Import and generate dynamic ysoserial Java serialization objects (#11125)

Conversation
You might wanna rename your file

@wchen: Thanks! I've renamed the helper script and added Wiki documentation. This PR is now ready for final review and potential landing.

I'll give this a try. Thank you!

Hi @asoto-r7, I have submitted a pull request to you for the rspec. You can find it here: Please let me know when you have resolved the issue with hp_imc_java_deserialize.rb not getting a session, and then I'll take a look at the PR again. Thank you!
@wchen-r7: It's ready to go! I've also updated the testing steps above to provide a more thorough walkthrough. The most significant bug was that when I randomized ysoserial fingerprintable strings, I was off-by-one in my character count. (TANGENT: However, along the way, I had to troubleshoot offsets and values of both To support future debugging, I've added a

Cool thanks! I think when you were updating your code, rspec went out of date again: https://travis-ci.org/rapid7/metasploit-framework/jobs/475527324#L2480 Could you please take a look at that? Something related to this:
@wchen-r7: I've spent the day arguing with

... should reference this in the

So, testing that manually:

```
msf5> pry
pry> p = Msf::Util::JavaDeserialization::ysoserial_payload("BeanShell1","id")
pry> p.include?("java.awt.event")
=> true
```

Looks fine to me! What am I missing?
@wchen: Thanks for the rspec, especially since it caught that I had locally updated the JSON file, but committed a version that didn't contain all the payloads. The tests are passing now and it's ready for testing. I apologize for the delay.

I will try again. Thanks!

Exploit is working for me with this patch. Let me look around a bit more and then I'll try to land it. Pretty busy today w/ meetings but I think I should be able to do this today.

Release Notes

This adds support for importing and generating dynamic objects from
Overview
Problem: Some exploit modules targeting Java deserialization vulnerabilities use "blobs" like Base64 strings, which make the code difficult to read, change, and verify. Personally, I spent a full day reverse engineering a recent Java serialized object, understanding ysoserial, and recreating a verified "blob" to land PR #10947. And yet, despite my comments and notes, it will be difficult for the next person to understand or modify. And so...

Proposed solution: To make Java serialized objects more easily readable and adaptable, this PR adds support for importing and generating dynamic objects from ysoserial (and hopefully fixes #10057). Rather than invoking ysoserial directly (and all the Java overhead that would entail), this PR uses a once-run Docker container. The docker container will output a JSON file (data/ysoserial_payloads.json) containing the relevant binary and offsets so that a Metasploit library can quickly generate a dynamic Java serialized object.

Current Status

Ready for landing. Pending @wchen-r7's review.

Considerations for future work:

- ysoserial-modified.jar with its bash, cmd, and powershell variations.
- Myfaces2 which requires a <base_url>:<classname> formatted string or URLDNS which requires a URL).

Feedback welcome! Thanks! 😄
Verification
- Please review lib/msf/util/java_deserialization.rb to identify code that significantly contradicts our current or best practices.
- Change directory to the tools/payloads/ysoserial.
- CommonsBeanutils1 that invokes ls:
- hp_imc_java_deserialize module works with the new updates: