Skip to content
Slides/Demos from the BSides Munich 2019 talk "Attacking Java RMI in 2019"
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
BSides Exploiting RMI Services.pdf

Attacking Java RMI services after JEP 290

This repository contains all examples from my talk "Attacking Java RMI services in 2019" at BSides Munich 2019. I also included the slides, however a more detailed explanation of this topic can be found on our blog.


This is a simple RMI service that I used as an example. It is a Maven project with CommonsCollections 3.1 bundled. Additional instructions how to build/run this service cna be found in the directory.


This directory contains a minimal code example how to attack an RMI service that provides a method that accepts an arbitrary object as argument. The code needs to be imported into an project that also includes the ysoserial jar.


A YouDebug script that replaces the objects in a remote invocation call with an object from ysoserial.

You can’t perform that action at this time.