject，也就是说DGC客户端可以攻击DGC服务端。
目前为止就分析完了一次正常的RMI调用的完整流程，那么总结下整个过程中的反序列化点以及导致的攻击，这里不具体区分触发的服务是注册中心还是DGC之类的，只按客户端/服务端/注册中心分类：
1、攻击客户端：
RegistryImpl_Stub#lookup->注册中心攻击客户端
DGCImpl_Stub#dirty->服务端攻击客户端
UnicastRef#invoke->服务端攻击客户端
StreamRemoteCall#executeCall->服务端/注册中心攻击客户端
2、攻击服务端
UnicastServerRef#dispatch->客户端攻击服务端
DGCImpl_Skel#dispatch->客户端攻击服务端
3、攻击注册中心
RegistryImpl_Skel#dispatch->客户端/服务端攻击注册中心
通过完整的分析RMI调用流程，发现了上述反序列化攻击点，下篇文章会实现具体的攻击方式。

参考链接

https://docs.oracle.com/javase/tutorial/rmi/implementing.html
https://docs.oracle.com/javase/8/docs/technotes/guides/rmi/index.html
http://scz.617.cn:8/network/202002221000.txt
https://www.jianshu.com/p/2c78554a3f36
https://last-las.github.io/2020/12/10/%E6%B7%B1%E5%85%A5%E5%AD%A6%E4%B9%A0rmi%E5%B7%A5%E4%BD%9C%E5%8E%9F%E7%90%86
https://www.cnblogs.com/binarylei/p/12115986.html