Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Green Dog
@GrrrDog
with jmx, after authentication, I can get information about available methods and their parameters, even using usual tools as jconsole. But I don't know how to do in case of RMI.
Nate Robb
@NateRobb_twitter
anyone know if there is a workaround for: java.rmi.AccessException: Registry.bind disallowed; origin /x.x.x.x is non-local host
Green Dog
@GrrrDog
@NateRobb_twitter check this article https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ . This error returns in many cases
Moritz Bechler
@mbechler
@GrrrDog The JRMPClient exploit (in the published form) targets the DGC (distributed garbage collection) object which is exposed by any JRMP/RMI listener (not just Registry), however this has been applying a very strict serialization filter for quite some while now
Moritz Bechler
@mbechler
In recent verison, as far as I know, you either need a writeable registry, or need to target a exported object (for which you need a valid methodid/signature)
Matthias Kaiser
@matthiaskaiser
@mbechler thank you @mbechler for the answer to @GrrrDog‘s question
Green Dog
@GrrrDog
yeah, thank you, guys :) I'll test it and, probably, come back with more questions :
Green Dog
@GrrrDog
Oh, I've played with JRMPClient a bit. It's a cool gadget! I don't know how i could overlook it for so long. I remember, at least, two cases when only listeners were available and i didn't know what to do. with them.
Thanks again!
Green Dog
@GrrrDog
Coming back to RMI. I have a situation where a remote server has a closed rmi registry port (it's binded to localhost interface), but an rmi listener's port is open. I have successfully created a deserialization attack PoC against one of methods exposed by RMI in a local test env. So, my question is... Can I send this deserialization attack payload directly to RMI listener? And maybe you know how to do it?
The current idea is to set my local registry as a target for my PoC, but to redirect PoC's connection to local RMI listener to a remote one (real target) using Iptables.
Moritz Bechler
@mbechler
The thing you need to reach the actual exported object is the object id, which you probably wont be able to get in that setup (if nothing is configured in weird way it's sufficiently random). If you had that you probably (likely quite fiddly) could patch a registry to return a reference with that object and the remote endpoint, or you could build on exploit.JRMPClient and put together a raw call to the object.
Green Dog
@GrrrDog
Oh, it sounds complicated. Thank you @mbechler
Conday
@Conday
hello
Ran across and error with JRMPListener and was wondering if anyone could helpout
Green Dog
@GrrrDog
@Conday What is the error? Could you describe the whole situation? write here or directly to me
zzqsmile
@zzqsmile
image.png
image.png

mvn package -DskipTests 出错了

...
[INFO] --- maven-compiler-plugin:3.5.1:compile (default-compile) @ ysoserial ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 59 source files to /root/ysoserial/target/classes
[WARNING] Unable to autodetect 'javac' path, using 'javac' from the environment.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.846 s
[INFO] Finished at: 2019-10-30T02:03:39-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project ysoserial: Compilation failure -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Green Dog
@GrrrDog
@zzqsmile it looks like you have something wrong with jdk Unable to autodetect 'javac' path, using 'javac' from the environment.
Yiğitcan UÇUM
@Yengas
just made a Play Scala application to demonstrate deserialization attack with ysoserial. however the exploit won't run unless i set enableTemplatesImplDeserialization to true. could not find where this security feature comes from (this is not there with spring/java). is there a way to make ysoserial work when enableTemplatesImplDeserialization is false?
google search with the flag itself, links to previous chats in this gitter :sweat: is this security feature inside the jdk, just to block ysoserial?
Green Dog
@GrrrDog
I've just found which looks like RMI listener (nmap detects it as JAVA RMI). But it doesn't response for JRMPClient at all. When you connects to it, it returns \xac\xed\0\x05. The app is run on Java 1.5. Any ideas what can it be?
Dusan Stevanovic
@dusanste_gitlab
Hi, I have a serializable class that contains a method setFoo(Object o) where Foo is a public member of that class. Is there a gadget that I could use to invoke a specific method of that class during its deserialization.
Dusan Stevanovic
@dusanste_gitlab
by specific method I mean a method name that I can control
gh0st
@__gh0st__twitter

Hi guys, I would like to ask some questions. In some clients, I always find flaws in the Java deserialization, but sometimes the environment is very restricted, the client has no DNS, ICMP, HTTP output. What I like to do to explore not so restricted environments is to send a list of payloads [1], with the command nslookup or ping to my domain. In some cases, it works very well. But recently I found two cases in particular:
1º When sending the list of loads to the destination, he returned only the GadgetChain (JRMPClient), how could he have obtained RCE?

2º In this case, it is more restricted, I sent all the payloads and returned absolutely nothing, as the client had no output for ICMP, DNS, HTTP. how can i explore this second case?
[1] I use the script shown in Petre's article(https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/)

gh0st
@__gh0st__twitter
A detail that has been overlooked, the payload URLDNS works in two cases.
Moritz Bechler
@mbechler
JRMPClient likely is quite useless when you don't have a network channel back to you (and not direct RCE anyways). If everything else fails, timing is always a nice side channel. In the most basic form, try to run a sleep command (requires patching ysoserial, as the templates payloads currently do not wait for the command to complete). This can be taken much farther though, as it is possible to construct object graphs which when deserialized will take different amounts of time depending on some properties (e.g. class found or not)
gh0st
@__gh0st__twitter
interestingly, is there an article on how to patching ysoserial to have GadgetsChains with the sleep command?
Green Dog
@GrrrDog
@__gh0st__twitter there is a Burp Plugin https://github.com/federicodotta/Java-Deserialization-Scanner you can have a look at the source code and article about it https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/ . If i remember correctly, it uses various time-based techniques to detect deserialization.
gh0st
@__gh0st__twitter
Thank you very much for your help @mbechler and @GrrrDog I ended up finding Federicodotta's modified ysoserial, making it possible to generate a payload with the sleep command directly from that ysoserial.
ysoserial_sleep => https://github.com/federicodotta/ysoserial
If successful, I’ll come back here to comment.
gh0st
@__gh0st__twitter
Hello guys, I was successful with the ysoserial modified by Federicodotta, thanks again for everyone's help! =)
delisyd
@delisyd

Hi there everyone, Is there anyone that could help me? I'm working on a Java deserialization PoC. So far, I was able to receive DNS queries from the vulnerable app using the URLDNS gadget. The problem is that I could not find any other useful gadget in order to show more impact. You know...a simple DNS query is not the best thing.
How do you think I should follow up this? I tried to enumerate classes and I found the following ones:
com.fasterxml.jackson.core.Base64Variant
com.google.gson.JsonDeserializer
org.apache.commons.lang.ArrayUtils
org.apache.commons.logging.impl.AvalonLogger
org.apache.commons.logging.impl.NoOpLog
org.apache.log4j.Appender
org.json.CDL
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
com.sun.rowset.JdbcRowSetImpl
java.util.logging.FileHandler
java.rmi.server.UnicastRemoteObject
org.apache.tomcat.dbcp.dbcp2.BasicDataSource
com.sun.org.apache.bcel.internal.util.ClassLoader

I tried the most common payloads but I'm not able to run commands other than the URLDNS.
Any suggestion?
It's a JSF web app in which the javax.faces.viewState is base64(gzip) encoded.

delisyd
@delisyd
Also, the SerialDOS payload seems working as well because when I tested that I had a long delay.
Tom Wyckhuys
@tomwyckhuys
Hi, does anybody has advice how to include double quotes in the payload parameter ? It seems to error out. I need something like java -jar ysoserial.... CommonsBeansutils1 'cmd.exe /C "command & commannd & command" '
Green Dog
@GrrrDog
@tomwyckhuys I usually b64 encode commands http://www.jackson-t.ca/runtime-exec-payloads.html
ASL IT Security
@aslitsecurity
escape
Hello everyone, anyone have any idea how to escape quotes within quotes for ysoserial?
I am trying this command rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c calc"
"rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c calc""
ASL IT Security
@aslitsecurity
Nevermind
This command is not working in ysoserial. :(
in cmd if you enter rundll32.exe shell32.dll,ShellExec_RunDLL cmd /c calc
it works
but ysoserial.exe -f BinaryFormatter -g YourGadget -o base64 -c "rundll32.exe shell32.dll,ShellExec_RunDLL cmd /c calc" --rawcmd -t
not working
Chris Frohoff
@frohoff
@aslitsecurity that appears to be ysoserial.net (https://github.com/pwntester/ysoserial.net) which is a similar but different project maintained by @pwntester for .NET apps (ysoserial is for java apps)
Cruel
@0Tty2_twitter
image.png
JDK?
Chris Frohoff
@frohoff

FYI I enabled the discussions feature in the ysoserial github repo so I'd suggest we move most of this dialogue there for better visibility

https://github.com/frohoff/ysoserial/discussions

thamaraiselvan12
@thamaraiselvan12:matrix.org
[m]
Anyone help me how can I create payload