Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Matthias Kaiser
@matthiaskaiser
I
Try javax.management.loading.MLet
Matthias Kaiser
@matthiaskaiser
getMBeansFromURL(String)
Siva Siva
@zebasquared_twitter

@matthiaskaiser thanks for the suggestion. I am able to invoke getMBeansFromURL(String) but I get a java.lang.IllegalStateException: This MLet MBean is not registered with an MBeanServer.. I see that the first line of the getMBeansFromURL function has the following check:
if (server == null) { throw new IllegalStateException("This MLet MBean is not registered with an MBeanServer.");

I am unable to bypass this check without calling preRegister(MBeanServer server, ObjectName name) first, which I am unable to do with my current limitations. I would really appreciate any other ideas.

For your reference, I am trying to reproduce https://mp.weixin.qq.com/s/8_D8xwXwgETItMmJRgp6XQ but I am failing at the very last step
Green Dog
@GrrrDog
@zebasquared_twitter Have you looked at https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf ? It's about serialization gadgets, but maybe it will give you some ideas.
Siva Siva
@zebasquared_twitter
@GrrrDog I gave it a skim a while back, but I think I should read it again. As you suggested, it might help me with this situation. Thanks!
Moritz Bechler
@mbechler
@zebasquared_twitter don't think there is much for this situtation in there. I'm not aware of any "direct" way to command execution (there just isn't much code using that in the standard library), however there are a buch of indirect ones:
  • until very recently (< 8u191) you can get code execution based on JNDI/LDAP reference lookups, e.g. with javax.naming.InitialContext::lookup(String)
  • javax.swing.plaf.synth.SynthLookAndFeel::load(URL) loads/processes a remote document using XMLDecoder
  • com.sun.media.sound.JARSoundbankReader::getSoundbank(URL) performs remote classloading
you should be able to call all of these.
Siva Siva
@zebasquared_twitter
@mbechler I should have posted here earlier but after I read you paper again, I was able to get RCE indirectly via javax.naming.InitialContext::lookup(String). Thanks again for all the help + very useful paper!
U̶ɴ̶ᴠ̶ᴇ̶ʀ̶ɪ̶ғ̶ɪ̶ᴇ̶ᴅ
@droope123_twitter
Hi everybody. I am exploiting an AMF java deserialization. I think this is like a regular deserialization with the exception that a few more restrictions are in place, but I've managed to bypass those by following the instructions here. I am now in a situation where I can instantiate gadgets using ysoserial.exploit.JRMPListener.
I have an issue where I get the RMI callback, the response is successfully sent, but no payloads execute, with the exception of URLDNS. URLDNS works and triggers a Burp Collaborator lookup.
I think this is because the app is using some sort of blacklisting/whitelisting of classes. I was wondering if you know of good ways of bypassing these kinds of restrictions to achieve anything useful? I am going to try these but I think I probably won't be able to use things from the commons library.
U̶ɴ̶ᴠ̶ᴇ̶ʀ̶ɪ̶ғ̶ɪ̶ᴇ̶ᴅ
@droope123_twitter
The client says they're using https://dzone.com/articles/a-first-look-into-javas-new-serialization-filterin
U̶ɴ̶ᴠ̶ᴇ̶ʀ̶ɪ̶ғ̶ɪ̶ᴇ̶ᴅ
@droope123_twitter
nvm got rce :D
skyroot
@magicalking
hi all,when I compile ysoserial with maven ,I got this proplem,someone can help me ?
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project ysoserial: Compilation failure -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
Green Dog
@GrrrDog
Hey! Could anyone clarify me JRMPClient payload and in which cases in can be handy for us?
Green Dog
@GrrrDog
And another question. In case of RMI registry, after jep 290, we still can exploit serialization via methods with specific parameter types. But we need to have an interface, which we cannot get when we test somethings with blackbox approach. Do i understand the situation with RMI correctly?
Matthias Kaiser
@matthiaskaiser
@GrrrDog JRMPClient connects to your server and and you can send back a gadget in the response
@GrrrDog Only the standard methods like "lookup" are protected by JEP290. If you can lookup a proxy you can still get RCE using parameters
@GrrrDog Same applies to JMX after successful auth
Green Dog
@GrrrDog
@matthiaskaiser the article https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ says that JRMPClient doesn't work against the rmi registry, but the listener. Does it mean that when there is a target and rmi-registry port is filtered, but a "usual" rmi port is reachable, i can use this payload against it?
" If you can lookup a proxy you can still get RCE using parameters" I didn't get it :)
with jmx, after authentication, I can get information about available methods and their parameters, even using usual tools as jconsole. But I don't know how to do in case of RMI.
Nate Robb
@NateRobb_twitter
anyone know if there is a workaround for: java.rmi.AccessException: Registry.bind disallowed; origin /x.x.x.x is non-local host
Green Dog
@GrrrDog
@NateRobb_twitter check this article https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ . This error returns in many cases
Moritz Bechler
@mbechler
@GrrrDog The JRMPClient exploit (in the published form) targets the DGC (distributed garbage collection) object which is exposed by any JRMP/RMI listener (not just Registry), however this has been applying a very strict serialization filter for quite some while now
Moritz Bechler
@mbechler
In recent verison, as far as I know, you either need a writeable registry, or need to target a exported object (for which you need a valid methodid/signature)
Matthias Kaiser
@matthiaskaiser
@mbechler thank you @mbechler for the answer to @GrrrDog‘s question
Green Dog
@GrrrDog
yeah, thank you, guys :) I'll test it and, probably, come back with more questions :
Green Dog
@GrrrDog
Oh, I've played with JRMPClient a bit. It's a cool gadget! I don't know how i could overlook it for so long. I remember, at least, two cases when only listeners were available and i didn't know what to do. with them.
Thanks again!
Green Dog
@GrrrDog
Coming back to RMI. I have a situation where a remote server has a closed rmi registry port (it's binded to localhost interface), but an rmi listener's port is open. I have successfully created a deserialization attack PoC against one of methods exposed by RMI in a local test env. So, my question is... Can I send this deserialization attack payload directly to RMI listener? And maybe you know how to do it?
The current idea is to set my local registry as a target for my PoC, but to redirect PoC's connection to local RMI listener to a remote one (real target) using Iptables.
Moritz Bechler
@mbechler
The thing you need to reach the actual exported object is the object id, which you probably wont be able to get in that setup (if nothing is configured in weird way it's sufficiently random). If you had that you probably (likely quite fiddly) could patch a registry to return a reference with that object and the remote endpoint, or you could build on exploit.JRMPClient and put together a raw call to the object.
Green Dog
@GrrrDog
Oh, it sounds complicated. Thank you @mbechler
Conday
@Conday
hello
Ran across and error with JRMPListener and was wondering if anyone could helpout
Green Dog
@GrrrDog
@Conday What is the error? Could you describe the whole situation? write here or directly to me
zzqsmile
@zzqsmile
image.png
image.png

mvn package -DskipTests 出错了

...
[INFO] --- maven-compiler-plugin:3.5.1:compile (default-compile) @ ysoserial ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 59 source files to /root/ysoserial/target/classes
[WARNING] Unable to autodetect 'javac' path, using 'javac' from the environment.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.846 s
[INFO] Finished at: 2019-10-30T02:03:39-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project ysoserial: Compilation failure -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Green Dog
@GrrrDog
@zzqsmile it looks like you have something wrong with jdk Unable to autodetect 'javac' path, using 'javac' from the environment.
Yiğitcan UÇUM
@Yengas
just made a Play Scala application to demonstrate deserialization attack with ysoserial. however the exploit won't run unless i set enableTemplatesImplDeserialization to true. could not find where this security feature comes from (this is not there with spring/java). is there a way to make ysoserial work when enableTemplatesImplDeserialization is false?
google search with the flag itself, links to previous chats in this gitter :sweat: is this security feature inside the jdk, just to block ysoserial?
Green Dog
@GrrrDog
I've just found which looks like RMI listener (nmap detects it as JAVA RMI). But it doesn't response for JRMPClient at all. When you connects to it, it returns \xac\xed\0\x05. The app is run on Java 1.5. Any ideas what can it be?
Dusan Stevanovic
@dusanste_gitlab
Hi, I have a serializable class that contains a method setFoo(Object o) where Foo is a public member of that class. Is there a gadget that I could use to invoke a specific method of that class during its deserialization.
Dusan Stevanovic
@dusanste_gitlab
by specific method I mean a method name that I can control
gh0st
@__gh0st__twitter

Hi guys, I would like to ask some questions. In some clients, I always find flaws in the Java deserialization, but sometimes the environment is very restricted, the client has no DNS, ICMP, HTTP output. What I like to do to explore not so restricted environments is to send a list of payloads [1], with the command nslookup or ping to my domain. In some cases, it works very well. But recently I found two cases in particular:
1º When sending the list of loads to the destination, he returned only the GadgetChain (JRMPClient), how could he have obtained RCE?

2º In this case, it is more restricted, I sent all the payloads and returned absolutely nothing, as the client had no output for ICMP, DNS, HTTP. how can i explore this second case?
[1] I use the script shown in Petre's article(https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/)

gh0st
@__gh0st__twitter
A detail that has been overlooked, the payload URLDNS works in two cases.
Moritz Bechler
@mbechler
JRMPClient likely is quite useless when you don't have a network channel back to you (and not direct RCE anyways). If everything else fails, timing is always a nice side channel. In the most basic form, try to run a sleep command (requires patching ysoserial, as the templates payloads currently do not wait for the command to complete). This can be taken much farther though, as it is possible to construct object graphs which when deserialized will take different amounts of time depending on some properties (e.g. class found or not)