Ermir – An Evil Java RMI Registry

Ermir is an Evil/Rogue RMI Registry, it

  • public String[] list(): list() asks the registry for all the bound objects names, while String type cannot be subsitued with a malicious gadget as it is not like any ordinary object and it is not read using readObject() but rather readUTF(), however as list() returns String[] which is an actual object and it is read using

  • public void bind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2): bind() binds an object to a name on the registry, in bind() case the return type is void and there is nothing being returned, however if the registry specifies in the RMI return data packet that this return is an execptional return, the client/server client will call

  • public void rebind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2): rebind() replaces the binding of the passed name with the supplied remote reference, also returns void, Ermir returns an exception just like bind().

  • public void unbind(java.lang.String $param_String_1): unbind() unbinds a remote object by name in the RMI registry, this one also returns void.

  • PoC


    Bug reports and pull requests are welcome on GitHub at This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.


    The gem is available as open source under the terms of the MIT License.

    Code of Conduct

    Everyone interacting in the Ermir project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

    Download Ermir

    If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.


    Original Source