Add Jackson gadget chain with JNDI/LDAP support #464
b8db64e to e48c036
| const ( | ||
| arraySizeWithCommand = "\x00\x00\x06\x54" // 1620 | ||
| arraySizeWithoutCommand = 1599 | ||
| ) | ||
| gadget = strings.ReplaceAll(gadget, arraySizeWithCommand, transform.PackBigInt32(arraySizeWithoutCommand+len(cmd))) |
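Review bot: strings.ReplaceAll on the 4-byte pattern arraySizeWithCommand rewrites every occurrence of \x00\x00\x06\x54 in the gadget, not only the array-size field, and silently does nothing if the pattern is absent (for example after Jackson.bin is regenerated). Consider strings.Replace with a count of 1 together with a strings.Count check that the pattern occurs exactly once, returning an error otherwise. The two constants are also declared in different forms, one as a packed big-endian string and one as an int, which hides how they relate; declaring both as ints and packing at the call site would make the relationship visible.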
gross
Pull Request Overview
This PR adds support for the Jackson gadget chain with JNDI/LDAP exploitation capabilities. The implementation leverages the Jackson deserialization vulnerability to execute arbitrary commands through a serialized Java payload.
Key changes:
- Added `JacksonGenericCommand` gadget type with implementation
- Integrated Jackson gadget chain into LDAP server configuration
- Added new gadget binary file (`Jackson.bin`) for payload generation
Reviewed Changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| java/ldapjndi/ldapjndi.go | Added JacksonGenericCommand gadget constant and integrated it into LDAP gadget configuration logic |
| java/javagadget.go | Implemented JacksonGenericCommand function to generate Jackson exploitation payloads with command injection |
| } | ||
|
|
||
| gadget := string(gadgetBytes) | ||
| gadget = strings.ReplaceAll(gadget, "\x00\x15touch /tmp/vulnerable", transform.PackBigInt16(len(cmd))+cmd) |
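Review bot: on the ReplaceAll line, len(cmd) is packed into a 16-bit length prefix with no visible bound check, so a cmd longer than 65535 bytes cannot be represented and the prefix would no longer match the bytes that follow it. Validate len(cmd) <= 0xFFFF before packing and return an error otherwise. It is also worth confirming that the placeholder literal is present in gadgetBytes before replacing, so that a changed Jackson.bin fails loudly instead of passing through unmodified.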
Copilot AI, Oct 22, 2025
The hardcoded placeholder `\x00\x15touch /tmp/vulnerable` embeds a magic value without explanation. Consider extracting this as a named constant with documentation explaining it represents the 16-bit length prefix (0x0015 = 21 bytes) followed by the original command from the gadget binary.
| } | ||
|
|
||
| gadget := string(gadgetBytes) | ||
| gadget = strings.ReplaceAll(gadget, "\x00\x15touch /tmp/vulnerable", transform.PackBigInt16(len(cmd))+cmd) |
Copilot AI, Oct 22, 2025
The relationship between `arraySizeWithCommand` (1620) and `arraySizeWithoutCommand` (1599) is unclear. The 21-byte difference should be documented to explain it corresponds to the length of 'touch /tmp/vulnerable' being replaced.
| gadget = strings.ReplaceAll(gadget, "\x00\x15touch /tmp/vulnerable", transform.PackBigInt16(len(cmd))+cmd) | |
| gadget = strings.ReplaceAll(gadget, "\x00\x15touch /tmp/vulnerable", transform.PackBigInt16(len(cmd))+cmd) | |
| // The Jackson.bin gadget contains a hardcoded command string "touch /tmp/vulnerable" (21 bytes). | |
| // arraySizeWithCommand (1620) is the size of the serialized array including the original command. | |
| // arraySizeWithoutCommand (1599) is the size with the command removed; we add len(cmd) to get the new size. | |
| // The 21-byte difference corresponds to the length of "touch /tmp/vulnerable" being replaced. |
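Review bot: the suggested comment block documents arraySizeWithCommand and arraySizeWithoutCommand but is attached to the command-replacement line, where neither constant is used. Place it on the const declaration instead, and keep only a short note on this line that \x00\x15 is the 16-bit length prefix (0x0015 = 21) of the placeholder command.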
lol nice
https://github.com/cckuailong/JNDI-Injection-Exploit-Plus/blob/f9e097041b08d48289c3dae004996caa28718184/src/main/java/payloads/Jackson.java
java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -D Jackson -C "touch /tmp/vulnerable"