Collection of bypass gadgets to extend and wrap ysoserial payloads
Clone or download
Latest commit 00fcbde Apr 11, 2016
Type Name Latest commit message Commit time
Failed to load latest commit information.
src Initial commit Apr 11, 2016
.gitignore Initial commit Apr 11, 2016 updated readme Apr 11, 2016
pom.xml Initial commit Apr 11, 2016

SerialKiller: Bypass Gadget Collection


Collection of Bypass Gadgets that can be used in JVM Deserialization Gadget chains to bypass "Look-Ahead ObjectInputStreams" desfensive deserialization.

Released as part of RSA 2016 Talk "SerialKiller: Silently Pwning Your Java Endpoints" by Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711).

Details about bypass gadget technique can be found in the following resources:


This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.


The current status of this project heavily depends on "YSoSerial". project and the idea is to integrate it there in the near future (see below). It can actually be considered an extension of ysoserial and it reuses some parts of the code and all the payload gadgets in order to facilitate future integration.

Copy the current version (ysoserial-0.0.5-SNAPSHOT-all.jar) to /external and adjust the pom.xml if using a different version.

The following Jar files are required from Weblogic and WebSphere application servers and not distributed with SerialKiller Bypass Gadget Collection. Copy them from your authorized version of the application server to the /external directory.


mvn clean compile assembly:single


java -jar target/serialkiller-bypass-gadgets-0.0.1-SNAPSHOT-all.jar <Payload Gadget, eg: CommonsCollections2> <Bypass Gadget, eg: Weblogic1> <Command, eg: 'touch /tmp/test'>


The idea is to integrate this project into YsoSerial project as soon as it supports wrapping payloads in bypass gadgets and handle missing dependencies.