Skip to content
Slides/Demos from the BSides Munich 2019 talk "Attacking Java RMI in 2019"
Java Groovy
Branch: master
Clone or download
Hans-Martin Münch
Hans-Martin Münch Fixing error in pom.xml
Latest commit 360ad2b Sep 20, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
BSidesAttackClient/src/de/mogwailabs/BSidesRMIService Initial commit Mar 25, 2019
BSidesMucRmiService Fixing error in pom.xml Sep 20, 2019
BSides Exploiting RMI Services.pdf Updating slides Mar 26, 2019
barmitzwa.groovy Initial commit Mar 25, 2019

Attacking Java RMI services after JEP 290

This repository contains all examples from my talk "Attacking Java RMI services in 2019" at BSides Munich 2019. I also included the slides, however a more detailed explanation of this topic can be found on our blog.


This is a simple RMI service that I used as an example. It is a Maven project with CommonsCollections 3.1 bundled. Additional instructions how to build/run this service cna be found in the directory.


This directory contains a minimal code example how to attack an RMI service that provides a method that accepts an arbitrary object as argument. The code needs to be imported into an project that also includes the ysoserial jar.


A YouDebug script that replaces the objects in a remote invocation call with an object from ysoserial.

You can’t perform that action at this time.