Import and generate dynamic `ysoserial` Java serialization objects #11125
Problem: Some exploit modules targeting Java deserialization vulnerabilities use "blobs" like Base64 strings, which make the code difficult to read, change, and verify. Personally, I spent a full day reverse engineering a recent Java serialized object, understanding
Proposed solution: To make Java serialized objects more easily readable and adaptable, this PR adds support for importing and generating dynamic objects from
Ready for landing. Pending @wchen-r7's review.
Considerations for future work:
Feedback welcome! Thanks!
Dec 16, 2018
@wchen-r7: It's ready to go! I've also updated the testing steps above to provide a more thorough walkthrough.
The most significant bug was that when I randomized ysoserial fingerprintable strings, I was off-by-one in my character count.
(TANGENT: However, along the way, I had to troubleshoot offsets and values of both
To support future debugging, I've added a
Cool thanks! I think when you were updating your code, rspec went out of date again: https://travis-ci.org/rapid7/metasploit-framework/jobs/475527324#L2480
Could you please take a look at that? Something related to this:
@wchen-r7: I've spent the day arguing with
... should reference this in the
So, testing that manually:
```
msf5> pry
pry> p = Msf::Util::JavaDeserialization::ysoserial_payload("BeanShell1","id")
pry> p.include?("java.awt.event")
=> true
```
Looks fine to me! What am I missing?