Why do all the serialized payloads contain java.lang.Override? #75
Comments
The I don't have specific experience with elasticsearch, but looking at some source code it looks like it uses a slightly modified deserialization stream format and behavior via ThrowableObjectOutputStream and ThrowableObjectInputStream that:
In this scenario, it seems likely that the last of these customizations may be getting in the way of it working, but it's hard to say for sure without more information about which path it's following through the It may also be worth asking in the gitter chat to see if anyone else has come across this specific vector and/or issue before.
Thank you for the reply @frohoff. I will try and look into the issue further with your feedback in mind.
Closing after resolution via gitter chat.
I am attempting to use ysoserial to generate a Groovy1 payload against an old version of elasticsearch. The payload fails to deserialize due to the presence of java.lang.Override. Specifically, elasticsearch seems to call the following function when resolving classes contained within a serialized stream:
```java
protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
    // The first byte selects how the class descriptor was encoded.
    int type = read();
    if (type < 0) {
        throw new EOFException();
    }
    switch (type) {
        case ThrowableObjectOutputStream.TYPE_EXCEPTION:
            return ObjectStreamClass.lookup(Exception.class);
        case ThrowableObjectOutputStream.TYPE_STACKTRACEELEMENT:
            return ObjectStreamClass.lookup(StackTraceElement.class);
        case ThrowableObjectOutputStream.TYPE_FAT_DESCRIPTOR:
            // Standard descriptor, read by the JDK implementation.
            return super.readClassDescriptor();
        case ThrowableObjectOutputStream.TYPE_THIN_DESCRIPTOR:
            // Only the class name is in the stream; the descriptor is rebuilt from the local class.
            String className = readUTF();
            Class<?> clazz = loadClass(className);
            return ObjectStreamClass.lookup(clazz);
        default:
            throw new StreamCorruptedException(
                    "Unexpected class descriptor type: " + type);
    }
}
```
`ObjectStreamClass.lookup(clazz)` returns `null` when `clazz == "java.lang.Override"`. I am not entirely sure what the purpose of java.lang.Override is in the serialized object but is there any way of generating payloads which do not contain this class?

Thanks in advance for the help.
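Added illustration, not part of the original post and not Elasticsearch's code: the JDK documents that `ObjectStreamClass.lookup()` returns `null` for a class that does not implement `Serializable` or `Externalizable`, which is the case for the annotation type `java.lang.Override`, while `ObjectStreamClass.lookupAny()` returns a descriptor for any class. The sketch below reproduces that behaviour with a name-only ("thin") descriptor reader shaped like the quoted method; `ThinOut`, `ThinIn`, `roundTrip` and the tag value are hypothetical names introduced here.

```java
import java.io.*;

// Added illustration; ThinOut/ThinIn are hypothetical stand-ins modelled on the
// readClassDescriptor() quoted in the issue, not Elasticsearch's own classes.
public class ThinDescriptorDemo {
    static final int TYPE_THIN_DESCRIPTOR = 3; // constructed tag value

    // Writer: replaces the full class descriptor with a tag byte plus the class name.
    static class ThinOut extends ObjectOutputStream {
        ThinOut(OutputStream out) throws IOException { super(out); }
        @Override protected void writeClassDescriptor(ObjectStreamClass desc) throws IOException {
            write(TYPE_THIN_DESCRIPTOR);
            writeUTF(desc.getName());
        }
    }

    // Reader: rebuilds the descriptor from the local class, as in the quoted method.
    static class ThinIn extends ObjectInputStream {
        private final boolean useLookupAny;
        ThinIn(InputStream in, boolean useLookupAny) throws IOException {
            super(in);
            this.useLookupAny = useLookupAny;
        }
        @Override protected ObjectStreamClass readClassDescriptor()
                throws IOException, ClassNotFoundException {
            if (read() != TYPE_THIN_DESCRIPTOR) throw new StreamCorruptedException("bad tag");
            Class<?> clazz = Class.forName(readUTF());
            // lookup() yields null unless clazz is Serializable/Externalizable;
            // lookupAny() yields a descriptor for any class.
            return useLookupAny ? ObjectStreamClass.lookupAny(clazz)
                                : ObjectStreamClass.lookup(clazz);
        }
    }

    // Serializes obj, reads it back, and reports what the reader did.
    static String roundTrip(Object obj, boolean useLookupAny) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ThinOut out = new ThinOut(buf)) { out.writeObject(obj); }
        try (ThinIn in = new ThinIn(new ByteArrayInputStream(buf.toByteArray()), useLookupAny)) {
            return "read back " + in.readObject();
        } catch (Exception e) {
            return "failed with " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws IOException {
        // A Class object in a stream carries the descriptor of the class it names.
        System.out.println(roundTrip(String.class, false));   // Serializable class
        System.out.println(roundTrip(Override.class, false)); // annotation type, not Serializable
        System.out.println(roundTrip(Override.class, true));  // same stream, lookupAny() reader
    }
}
```

The second call fails inside the JDK because the reader hands back a `null` descriptor, so the rejection is a side effect of the descriptor lookup rather than a class allowlist.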