Skip to content

Latest commit

 

History

History
46 lines (29 loc) · 2.63 KB

File metadata and controls

46 lines (29 loc) · 2.63 KB

SerialKiller: Bypass Gadget Collection

Description

Collection of Bypass Gadgets that can be used in JVM Deserialization Gadget chains to bypass "Look-Ahead ObjectInputStreams" desfensive deserialization.

Released as part of RSA 2016 Talk "SerialKiller: Silently Pwning Your Java Endpoints" by Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711).

Details about bypass gadget technique can be found in the following resources:

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Requirements

The current status of this project heavily depends on "YSoSerial". project and the idea is to integrate it there in the near future (see below). It can actually be considered an extension of ysoserial and it reuses some parts of the code and all the payload gadgets in order to facilitate future integration.

Copy the current version (ysoserial-0.0.5-SNAPSHOT-all.jar) to /external and adjust the pom.xml if using a different version.

The following Jar files are required from Weblogic and WebSphere application servers and not distributed with SerialKiller Bypass Gadget Collection. Copy them from your authorized version of the application server to the /external directory.

com.ibm.jaxws.thinclient_8.5.0.jar
com.ibm.ws.ejb.embeddableContainer_8.5.0.jar
com.oracle.weblogic.iiop-common.jar
com.ibm.mq.jmqi.jar
com.ibm.ws.ejb.thinclient_8.5.0.jar
com.ibm.msg.client.jms.jar
com.ibm.ws.runtime.coregroupbridge.jar

Build

mvn clean compile assembly:single

Usage

java -jar target/serialkiller-bypass-gadgets-0.0.1-SNAPSHOT-all.jar <Payload Gadget, eg: CommonsCollections2> <Bypass Gadget, eg: Weblogic1> <Command, eg: 'touch /tmp/test'>

Future

The idea is to integrate this project into YsoSerial project as soon as it supports wrapping payloads in bypass gadgets and handle missing dependencies.